[RADIATOR] Multiple auth failure handling

Kiernan Mccoll kiernan at staff.iinet.net.au
Thu Jun 25 20:58:41 CDT 2009


Why not just walled garden all failures?


-----Original Message-----
From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Jim Tyrrell
Sent: Thursday, June 25, 2009 7:35 PM
To: radiator at open.com.au
Subject: [RADIATOR] Multiple auth failure handling

Hi,

I have been looking at our accounting logs and realised that 50% of all
the radius traffic is authentication failures for a relatively small
number of users.  I want to implement a solution to put the users into a
walled garden if they continue to fail and was thinking of somehow
logging failed auths to MySQL and using a handler such as:

<Handler Realm = blah.com>
    AuthByPolicy ContinueWhileReject
    <AuthBy LDAP2>
        # LDAP Stuff
    </AuthBy>
    <AuthBy SQL>
        # If user in SQL DB then auth and setup for walled garden with
        # session timeout
    </AuthBy>
</Handler>

So if the session is rejected, it then checks against MySQL to see if the
user is in there, or in there X number of times, and if so accepts and
returns attributes to put them into a walled garden.
Does this make sense?  I have done some searching and other solutions
were generally using hooks and I want to avoid using my shoddy Perl
skills if possible.

What would be the best way to get failed authentications into MySQL?  I
could then either query for count of failed sessions or have a job on
the MySQL server to produce a table of top failing users.

Failing that I could just have a script on each radius server to get the
frequent users from the Radiator logs and put into a text file and then
have my 2nd authby look at this file but MySQL would give me more
flexibility and would be visible to support staff.

Thanks.

Jim.
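
The counting side of the approach asked about above, as an added example that is not part of the original thread: a failed-authentication table plus the query that yields the users a second AuthBy could send to the walled garden. Python's sqlite3 stands in for MySQL here; the table name, columns, window and threshold are assumptions, and how Radiator writes the rows is not shown.

```python
import sqlite3

# Hypothetical schema: one row per Access-Reject.
SCHEMA = """
CREATE TABLE failed_auth (
    username TEXT    NOT NULL,
    nas_ip   TEXT    NOT NULL,
    ts       INTEGER NOT NULL   -- Unix time of the reject
);
CREATE INDEX failed_auth_user_ts ON failed_auth (username, ts);
"""

NOW = 1245980000  # constructed reference time

# Constructed sample rows: (username, NAS address, timestamp).
SAMPLE = (
    [("user1@blah.com", "192.0.2.1", NOW - 60 * i) for i in range(1, 7)]
    + [("user2@blah.com", "192.0.2.1", NOW - 100 * i) for i in range(1, 3)]
    + [("user3@blah.com", "192.0.2.2", NOW - 7200 - i) for i in range(5)]
    + [("user3@blah.com", "192.0.2.2", NOW - 100 * i) for i in range(3, 5)]
)

def open_db(rows):
    """Create the in-memory table and load the given reject rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO failed_auth VALUES (?, ?, ?)", rows)
    return db

def walled_garden_candidates(db, now, window=3600, threshold=5):
    """Users with at least `threshold` rejects in the last `window` seconds.

    Returns (username, failures, last_seen) rows, worst offender first.
    Old failures fall out of the window, so a user who fixes their
    password drops off the list without any manual cleanup.
    """
    return db.execute(
        "SELECT username, COUNT(*) AS failures, MAX(ts) AS last_seen "
        "FROM failed_auth WHERE ts > ? "
        "GROUP BY username HAVING COUNT(*) >= ? "
        "ORDER BY failures DESC, username",
        (now - window, threshold),
    ).fetchall()

def purge_old(db, now, retain=86400):
    """Delete rejects older than `retain` seconds; returns rows removed."""
    cur = db.execute("DELETE FROM failed_auth WHERE ts <= ?", (now - retain,))
    db.commit()
    return cur.rowcount
```

The same SELECT works as a periodic job that fills a "top failing users" table, which keeps the per-request lookup to a single indexed read.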