[RADIATOR] Multiple auth failure handling
Hugh Irvine
hugh at open.com.au
Fri Jun 26 03:58:39 CDT 2009
Hello Jim -
Could you clarify what you are wanting to do?
You cannot both accept and reject the same RADIUS request(s).
regards
Hugh
On 26 Jun 2009, at 18:21, Jim wrote:
> I would but apparently we want our customers to get the standard
> authentication failure responses normally, and that's what our main
> resellers want.
>
> Jim.
>> -----Original Message-----
>> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
>> On Behalf Of Kiernan Mccoll
>> Sent: 26 June 2009 02:59
>> To: radiator at open.com.au
>> Subject: Re: [RADIATOR] Multiple auth failure handling
>>
>> Why not just walled garden all failures?
>>
>>
>> -----Original Message-----
>> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au]
>> On Behalf Of Jim Tyrrell
>> Sent: Thursday, June 25, 2009 7:35 PM
>> To: radiator at open.com.au
>> Subject: [RADIATOR] Multiple auth failure handling
>>
>> Hi,
>>
>> I have been looking at our accounting logs and realised that 50% of all
>> the radius traffic is authentication failures for a relatively small
>> number of users. I want to implement a solution to put the users into a
>> walled garden if they continue to fail and was thinking of somehow
>> logging failed auths to MySQL and using a handler such as:
>>
>> <Handler Realm = blah.com>
>> ContinueWhileReject
>> <AuthBy LDAP2>
>> LDAP Stuff
>> </AuthBy>
>> <AuthBy SQL>
>> If user in SQL DB then auth and setup for walled garden with
>> session timeout
>> </AuthBy>
>> </Handler>
>>
>> So if the session is rejected it then checks against MySQL to see if the
>> user is in there, or in there X number of times, and if so accepts and
>> returns attributes to put them into a walled garden.
>> Does this make sense? I have done some searching and other solutions
>> were generally using hooks and I want to avoid using my shoddy perl
>> skills if possible.
>>
>> What would be the best way to get failed authentications into MySQL? I
>> could then either query for count of failed sessions or have a job on
>> the MySQL server to produce a table of top failing users.
>>
>> Failing that I could just have a script on each radius server to get the
>> frequent users from the Radiator logs and put into a text file and then
>> have my 2nd authby look at this file, but MySQL would give me more
>> flexibility and would be visible to support staff.
>>
>> Thanks.
>>
>> Jim.
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
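Jim's original post asks how to count failed authentications per user in MySQL and then, when the primary AuthBy rejects, accept the repeat offenders with walled-garden attributes instead. The following is an added example, not code from the thread or from Radiator: it shows that counting-and-decision logic in Python over an in-memory SQLite table. The table layout, the failure rows, the threshold/window values and the reply attribute values are all assumed; the SELECT is plain SQL that runs unchanged on MySQL.

```python
"""Flag users whose recent auth failures cross a threshold (added example)."""
import sqlite3

# Assumed table layout: one row per Access-Reject written by the RADIUS server.
SCHEMA = """
CREATE TABLE failed_auth (
    username TEXT    NOT NULL,
    nas_ip   TEXT    NOT NULL,
    ts       INTEGER NOT NULL   -- unix time of the reject
);
CREATE INDEX failed_auth_user_ts ON failed_auth (username, ts);
"""

# Portable SQL: "top failing users" within a time window, as Jim describes.
TOP_FAILERS = """
SELECT username, COUNT(*) AS failures
FROM failed_auth
WHERE ts >= ?
GROUP BY username
HAVING COUNT(*) >= ?
ORDER BY failures DESC, username
"""

NOW = 1_000_000  # constructed "current time"
# Constructed sample: bob fails 6x in the last hour, alice 2x,
# carol 5x two hours ago (outside the window) and once just now.
SAMPLE_ROWS = (
    [("bob", "10.0.0.1", NOW - 100 * i) for i in range(1, 7)]
    + [("alice", "10.0.0.1", NOW - 50), ("alice", "10.0.0.1", NOW - 60)]
    + [("carol", "10.0.0.2", NOW - 7200 - i) for i in range(5)]
    + [("carol", "10.0.0.2", NOW - 10)]
)

def open_db(rows):
    """Create the in-memory table and load constructed failure rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO failed_auth VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn

def log_failure(conn, username, nas_ip, ts):
    """Record one rejected request (what a failure logger would insert)."""
    conn.execute("INSERT INTO failed_auth VALUES (?, ?, ?)", (username, nas_ip, ts))
    conn.commit()

def walled_garden_candidates(conn, now, window_s=3600, threshold=5):
    """Users with >= threshold failures in the last window_s seconds."""
    return conn.execute(TOP_FAILERS, (now - window_s, threshold)).fetchall()

def decide(conn, username, primary_accepted, now):
    """Second-stage decision: primary accept wins; repeat failers get the
    walled garden (attribute values are placeholders); others stay rejected."""
    if primary_accepted:
        return ("accept", {})
    if username in dict(walled_garden_candidates(conn, now)):
        return ("accept", {"Session-Timeout": 600, "Filter-Id": "walled-garden"})
    return ("reject", {})
```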