[RADIATOR] Feature request of sort: client, nas and proxy IP for Blacklisted users ?

Tuure Vartiainen vartiait at open.com.au
Tue Mar 28 10:15:20 UTC 2017


Hello,

> On 27 Mar 2017, at 15:02, Patrik Forsberg <patrik.forsberg at ip-only.se> wrote:
> 
> I am using the Blacklist feature to block the most commonly used "bad" users so they won't even get into the password routine but trying to figure out from which router/NAS the login attempt was done is a hassle today with having to up the trace and filter through the debug log. Would it be possible to add NAS IP, Client IP and possibly the Proxy(if one was used) IP to the log message ?
> "Access rejected for 888888: Blacklisted" is sort of anonymous ..
> 

you can define the FailureFormat configuration option for AuthLog, where you can include the wanted variables.

https://www.open.com.au/radiator/ref/SpecialCharacters.html#SpecialCharacters

Example config

# AuthLog FILE
<AuthLog FILE>
    Identifier My-AuthLog-File

    # Log accepts
    LogSuccess 1
    # Log format for accept
    SuccessFormat %l ACCEPT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}

    # Log failures
    LogFailure 1
    # Log format for failures
    FailureFormat %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}

    # Auth log file
    Filename %L/auth-%Y-%m-%d.log
</AuthLog>

# Default Handler
<Handler>
    Identifier My-Default-Handler

    # Blacklist
    AuthBy AuthBy-Blacklist

    # Actual authentication
    AuthBy ...

    # AuthLog to be used
    AuthLog My-AuthLog-File
</Handler>


Logging the RADIUS proxy that was used requires using ReplyHook and NoReplyHook to include the proxy’s
address in a request or reply.

https://www.open.com.au/radiator/ref/ReplyHook.html#ReplyHook
https://www.open.com.au/radiator/ref/NoReplyHook.html#NoReplyHook


Example for AuthBy RADIUS

ReplyHook sub { ${$_[2]}->add_attr('OSC-Last-Proxy-Address', (Radius::Util::unpack_sockaddr_in(${$_[3]}->{SendTo}))[1] ); }
NoReplyHook sub { ${$_[0]}->add_attr('OSC-Last-Proxy-Address', (Radius::Util::unpack_sockaddr_in(${$_[1]}->{SendTo}))[1] ); }

and then you can use %{Request:OSC-Last-Proxy-Address} in AuthLog’s SuccessFormat and FailureFormat directives.


Logging a failure for a proxied request which was never replied to requires Radiator 4.17, which includes the NoReplyReject config option.

https://www.open.com.au/radiator/ref/NoReplyReject_AuthByRADIUS.html#NoReplyReject_AuthByRADIUS


BR
-- 
Tuure Vartiainen <vartiait at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
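Once the AuthLog is written in the format above, the question from the thread ("which router/NAS did the blacklisted attempt come from?") becomes a log-parsing job rather than a trace-level hunt. The following is an added example, not code from the post or from Radiator: it parses lines laid out exactly like the SuccessFormat/FailureFormat in the reply (%l timestamp, ACCEPT/REJECT, then key=value fields), treats an extra proxy=%{Request:OSC-Last-Proxy-Address} field as optional, and aggregates REJECT lines per (nas, from) pair so the offending equipment can be listed. The log lines are constructed sample data, and the proxy= field name is an assumption.

```python
import re

# Constructed sample AuthLog lines in the layout of the post's FailureFormat:
#   %l REJECT user=%u from=%c nas=%N client=%{Request:Calling-Station-Id}
# An optional "proxy=" field (assumed to be filled from OSC-Last-Proxy-Address
# via the ReplyHook/NoReplyHook in the post) is appended on one line.
SAMPLE_AUTHLOG = """\
Tue Mar 28 10:15:20 2017 ACCEPT user=alice from=192.0.2.10 nas=192.0.2.10 client=00-11-22-33-44-55
Tue Mar 28 10:15:21 2017 REJECT user=888888 from=198.51.100.7 nas=198.51.100.7 client=
Tue Mar 28 10:15:22 2017 REJECT user=888888 from=198.51.100.7 nas=198.51.100.7 client= proxy=203.0.113.9
Tue Mar 28 10:15:23 2017 REJECT user=admin from=198.51.100.7 nas=10.0.0.5 client=AA-BB-CC-DD-EE-FF
Tue Mar 28 10:15:24 2017 REJECT user=888888 from=192.0.2.200 nas=192.0.2.200 client=
this line is garbage and must be skipped
"""

# %l produces a ctime-style timestamp, e.g. "Tue Mar 28 10:15:20 2017".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<result>ACCEPT|REJECT) "
    r"(?P<fields>.*)$"
)
# key=value pairs; the value may be empty (e.g. "client=" when the NAS sent
# no Calling-Station-Id), which is why \S* rather than \S+ is used.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for one AuthLog line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = {"timestamp": m.group("ts"), "result": m.group("result")}
    record.update(dict(FIELD_RE.findall(m.group("fields"))))
    return record


def reject_sources(log_text, user=None):
    """Aggregate REJECT lines per (nas, from) pair.

    Returns {(nas, from): {"count": n, "users": set(), "proxies": set()}}.
    If `user` is given, only rejects for that user name are counted, which is
    the view wanted for a blacklisted name such as the "888888" in the thread.
    """
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "REJECT":
            continue
        if user is not None and rec.get("user") != user:
            continue
        key = (rec.get("nas", ""), rec.get("from", ""))
        entry = sources.setdefault(key, {"count": 0, "users": set(), "proxies": set()})
        entry["count"] += 1
        entry["users"].add(rec.get("user", ""))
        if rec.get("proxy"):
            entry["proxies"].add(rec["proxy"])
    return sources


def report(log_text, user=None):
    """Human-readable summary, most rejects first."""
    lines = []
    for (nas, frm), entry in sorted(reject_sources(log_text, user).items(),
                                    key=lambda kv: -kv[1]["count"]):
        proxies = ",".join(sorted(entry["proxies"])) or "-"
        users = ",".join(sorted(entry["users"]))
        lines.append(f"{entry['count']:4d} rejects  nas={nas:<15} from={frm:<15} "
                     f"proxy={proxies:<15} users={users}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("All rejects:")
    print(report(SAMPLE_AUTHLOG))
    print("\nRejects for blacklisted user 888888:")
    print(report(SAMPLE_AUTHLOG, user="888888"))
```

Run against a real auth-YYYY-MM-DD.log written by the AuthLog FILE clause above; pass the blacklisted user name to `reject_sources` to list only the NAS and client addresses that keep trying it. Lines that do not match the configured format are skipped rather than raising, so a mixed or partially rotated log does not break the summary.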


