[RADIATOR] AuthBy FAILUREPOLICY always results in IGNORE
Ralf Wenk
iz-osc2017 at hs-karlsruhe.de
Wed Feb 5 12:24:23 UTC 2020
Hello,
I do not get AuthBy FAILUREPOLICY working as expected (by myself).
After extending a working handler with an AuthBy FAILUREPOLICY,
testing showed that it always returns IGNORE,
especially after hitting the ConsecutiveFailures limit.
At trace level 4 using a wrong password always results in the same log
entries. These are:
DEBUG: Handling request with Handler 'Client-Identifier=IZ, Realm=VPN', Identifier 'VPN'
DEBUG: Rewrote user name to testuser
DEBUG: AuthBy FAILUREPOLICY result: IGNORE, No failure policy history exists in context ''
DEBUG: Handling with AuthSQL 'SQL_VPN'
DEBUG: Handling with Radius::AuthSQL: SQL_VPN
DEBUG: Query to 'dbi:mysql:database=...
DEBUG: Radius::AuthSQL looks for match with 'testuser' [testuser]
DEBUG: Radius::AuthSQL REJECT: Bad Password: 'testuser' [testuser]
DEBUG: AuthBy SQL result: REJECT, Bad Password
INFO: Access rejected for testuser: Bad Password
Defining a FailurePolicyContext just changes the printed context name.
The result stays the same. The same with UsernameMatchesWithoutRealm.
The handler statements are
<Handler Client-Identifier=IZ, Realm=VPN>
    AcctLogFileName %L/vpn/AcctLog-%Y-%m
    RewriteUsername s/@.+//o
    UsernameCharset a-z0-9
    <AuthBy FAILUREPOLICY>
        Identifier Fail_Policy
        ConsecutiveFailures 5
        ConsecutiveLockTime 300
        CumulativeFailures 200
        CumulativeLockTime 14400
        CumulativeWindow 43200
    </AuthBy>
    AuthBy SQL_VPN
    AuthLog AuthLogFile-VPN
    AuthLog AuthLogSyslog-VPN
    AuthLog AuthLogSQL-VPN
    AuthBy SQL_Acct_Log_VPN
    Identifier VPN
</Handler>
and the Radiator version is 4.24-10.
I think the cause is behind the "No failure policy history exists ..."
message.
Did I make a wrong assumption, or is there a configuration mistake in
the FAILUREPOLICY that I do not see?
By the way, "3.114.8. CumulativeLockTime" of the manual shows
"ConsecutiveLockTime" as the configuration statement, not the
"CumulativeLockTime" one.
Regards, Ralf