[RADIATOR] Password logging not working..
Heikki Vatiainen
hvn at open.com.au
Thu Mar 2 09:48:50 UTC 2023
On 1.3.2023 8.40, Steve Phillips via radiator wrote:
> So I guess my questions are twofold;
>
> a) Why is the PasswordLogFile line not working?
Likely because of this:
https://files.radiatorsoftware.com/radiator/ref/Handler.html#PasswordLogFileName
"... Attempts where the user is not found, are not logged. ..."
When there's a problem with fetching user information from LDAP,
Radiator won't log password information.
> b) How can I get the PreAuthHook to write the passwords to the
> PASSWORDLOG identifier/log entry?
You could do this to always log information from PreAuthHook:
1) Add an Identifier, for example 'Identifier abc-handler', within the
Handler
2) Within the hook, similar to $logger, 'my $handler =
Radius::Configurable::find('Handler', 'abc-handler');'
3) For the selected usernames, call the password logger directly. For
example '$handler->logPassword($user, $pass, 'correct-pw-is-unknown', 0,
$p);'
Parameter '0' (or any boolean false value) causes the password logger to
log 'FAIL'. Parameter 'correct-pw-is-unknown' is simply a placeholder
value because at this point there's no information what the user's
expected password might be. Note that when the user is found, you should
get two entries for the user; one from the hook and the other from the
configured password logging.
It's possible also to arrange and use <Log ...> clauses for this, but
logging via PasswordLogFileName method also automatically turns itself
off when the configuration parameter is removed or commented out from
the configuration. This gives an additional visible hint that password
logging is currently enabled.
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
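
The three steps from the reply above, put together as one hook file. This is an added example, not part of the original message and not Radiator's own code. The file name, the %LOG_USERS list and its usernames are hypothetical, and the hook argument convention, the file:"..." way of loading the hook, getUserName() and decodedPassword() are assumptions not stated in the message.

```perl
# preauth-pwlog.pl: constructed example hook file.
# Assumed Handler configuration (step 1 plus the existing password log):
#   Identifier abc-handler
#   PasswordLogFileName <your password log path>
#   PreAuthHook file:"<path to this file>"
use strict;
use warnings;

# Hypothetical list of the "selected usernames" whose attempts are logged.
my %LOG_USERS = map { $_ => 1 } qw(alice bob);

sub {
    # Assumption: the first hook argument is a reference to the request.
    my $p = ${ $_[0] };

    # Assumption: getUserName() and decodedPassword() return the User-Name
    # and the decoded User-Password of the request.
    my $user = $p->getUserName();
    return unless defined $user && $LOG_USERS{$user};

    my $pass = $p->decodedPassword();
    # Skip requests where no password could be decoded.
    return unless defined $pass && length $pass;

    # Step 2: look up the Handler by the Identifier added in step 1.
    my $handler = Radius::Configurable::find('Handler', 'abc-handler');
    return unless $handler;    # Identifier missing or misspelled

    # Step 3: log directly. 0 makes the entry read 'FAIL', and
    # 'correct-pw-is-unknown' is the placeholder for the expected password.
    $handler->logPassword($user, $pass, 'correct-pw-is-unknown', 0, $p);
    return;
};
```

The password log then holds submitted passwords in clear text, so keep the file readable only by the account Radiator runs as.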