Was a bit confused with this one. You can't actually use msg_goodpass and/or msg_badpass unless auth_goodpass and/or auth_badpass is set to "yes." Doing this DOES force logging of passwords. (Comments in radiusd.conf seem to confirm.)
Did a bit more digging (i.e. checked out source code and looked at it). It appears the functionality to log client IP (Calling-Station-Id) is already there -- you only need "auth = yes" in radiusd.conf enabled. Enabling "auth_badpass = yes" and/or "auth_goodpass = yes" and msg_goodpass/msg_badpass to include %{Calling-Station-Id} is not necessary. Specifically, there is a function in auth.c called auth_name() that is called during radlog_request(). This function will expand Calling-Station-Id for inclusion in the log message. It appears the actual NAS equipment I am using (Force10) just doesn't send a Calling-Station-Id; hence FreeRADIUS doesn't log it. Works fine with Cisco kit though.

Mystery solved!

-M

On Sun, May 9, 2010 at 1:19 AM, Alan DeKok <al...@deployingradius.com> wrote:
> Matt Hite wrote:
>> It looks like I can possibly enable auth_badpass and auth_goodpass in
>> radiusd.conf and then set:
>>
>> msg_goodpass = "%{Calling-Station-Id}"
>> msg_badpass = "%{Calling-Station-Id}"
>
> Yes.
>
>> Is this going about it the right way?
>
> Yes.
>
>> Also, I really don't want the failed passwords to get logged. (I don't
>> want to see my colleagues' plain-text passwords.) If I do use the
>> aforementioned technique, am I also going to see passwords? I'm
>> guessing yes.
>
> No. See "auth_badpass" and "auth_goodpass" configuration items. If
> they're set to "no", passwords are not logged.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
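
An added example, not part of the original thread and not FreeRADIUS code: a small audit of the `log { }` section of radiusd.conf that flags the settings discussed above, so password logging is caught before the config is deployed. The function names and the sample config are constructed; treating a missing item as "no" is an assumption, and the msg_* rule follows the first poster's observation.

```python
import re

# Constructed sample of a radiusd.conf log section (not from the thread).
SAMPLE_CONF = '''
log {
    destination = files
    auth = yes
    auth_badpass = yes   # logs rejected passwords
    auth_goodpass = no
    msg_goodpass = "%{Calling-Station-Id}"
}
'''

# key = value, where value is a quoted string or a bare token.
ITEM = re.compile(r'^\s*(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s#]+)')

def parse_log_section(text):
    """Return the key/value items found inside the log { ... } section."""
    settings, in_log = {}, False
    for line in text.splitlines():
        if not in_log:
            in_log = re.match(r'^\s*log\s*\{', line) is not None
        elif re.match(r'^\s*\}', line):
            break  # end of the log section
        else:
            m = ITEM.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings

def is_yes(settings, key):
    # Assumption: an item that is absent behaves as "no".
    return settings.get(key, 'no').lower() == 'yes'

def audit(settings):
    """Return findings about auth logging and password exposure."""
    findings = []
    if not is_yes(settings, 'auth'):
        findings.append('auth != yes: authentication requests are not logged')
    for kind in ('badpass', 'goodpass'):
        if is_yes(settings, 'auth_' + kind):
            findings.append(f'auth_{kind} = yes: passwords are written to the log')
        elif settings.get('msg_' + kind):
            findings.append(f'msg_{kind} set but auth_{kind} != yes: message unused')
    return findings

if __name__ == '__main__':
    for finding in audit(parse_log_section(SAMPLE_CONF)):
        print(finding)
```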