I recently set up a banned MAC address database to reject authentication from proven compromised clients.
I'd like to have a significant record in the FreeRADIUS log file for connection debugging reasons. The ways I have used to implement this result in ambiguous, misleading "Invalid user" or "Login incorrect" messages in radius.log. Users are in effect valid and correct, but their equipment is not. Does anybody know how this scenario can be improved?

-----------

Relevant lines of the default virtual server authorize section are:

    authorize {
        if ( "%{Calling-Station-Id}" =~ /([a-fA-F0-9]{2}.?){6}/ && "%{sql: SELECT 1 FROM callingstidbanlist WHERE mac='%{Calling-Station-Id}'}" == 1 ) {
            update reply {
                # Select ban reason from radgroupreply Port-Message attribute related to the ban group
                Reply-Message := "Access forbidden from this terminal ( %{sql: SELECT value FROM radgroupreply WHERE attribute = 'Port-Message' AND groupname IN (SELECT bangroup FROM callingstidbanlist WHERE mac = '%{Calling-Station-Id}' ) ; } ) ."
            }

            #update control {
            #    Auth-Type := Reject
            #}
            # Line in radius.log:
            # Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)

            reject
            # Line in radius.log:
            # Auth: Invalid user: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)
        }
    }

--
Daniele ALBRIZIO - albri...@univ.trieste.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Divisione V - Infrastrutture e Servizi Informativi
via Alfonso Valerio, 12 I-34127 Trieste, Italy
Sezione Infrastrutture Informatiche e Telematiche
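An added example, not part of the original post and not FreeRADIUS code: a post-processing pass that reads the two ambiguous radius.log messages quoted above and separates rejections caused by a banned Calling-Station-Id from ordinary credential failures. The ban list contents, the ban group name, the timestamps and the function names are constructed assumptions; the log line layout is taken from the lines quoted in the post.

```python
import re

# Layout of the rejected-auth lines quoted in the post:
# "Auth: Login incorrect: [user] (from client nas port 122 cli 00-1C-...)"
AUTH_LINE = re.compile(
    r"Auth: (?P<result>Login incorrect|Invalid user)(?: \([^)]*\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)\s]+))?\)"
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify(line, banlist):
    """Return (user, mac, verdict) for a rejected-auth line, else None.

    banlist maps a normalized MAC to its ban group (assumed to be an
    export of the callingstidbanlist table)."""
    m = AUTH_LINE.search(line)
    if not m:
        return None
    mac = normalize_mac(m.group("cli"))
    if mac in banlist:
        verdict = "banned equipment (%s)" % banlist[mac]
    else:
        verdict = "credential failure"
    return m.group("user"), mac, verdict

def report(lines, banlist):
    """Classify every rejected-auth line, skipping unrelated log lines."""
    return [r for r in (classify(l, banlist) for l in lines) if r]

# Constructed ban list; stored with colons to show format normalization.
BANLIST = {normalize_mac("00:1c:cc:c3:c7:1a"): "constructed-ban-group"}

# Constructed sample log; the first two entries reuse the lines from the post.
SAMPLE_LOG = [
    "Mon Jan  3 10:15:02 2011 : Auth: Login incorrect: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)",
    "Mon Jan  3 10:15:09 2011 : Auth: Invalid user: [myusername] (from client wall1-wigate1 port 122 cli 00-1C-CC-C3-C7-1A)",
    "Mon Jan  3 10:16:40 2011 : Auth: Login incorrect: [otheruser] (from client wall1-wigate1 port 7 cli 00-11-22-33-44-55)",
    "Mon Jan  3 10:17:00 2011 : Info: Ready to process requests.",
    "Mon Jan  3 10:18:21 2011 : Auth: Login incorrect: [nocli] (from client wall1-wigate1 port 9)",
]

if __name__ == "__main__":
    for user, mac, verdict in report(SAMPLE_LOG, BANLIST):
        print("%-12s %-14s %s" % (user, mac, verdict))
```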