I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures. Doing some testing:

Using an unknown user name I get one log message from the <AUTHLOG>:

Dec 9 10:21:35 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | wlantes...@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0X | | NAS-IP 127.0.0.1

Using a bad password I get one message from the RADIUS server and one from the <AUTHLOG>:

Dec 9 10:21:56 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.#015
Dec 9 10:21:57 itsnt808.iowa.uiowa.edu c: \Perl64\bin\radiusd[1832]: 10:21:57 | 02-00-00-00-00-01 | wlantes...@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest02 | | NAS-IP 127.0.0.1

I was hoping that I could differentiate between an unknown user id and a bad password without using a higher logging level so our security office can identify attack attempts.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

On 11/26/13 3:27 AM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 11/22/2013 05:53 PM, Johnson, Neil M wrote:
>
>> We are using AuthByLSA and EAP/PEAP/MSCHAPv2 for wireless
>> authentication.
>>
>> The only message we see in our AuthLog when a user is either
>> non-existent or has a bad password is:
>> Nov 22 03:33:13 itsnt552.iowa.uiowa.edu
>> c: \Perl64\bin\radiusd[2056]: 03:33:13 | A0-F4-50-AF-8A-76 |
>> pheneg...@uiowa.edu | FAIL: EAP MSCHAP V2
>> failed: no such user pheneg...@uiowa.edu |
>> | NAS-IP 128.255.11.136
>>
>> However right before the AuthLog message we get the following Trace 2
>> message logged.
>> Nov 22 03:33:13 itsnt552.iowa.uiowa.edu
>> c: \Perl64\bin\radiusd[2056]: Could not LogonUserNetworkMSCHAP (V2):
>> 3221225581, 0, Logon failure: unknown user name or bad password.#015
>
>Hello Neil,
>
>the status (return) value from the logon call is 3221225581, or
>0xC000006D in hex. The MS NTSTATUS list:
>http://msdn.microsoft.com/en-us/library/cc704588.aspx tells:
>
>'... bad username or authentication information.'
>
>The substatus code in the error message is 0. If you look at the error
>logs, do you see different values for status and substatus values? For
>example, 0xC000006D and 0xC0000064 for 'bad username or authentication
>information' and 'no such user'.
>
>> Is there a way to differentiate between "unknown user name" and "bad
>> password" in the logs?
>
>The logon call returns just status, and substatus can be fetched
>separately, so the two values in the log message are the only information
>available. However, you may want to check if the values change based on
>the real reason such as bad password or non-existing user.
>
>> It would help us track down users with misconfigured wireless devices.
>
>Please let us know if the above helps. It may depend on the windows
>environment, so I cannot tell for sure what the status codes will tell.
>
>Thanks,
>Heikki
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
>_______________________________________________
>radiator mailing list
>radiator@open.com.au
>http://www.open.com.au/mailman/listinfo/radiator
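
Added example, not part of the original thread and not Radiator's own code: a log correlator that pairs each AuthLog FAIL entry with the LogonUserNetworkMSCHAP trace line logged just before it by the same radiusd process, and decodes the status and substatus values discussed above. The sample lines are constructed on the pattern of those in the thread; the host and user names, the 2-second window and the year 2013 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Names from Microsoft's NTSTATUS list; the thread quotes the first two values.
NTSTATUS = {0xC000006D: "STATUS_LOGON_FAILURE",
            0xC0000064: "STATUS_NO_SUCH_USER",
            0xC000006A: "STATUS_WRONG_PASSWORD"}

HEAD = r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) .*?radiusd\[(\d+)\]: "
LSA = re.compile(HEAD + r"Could not LogonUserNetworkMSCHAP \(V2\): (\d+), (\d+),")
FAIL = re.compile(HEAD + r"[\d:]{8} \| ([^|]*?) \| ([^|]*?) \| FAIL: ([^|]*?) \|")

def stamp(text, year=2013):
    # Syslog omits the year; 2013 is an assumption taken from the thread's dates.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def decode(code):
    # 0 means no substatus was returned; codes not in the table are marked unlisted.
    return "0" if code == 0 else f"0x{code:08X} {NTSTATUS.get(code, 'unlisted')}"

def correlate(lines, window=timedelta(seconds=2)):
    """Pair each AuthLog FAIL with an LSA failure logged just before it."""
    pending, out = {}, []  # (host, pid) -> (time, status, substatus)
    for line in lines:
        if m := LSA.match(line):
            pending[(m[2], m[3])] = (stamp(m[1]), int(m[4]), int(m[5]))
        elif m := FAIL.match(line):
            hit = pending.pop((m[2], m[3]), None)
            rec = {"mac": m[4], "user": m[5], "reason": m[6], "lsa": None}
            if hit and timedelta(0) <= stamp(m[1]) - hit[0] <= window:
                rec["lsa"] = (decode(hit[1]), decode(hit[2]))
            out.append(rec)
    return out

# Constructed sample lines (host and user names are made up).
PROC = r"radius.example.edu c: \Perl64\bin\radiusd[1832]: "
SAMPLE = [
    "Dec 9 10:21:35 " + PROC + "10:21:35 | 02-00-00-00-00-01 | nosuch@example.edu"
    " | FAIL: EAP MSCHAP V2 failed: no such user nosuch | | NAS-IP 127.0.0.1",
    "Dec 9 10:21:56 " + PROC + "Could not LogonUserNetworkMSCHAP (V2): 3221225581,"
    " 0, Logon failure: unknown user name or bad password.#015",
    "Dec 9 10:21:57 " + PROC + "10:21:57 | 02-00-00-00-00-01 | alice@example.edu"
    " | FAIL: EAP MSCHAP V2 failed: no such user alice | | NAS-IP 127.0.0.1",
]

if __name__ == "__main__":
    for rec in correlate(SAMPLE):
        print(rec["user"], "|", rec["reason"], "| LSA:", rec["lsa"] or "no call logged")
```

In the test described at the top of the thread, the unknown-user case produced no LogonUserNetworkMSCHAP line, so an empty `lsa` field versus a populated one separates the two cases in that environment. Whether the same holds on another Windows setup is not established by the thread.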