Heikki,
You are correct, I'm using multiple AuthBy clauses with AuthByPolicy ContinueUntilAcceptOrChallenge set. I need to do this to check membership in multiple AD groups.

That could explain why I always get messages for the user not being found.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: +1 319 384-0938
Fax: +1 319 335-2951
E-Mail: neil-john...@uiowa.edu
Lync: neil-john...@uiowa.edu

On 12/10/13 9:27 AM, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 12/09/2013 06:29 PM, Johnson, Neil M wrote:
>
>> I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures.
>>
>> Doing some testing:
>>
>> Using an unknown user name I get one log message from the <AUTHLOG>:
>> Dec 9 10:21:35 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | wlantes...@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest0X | | NAS-IP 127.0.0.1
>
>Trying with AuthBy LSA I get these results without and with group check option enabled:
>
>Tue Dec 10 17:14:03 2013:test-useri::EAP MSCHAP-V2 Authentication failure:FAIL
>Tue Dec 10 17:14:53 2013:test-useri::EAP MSCHAP V2 failed: no such user test-useri:FAIL
>
>The username is invalid and when group check is enabled, this is flagged as 'no such user ...'. However, this message does not go into authlog:
>
>Tue Dec 10 17:14:03 2013: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.
>
>> Using a bad password I get one message from the RADIUS server and one from the <AUTHLOG>:
>> Dec 9 10:21:56 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.#015
>> Dec 9 10:21:57 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]: 10:21:57 | 02-00-00-00-00-01 | wlantes...@uiowa.edu | FAIL: EAP MSCHAP V2 failed: no such user wlantest02 | | NAS-IP 127.0.0.1
>
>This is where I get different results too. Are you perhaps using multiple AuthBys for PEAP inner authentication? I'd say plain AuthBy LSA does not return 'no such user' for bad password.
>
>It does appear though, that there is room for improvement when logging failures since e.g., NTLM and LSA subsystems may return more information than what is currently logged by authlog. I'll see what can be done to make this information available instead of just returning '... Authentication failure ...'.
>
>> I was hoping that I could differentiate between an unknown user id and a bad password without using a higher logging level so our security office can identify attack attempts.
>
>I'm not sure if LSA will tell if the username or password was incorrect. If LSA is used with e.g., AuthBy LDAP2, then the information should be more easily available as LDAP search result.
>
>Thanks,
>Heikki
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
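The pattern the two messages above converge on is that, with several AuthBy clauses under ContinueUntilAcceptOrChallenge, a wrong password is rejected by AuthBy LSA (the "Could not LogonUserNetworkMSCHAP" line at the server's log level) and the last AuthBy in the chain then writes "no such user" to the authlog, so the authlog line alone reads the same for a bad password and for a truly unknown user. The following Python is an added example, not part of the thread and not Radiator's code: it reads syslog lines in the format Neil quoted and pairs each authlog FAIL with an LSA warning logged shortly before it, which is what separates the two cases for a security team reading the logs. The host name, user names, the 2013 year used to complete the syslog timestamps and the two-second pairing window are constructed assumptions; as Heikki points out, NTSTATUS 3221225581 on its own does not say whether the name or the password was wrong, so the paired verdict only records that AD evaluated and rejected the credentials.

```python
"""Classify Radiator PEAP/MSCHAPv2 failures from syslog lines (added example, not Radiator code)."""
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Windows syslog prefix as quoted in the thread: "Dec  9 10:21:35 host c:\Perl64\bin\radiusd[1832]: msg"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<prog>.*?radiusd\[\d+\]):\s+(?P<msg>.*)$"
)
# AuthLog line: "HH:MM:SS | calling-station | user | FAIL: reason | | NAS-IP addr"
AUTHLOG_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s*\|\s*(?P<mac>[^|]*?)\s*\|\s*(?P<user>[^|]*?)\s*\|\s*"
    r"(?P<result>OK|FAIL):\s*(?P<reason>[^|]*?)\s*\|\s*(?P<extra>[^|]*?)\s*\|\s*NAS-IP\s+(?P<nas>\S+)"
)
# AuthBy LSA warning: "Could not LogonUserNetworkMSCHAP (V2): <NTSTATUS decimal>, <substatus>, <text>"
LSA_RE = re.compile(
    r"Could not LogonUserNetworkMSCHAP \(V2\):\s*(?P<status>\d+),\s*(?P<sub>\d+),\s*(?P<text>.*)$"
)

# In the thread the LSA warning and the authlog FAIL of one attempt are a second apart;
# the two-second pairing window is an assumption, tune it to your own server.
PAIR_WINDOW = timedelta(seconds=2)


def classify(lines, year=2013, window=PAIR_WINDOW):
    """Return one dict per authlog FAIL line with a verdict on why the attempt failed."""
    pending_lsa = deque()   # (timestamp, ntstatus, text) of warnings not yet paired with a FAIL
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue                     # not a radiusd line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"].removesuffix("#015")   # syslog renders the trailing CR as #015

        lsa = LSA_RE.search(msg)
        if lsa:
            pending_lsa.append((ts, int(lsa["status"]), lsa["text"]))
            continue

        auth = AUTHLOG_RE.match(msg)
        if not auth or auth["result"] != "FAIL":
            continue

        while pending_lsa and ts - pending_lsa[0][0] > window:
            pending_lsa.popleft()        # stale warnings cannot belong to this attempt

        event = {"time": ts, "user": auth["user"], "mac": auth["mac"],
                 "nas": auth["nas"], "reason": auth["reason"], "lsa_status": None}
        if pending_lsa:
            _, status, _ = pending_lsa.popleft()
            event["lsa_status"] = status
            # 3221225581 is STATUS_LOGON_FAILURE (0xC000006D): AD saw the credentials and
            # rejected them; LSA does not say whether the name or the password was wrong.
            event["verdict"] = "credentials_rejected_by_ad"
        elif "no such user" in auth["reason"]:
            event["verdict"] = "unknown_user"   # no backend ever evaluated a password
        else:
            event["verdict"] = "other_failure"
        events.append(event)
    return events


def summarize(events):
    """Count verdicts per calling station so repeated probing from one client stands out."""
    return Counter((e["mac"], e["verdict"]) for e in events)


# Constructed sample modelled on the lines quoted in the thread; host and users are made up.
SAMPLE_LOG = r"""
Dec  9 10:21:35 radius01.example.edu c:\Perl64\bin\radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | nobody01@example.edu | FAIL: EAP MSCHAP V2 failed: no such user nobody01 | | NAS-IP 127.0.0.1
Dec  9 10:21:56 radius01.example.edu c:\Perl64\bin\radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.#015
Dec  9 10:21:57 radius01.example.edu c:\Perl64\bin\radiusd[1832]: 10:21:57 | 02-00-00-00-00-01 | alice@example.edu | FAIL: EAP MSCHAP V2 failed: no such user alice | | NAS-IP 127.0.0.1
Dec  9 10:22:10 radius01.example.edu c:\Perl64\bin\radiusd[1832]: 10:22:10 | 02-00-00-00-00-02 | bob@example.edu | FAIL: EAP MSCHAP-V2 Authentication failure | | NAS-IP 10.0.0.5
"""

if __name__ == "__main__":
    evs = classify(SAMPLE_LOG.strip().splitlines())
    for e in evs:
        print(f"{e['time']:%H:%M:%S} {e['mac']} {e['user']:<22} {e['verdict']}")
    print(summarize(evs))
```

Run against the sample, the first FAIL (no preceding warning) comes out as an unknown user, the second (one second after the LSA warning) as credentials AD rejected, and the third as a generic authentication failure; the per-station counter is what a security office would watch for bursts of either verdict. Heikki's own test lines use a different, non-syslog format and are not parsed by this example.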