Re: Logging Failed Attempts to MySql database

2003-09-17 Thread Nicolas Baradakis
Paul Hampson wrote:

> There's only one issue for me to resolve, which is the same thing
> holding up the documentation... What happens when there's no section
> found or the Post-Auth-Type is not set? This is an issue for backwards
> compatibility. :-)

In this example:

Post-Auth {
    foo_module
    Post-Auth-Type bar {
        bar_module
    }
}

The current behaviour experimented (I only launched some tests, I
didn't look at the source)
* if Post-Auth-Type is not set then call foo_module
* if Post-Auth-Type is set to "bar" then call bar_module only

It sounds correct to me.

-- 
Nicolas Baradakis

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging Failed Attempts to MySql database

2003-09-17 Thread Nicolas Baradakis
Paul Hampson wrote:

> > In fact I posted on freeradius-devel a set of patches: one adds
> > support for "Post-Auth-Type REJECT"
> 
> I'll get on to adding this to CVS over the weekend. Sorry, I've
> been a little busy with the 0.9.1 release, and then the stuff I
> was ignoring while worrying about the 0.9.1 release. :-)

You don't have to apologize. You did a great job with the 0.9.1 release
and we (I and my coworkers in Cegetel) are really grateful.

> There's only one issue for me to resolve, which is the same thing
> holding up the documentation... What happens when there's no section
> found or the Post-Auth-Type is not set? This is an issue for backwards
> compatibility. :-)

I read the patch again and I didn't see any problem. It looks for a
"Post-Auth-Type REJECT" subsection before invoking rad_postauth()
function. If not found, it keeps the previous behaviour: it doesn't
do anything.

> > and another provides an "authlog_query" in sql.conf
> 
> I'd have to go dig this patch up again, but wouldn't a postauth-query
> work better? That way it's more general than just logging. The only
> proviso is that the return value gets chucked, so INSERT, DELETE or
> UPDATE are the only sensible options.

You're absolutely right. It can do what you describe but I messed up the
name of the option. It should be renamed "postauth_query". Minor
things should be changed too (since Alan patched xlat.c later I have
to modify the sample table I provided, and the sample query as well).

I'm going to fix this and post the patch again as soon as possible.

-- 
Nicolas Baradakis



Re: Logging Failed Attempts to MySql database

2003-09-16 Thread Alan DeKok
"Paul Hampson" <[EMAIL PROTECTED]> wrote:
> > In fact I posted on freeradius-devel a set of patches: one adds
> > support for "Post-Auth-Type REJECT"
> 
> I'll get on to adding this to CVS over the weekend. Sorry, I've
> been a little busy with the 0.9.1 release, and then the stuff I
> was ignoring while worrying about the 0.9.1 release. :-)

  Thanks.  I've been out of the loop a lot, with bizarre panic
situations.

> There's only one issue for me to resolve, which is the same thing
> holding up the documentation... What happens when there's no section
> found or the Post-Auth-Type is not set? This is an issue for backwards
> compatibility. :-)

  I believe it's ignored.

  Any new installation SHOULD have Post-Auth-Type.

> > and another provides an "authlog_query" in sql.conf
> 
> I'd have to go dig this patch up again, but wouldn't a postauth-query
> work better? That way it's more general than just logging. The only
> proviso is that the return value gets chucked, so INSERT, DELETE or
> UPDATE are the only sensible options.

  Sounds reasonable to me.

  The server really needs more configurable logging.  What GNU radius
does is useful.  Though I can't figure out how the heck they have more
"C" code than FreeRADIUS, with 1/10 the functionality.

  Alan DeKok.



RE: Logging Failed Attempts to MySql database

2003-09-16 Thread Paul Hampson
> From: Nicolas Baradakis
> Sent: Saturday, 13 September 2003 2:12 AM

> Thor Spruyt wrote:
> 
> > > The second point is you'll only get the login / password in the
> > > database. For example the hotline staff may need the Calling-Station-Id
> > > too. Therefore you need the rlm_sql module to execute the SQL query of
> > > your choice after authentication.

> > After authentication might mean: after a successful authentication

> You're right.

> In fact I posted on freeradius-devel a set of patches: one adds
> support for "Post-Auth-Type REJECT"

I'll get on to adding this to CVS over the weekend. Sorry, I've
been a little busy with the 0.9.1 release, and then the stuff I
was ignoring while worrying about the 0.9.1 release. :-)

There's only one issue for me to resolve, which is the same thing
holding up the documentation... What happens when there's no section
found or the Post-Auth-Type is not set? This is an issue for backwards
compatibility. :-)

> and another provides an "authlog_query" in sql.conf

I'd have to go dig this patch up again, but wouldn't a postauth-query
work better? That way it's more general than just logging. The only
proviso is that the return value gets chucked, so INSERT, DELETE or
UPDATE are the only sensible options.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Kostas Kalevras
On Fri, 12 Sep 2003, Drew Decker wrote:

> Is it possible to log the failed attempts to a mysql database? I would like
> to develop a web interface for the technical support staff to let them view
> the Failed attempts without having to teach them how to use SSH etc. If
> this is possible to do could you point me to a how-to or at least give me a
> little information on where to get started? Thanks for your help in advance

You can use the bin/log_badlogins script from dialupadmin to do exactly that. It
will do a tail -f on radius.log and log all failed logins in the radacct table.

>
> Drew Decker
> Network Administrator

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
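
The log-following approach described in the message above, sketched as an added example; it is not part of the thread and is not dialupadmin's log_badlogins script. Assumptions: the radius.log line layout given in the comment, a hypothetical failed_logins table, and SQLite standing in for MySQL so the example runs offline.

```python
import re
import sqlite3

# Assumed layout of a rejected login in radius.log (the "/pass" part appears
# only when bad passwords are logged; "cli" only when the NAS sends it):
#   <date> : Auth: Login incorrect: [user/pass] (from client NAS port N cli X)
# The greedy credential group plus the end anchor make the *last*
# "] (from client ...)" the real suffix, so brackets typed into a
# user name cannot replace the NAS fields.
REJECT_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login incorrect: \[(?P<cred>.*)\] "
    r"\(from client (?P<nas>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>[^)]*))?\)\s*$"
)

def parse_reject(line):
    """Return a dict for a rejected login, or None for any other line."""
    m = REJECT_RE.match(line)
    if m is None:
        return None
    # Keep the user name only; the attempted password is dropped on purpose.
    user, _, _ = m.group("cred").partition("/")
    return {"logged_at": m.group("ts"), "username": user, "nas": m.group("nas"),
            "port": int(m.group("port")), "cli": m.group("cli")}

def store_rejects(conn, lines):
    """Insert every rejected login found in lines; return how many were stored."""
    conn.execute("CREATE TABLE IF NOT EXISTS failed_logins (logged_at TEXT, "
                 "username TEXT, nas TEXT, port INTEGER, calling_station_id TEXT)")
    rows = [r for r in map(parse_reject, lines) if r is not None]
    # Bound parameters: user names are attacker-chosen and must never be
    # pasted into the SQL text.
    conn.executemany("INSERT INTO failed_logins VALUES "
                     "(:logged_at, :username, :nas, :port, :cli)", rows)
    conn.commit()
    return len(rows)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = [
    "Fri Sep 12 10:15:02 2003 : Auth: Login OK: [alice/secret] (from client nas1 port 3 cli 5550100)",
    "Fri Sep 12 10:15:09 2003 : Auth: Login incorrect: [drew/wrongpw] (from client nas1 port 4 cli 5550101)",
    "Fri Sep 12 10:16:40 2003 : Auth: Login incorrect: [o'brien/pw] (from client nas2 port 7)",
    "Fri Sep 12 10:17:00 2003 : Info: Ready to process requests.",
]

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(store_rejects(db, SAMPLE_LOG), "rejected logins stored")
    for row in db.execute("SELECT * FROM failed_logins"):
        print(row)
```

A user name that itself contains "/" cannot be told apart from the user/password separator in this layout; the sketch splits at the first "/".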



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Nicolas Baradakis
Thor Spruyt wrote:

> > The second point is you'll only get the login / password in the
> > database. For example the hotline staff may need the Calling-Station-Id
> > too. Therefore you need the rlm_sql module to execute the SQL query of
> > your choice after authentication.
> 
> After authentication might mean: after a successful authentication

You're right.

In fact I posted on freeradius-devel a set of patches: one adds
support for "Post-Auth-Type REJECT" and another provides an
"authlog_query" in sql.conf

This way you can log goodpass or badpass with distinct queries if you
want to.

-- 
Nicolas Baradakis



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Thor Spruyt
- Original Message - 
From: "Nicolas Baradakis" <[EMAIL PROTECTED]>
> Thor Spruyt wrote:
> > Install msyslog. That's a syslog server to replace the standard
> > syslog server. Msyslog can put all syslog messages in a MySql
> > database after which you can extract the necessary info from the
> > database.
> 
> The second point is you'll only get the login / password in the
> database. For example the hotline staff may need the Calling-Station-Id
> too. Therefore you need the rlm_sql module to execute the SQL query of
> your choice after authentication.

After authentication might mean: after a successful authentication





Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Nicolas Baradakis
Alan DeKok wrote:

>   I would suggest configuring it to log to per-day and per-hour
> 'detail' files, and then have a 'cron' job delete old files.  I'm not
> sure that there's any benefit to having authentication requests logged
> permanently in a MySQL database.

When you have multiple freeradius servers, you want to store
authentication attempts in a database rather than a flat file.

-- 
Nicolas Baradakis



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Thor Spruyt
- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>
> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> > The second point is you'll only get the login / password in the
> > database. For example the hotline staff may need the Calling-Station-Id
> > too. Therefore you need the rlm_sql module to execute the SQL query of
> > your choice after authentication.
>   I would suggest configuring it to log to per-day and per-hour
> 'detail' files, and then have a 'cron' job delete old files.  I'm not
> sure that there's any benefit to having authentication requests logged
> permanently in a MySQL database.

Might be handy for analysing stuff

Thor.




Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> The second point is you'll only get the login / password in the
> database. For example the hotline staff may need the Calling-Station-Id
> too. Therefore you need the rlm_sql module to execute the SQL query of
> your choice after authentication.

  The CVS snapshots have an updated 'detail' module, which will log
authentication requests & responses.

  I would suggest configuring it to log to per-day and per-hour
'detail' files, and then have a 'cron' job delete old files.  I'm not
sure that there's any benefit to having authentication requests logged
permanently in a MySQL database.

  Alan DeKok.



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Nicolas Baradakis
Thor Spruyt wrote:

> Drew Decker wrote:
>
> > Is it possible to log the failed attempts to a mysql database? I
> > would like to develop a web interface for the technical support
> > staff to let them view the Failed attempts without having to
> > teach them how to use SSH etc. If this is possible to do could you
> > point me to a how-to or at least give me a little information on
> > where to get started? Thanks for your help in advance
> 
> Install msyslog. That's a syslog server to replace the standard
> syslog server. Msyslog can put all syslog messages in a MySql
> database after which you can extract the necessary info from the
> database.

The first point is you'll get a lot of useless data, but that's not an
important issue.

The second point is you'll only get the login / password in the
database. For example the hotline staff may need the Calling-Station-Id
too. Therefore you need the rlm_sql module to execute the SQL query of
your choice after authentication.

-- 
Nicolas Baradakis



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Thor Spruyt
> Drew Decker wrote:
>
> > Is it possible to log the failed attempts to a mysql database? I would like
> > to develop a web interface for the technical support staff to let them view
> > the Failed attempts without having to teach them how to use SSH etc. If
> > this is possible to do could you point me to a how-to or at least give me a
> > little information on where to get started? Thanks for your help in advance

Install msyslog. That's a syslog server to replace the standard syslog
server. Msyslog can put all syslog messages in a MySql database after
which you can extract the necessary info from the database.

Regards,

Thor.




Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> I posted the patch in the freeradius-devel mailing but nobody with CVS
> write access put it in FreeRadius.

  Not every patch makes it into the server.  Some are untested, some
are unnecessary, and some are plain wrong.

  If enough people say a patch is useful, we'll take a serious look at
adding it in.

  Alan DeKok.



Re: Logging Failed Attempts to MySql database

2003-09-12 Thread Nicolas Baradakis
Drew Decker wrote:

> Is it possible to log the failed attempts to a mysql database? I would like
> to develop a web interface for the technical support staff to let them view
> the Failed attempts without having to teach them how to use SSH etc. If
> this is possible to do could you point me to a how-to or at least give me a
> little information on where to get started? Thanks for your help in advance

I needed this too and I already made a patch.

I posted the patch in the freeradius-devel mailing but nobody with CVS
write access put it in FreeRadius.

-- 
Nicolas Baradakis
