On Mon, 14 Jul 2003 06:07 pm, Keith Yoder wrote:
> >> I am going to add a table to blacklist CallingStationIDs that aren't
> >> allowed to connect no matter what password they use to keep out old
> >> users who cancelled to use their neighbor's / cousin's / mother-in-law's
> >> account.
> >
> >Good idea. Send it to me when you have done it :-)
>
> Peter,
> The fact that someone else might be interested in this feature was
> enough for me to go ahead and do it. I created a table:
>
> CREATE TABLE `bad_callingstationids` (
>   `CALLINGSTATIONID` varchar(18) NOT NULL default '',
>   `OBSERVATION` varchar(100) NOT NULL default '',
>   PRIMARY KEY  (`CALLINGSTATIONID`)
> );
>
> and then altered our authorize_check_query to the following
>
> SELECT logins.USUARIO,logins.LOGIN,Attribute,logins.SENHA,op,
> bad_callingstationids.CALLINGSTATIONID
> FROM usuarios.logins, usuarios.usuarios LEFT JOIN
> radius.bad_callingstationids ON '%{Calling-Station-Id}' =
> bad_callingstationids.CALLINGSTATIONID WHERE usuarios.CADASTRO =
> logins.USUARIO
> AND usuarios.ATIVO = 1
> AND logins.LOGIN = '%{SQL-User-Name}'
> AND bad_callingstationids.CALLINGSTATIONID IS NULL
> ORDER BY USUARIO
>
> Like I said before we use an existing database schema to store user and
> password info.  The important part is the LEFT JOIN in the FROM clause.
> I was going to use a sub-query but MySQL 4.1.0 doesn't fully support
> them yet. (I guess that would be another good reason to use Postgres :) )
>
> I'm interested in any feedback.  I don't know if this was the best way
> to do this but it works for me.

OK. I will check this out later. I think I will stick something like this into 
CVS for the next version of FreeRadius (not 0.9.0 but the one after).
I may try to make it a little more generic; I will see when I play with it some 
more.

> Peter, I get the impression you are one of the developers for the
> rlm_sql module.

Erm, I am sort of a random hacker who Alan was stupid enough to give CVS 
access to and I have been busy causing trouble ever since :-)

For the most part I look after the SuSE build scripts, and Postgres related 
stuff that no-one else has gotten around to fixing. :-)

> I'm interested in putting the radius log into a
> database.  This would help me give our support staff information to
> diagnose people who don't know how to type their password correctly and
> other such things.

It is also obviously a security risk to have your passwds in plain text... 
Hence the reason why passwd logging is disabled by default on FR.

> Do you know if anyone else has worked on this at
> all? Is anyone else interested?

This would require an extra module I think. It's not likely to happen 
immediately unless you write it :-)

You could also do this by modifying some of the addon scripts available for 
syslog-ng. Note: FreeRadius does not use syslog but you should be able to 
follow the links that mention logging to DB from:
http://www.campin.net/syslog-ng/faq.html

It will give you an idea of where to start..

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
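
The LEFT JOIN ... IS NULL anti-join from the quoted authorize_check_query, run against constructed sample rows. This is an added example, not code from the thread or from FreeRADIUS. Assumptions: SQLite stands in for MySQL, the schema is cut down to the columns the check needs and kept in one database, bound parameters replace the `%{...}` expansions, and `build_db` and `authorize_rows` are hypothetical helper names.

```python
import sqlite3

# Cut-down, constructed schema; only the blacklist table mirrors the post.
SCHEMA = """
CREATE TABLE usuarios (CADASTRO INTEGER PRIMARY KEY, ATIVO INTEGER NOT NULL);
CREATE TABLE logins (USUARIO INTEGER NOT NULL, LOGIN TEXT NOT NULL,
                     SENHA TEXT NOT NULL);
CREATE TABLE bad_callingstationids (
    CALLINGSTATIONID VARCHAR(18) NOT NULL DEFAULT '' PRIMARY KEY,
    OBSERVATION VARCHAR(100) NOT NULL DEFAULT ''
);
"""

# Anti-join: the LEFT JOIN yields NULL blacklist columns when the caller is
# not listed, and the IS NULL filter keeps only those rows. A listed caller
# produces a non-NULL match, so the query returns no row and no check items.
# There is no password condition here, so the block applies whatever
# password is supplied.
AUTHORIZE_CHECK = """
SELECT logins.USUARIO, logins.LOGIN, logins.SENHA
FROM logins
JOIN usuarios ON usuarios.CADASTRO = logins.USUARIO
LEFT JOIN bad_callingstationids AS b ON b.CALLINGSTATIONID = :csid
WHERE usuarios.ATIVO = 1
  AND logins.LOGIN = :login
  AND b.CALLINGSTATIONID IS NULL
ORDER BY logins.USUARIO
"""

def build_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO usuarios VALUES (?, ?)", [(1, 1), (2, 0)])
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                   [(1, "alice", "secret"), (2, "bob", "hunter2")])
    db.execute("INSERT INTO bad_callingstationids VALUES (?, ?)",
               ("5551230001", "cancelled customer"))
    return db

def authorize_rows(db, login, calling_station_id):
    """Rows the check query returns; an empty list means no usable account."""
    # Assumption: a request without the attribute is compared as ''.
    params = {"login": login, "csid": calling_station_id or ""}
    return db.execute(AUTHORIZE_CHECK, params).fetchall()

if __name__ == "__main__":
    db = build_db()
    print(authorize_rows(db, "alice", "5559990000"))  # caller not listed
    print(authorize_rows(db, "alice", "5551230001"))  # caller blacklisted
```

The comparison is an exact string match, so blacklist entries have to be stored in the same format the NAS sends in Calling-Station-Id.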

