David Lloyd writes:
> On Thu, 11 Nov 1999, Jason J. Horton wrote:
>
> >We have an ancient radius server that auths via the unix password file, and
> >we want to move those users to our radiator system. To make it interesting,
> >we want to have the passwords in cleartext instead of crypted passwords. Is
> >there any way we can configure Radiator to log an incoming radius request to
> >a flatfile or SQL, say storing username and password (assuming both come thru
> >in cleartext)? This way we can take the entries and dump em into our
> >subscribers table?
>
> Radiator already has this facility. It is called PasswordLogFile I
> believe. It's great for troubleshooting connections, you can tell a
> customer when they're typing in their password in all caps or something
> like that. :-)

The only problem with PasswordLogFile is that it doesn't catch instances where
the username was mistyped. I haven't had a chance to look at that portion of
the code yet to see if it can be added, but it is certainly something that I
wished was there.

Looking back at our records (which go back to Dec 1995), about 85% of all
failed logins are due to invalid username/password. The other 15% of failed
logins are due to the account being turned off because of unpaid bills or
extended non-use (we only charge them what they use, not by a monthly flat
rate like most ISPs).

It becomes more difficult to tell what distribution is bad username vs bad
password in our old system, since I didn't distinguish between the two and
only logged "Invalid Username/Password" to the log file. However, it does
look like about a third of the failed logins were bad usernames, and the
other two thirds were for failed passwords.

The point I am generally making is that from a support standpoint, they need
to see all rejected authentication attempts, not just the ones that had good
usernames and bad passwords.

Since I wrote my own authentication module, I implemented my own rejected
log that does just this. However, I did it a bit differently. Basically,
all failed authentication attempts get logged to a reject log using the
same format that the accounting log files are written in (ATTRIB=VALUE).
This allows me to catch other aspects of the failed calls, such as their
phone numbers, whether they are using ASYNC or ISDN, etc.

Anyways, that is my 2 cents worth.

Scott
--
+-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
Scott W. Adkins http://www.cns.ohiou.edu/~sadkins/
UNIX Systems Engineer mailto:[EMAIL PROTECTED]
ICQ 7626282 Work (740)593-9478 Fax (740)593-1944
+-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+=-=-=-=-=-=-=-=-+
CNS, HDL Center, Suite 301, Ohio University, Athens, OH 45701-2979
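
Added example (not part of the message above and not code from Scott's module or from Radiator): a Python sketch of a reject log in ATTRIB=VALUE form that records every failed attempt with a reason, then tallies bad-username versus bad-password rejects. The `Reject-Reason` attribute, its codes and the sample requests are assumptions constructed for the illustration, and leaving password attributes out of the log is this example's choice.

```python
from collections import Counter

SECRET_ATTRS = {"User-Password", "CHAP-Password"}  # never written to the log

def format_reject(attrs, reason):
    """Render one rejected request as a blank-line-terminated ATTRIB=VALUE record."""
    lines = [f"Reject-Reason={reason}"]  # Reject-Reason is a hypothetical attribute
    for name, value in attrs.items():
        if name in SECRET_ATTRS:
            continue
        # Values come from the dial-in client: escape line breaks so a crafted
        # User-Name cannot start a forged attribute or record.
        safe = str(value).replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
        lines.append(f"{name}={safe}")
    return "\n".join(lines) + "\n\n"

def parse_records(text):
    """Split a reject log into a list of dicts, one per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition("=")  # value may itself contain '='
        if sep:
            current[name.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def summarize(records):
    """Count rejects per reason and list the usernames that matched no account."""
    reasons = Counter(r.get("Reject-Reason", "UNSPECIFIED") for r in records)
    unknown = sorted({r["User-Name"] for r in records
                      if r.get("Reject-Reason") == "UNKNOWN_USER" and "User-Name" in r})
    return reasons, unknown

# Constructed sample requests (not real data); reason codes are hypothetical.
SAMPLE = [
    ({"User-Name": "jsmith", "User-Password": "HUNTER2", "NAS-Port-Type": "Async",
      "Calling-Station-Id": "7405550101"}, "BAD_PASSWORD"),
    ({"User-Name": "jsmtih", "User-Password": "hunter2", "NAS-Port-Type": "ISDN",
      "Calling-Station-Id": "7405550101"}, "UNKNOWN_USER"),
    ({"User-Name": "bob\nReject-Reason=ACCEPT", "NAS-Port-Type": "Async"}, "UNKNOWN_USER"),
    ({"User-Name": "alice", "NAS-Port-Type": "Async"}, "ACCOUNT_DISABLED"),
]
LOG_TEXT = "".join(format_reject(attrs, reason) for attrs, reason in SAMPLE)
```

Calling `summarize(parse_records(LOG_TEXT))` gives the per-reason counts and the list of usernames that matched no account, which is the bad-username share the message says the old log could not separate out.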