Hello Viraj -
At 17:03 -0500 00/11/8, Viraj Alankar wrote:
>Hello,
>
> We have a situation where we would like to attempt authentication
>via SQL and if that fails, to log the attempt, and send an access accept
>anyhow. Basically it will be free authentication, but I'd like to know
>what requests would have failed.
>
> What I have currently in my config is similar to this:
>
><Realm /^blah.com$/i>
> ...
> PasswordLogFileName %D/blah.com.passwd.log
> AuthByPolicy ContinueUntilAccept
>
> AuthBy Local_Mysql_DB
>
> <AuthBy FILE>
> Filename %D/blah.com.defaults
> </AuthBy>
></Realm>
>
>And within blah.com.defaults I have:
>
>DEFAULT Realm = "blah.com"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-Address = 255.255.255.254,
> Framed-IP-Netmask = 255.255.255.255,
> Session-Timeout = 82800,
> Idle-Timeout = 900,
> Framed-MTU = 1500
>
>This works just fine for users that exist in the database. However the
>password log doesn't contain the non-existent users. I found an old
>message on this topic in the archives stating there are plans to add this
>capability. Have there been any changes to add this capability?
>
>I understand it can be done with a hook, but I'm not too sure how to do
>this. The above Realm will be under heavy load, averaging about 20
>requests/sec. PasswordLogFileName suffices for existing users. If I were to
>add a hook, how could I set it up such that it is only executed if the
>user does not exist? I'm a little confused on how to do that, or if there
>are alternatives.
>
I think your best option is with a PostAuthHook that checks for the
presence of a certain attribute in the reply and if it is there, logs
accordingly.
In the blah.com.defaults you would add a pseudo-attribute that you
would check in the hook and log if it is present, i.e. the AuthBy
FILE was executed:
DEFAULT Realm = "blah.com"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-IP-Netmask = 255.255.255.255,
        Session-Timeout = 82800,
        Idle-Timeout = 900,
        Framed-MTU = 1500,
        Log-Flag = True
The example hooks in goodies/hooks.txt will give you a good idea of
what to do (it will be less than 10 lines I would think). Don't
forget to strip the Log-Flag attribute before replying to the NAS.
BTW - our testing on a 500MHz Pentium III with RedHat 6.2 was giving
us between 200 and 300 requests per second.
regards
Hugh
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
===
Archive at http://www.starport.net/~radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
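For reference, here is one way the PostAuthHook described above could look. This is an added example, not code from Hugh's reply or from Radiator's goodies/hooks.txt. It assumes Log-Flag has been added to the Radiator dictionary as a string attribute (Radiator only fills in reply attributes it knows), that the file %D/blah.com.nouser.log is writable by the server, and that the hook is loaded from the Realm with something like PostAuthHook file:"%D/logflag.pl". It logs the username, NAS and port rather than the password, so the log does not accumulate cleartext credentials for accounts that do not exist.

```perl
# Added example of a Radiator PostAuthHook (not the original post's code).
# Radiator calls PostAuthHook with four references: the request packet,
# the reply packet, the result code and the reason string.
# Assumption: Log-Flag is defined in the dictionary, and
# %D/blah.com.nouser.log is writable by the Radiator process.
sub {
    my ($p, $rp, $result, $reason) = @_;
    my $request = $$p;
    my $reply   = $$rp;

    # Only look at Access-Requests that ended up being accepted;
    # rejects and accounting packets are not our concern here.
    return unless $$result == $main::ACCEPT;
    return unless $request->code eq 'Access-Request';

    # AuthBy FILE adds Log-Flag to the reply.  If it is absent, the
    # SQL lookup succeeded and there is nothing to record.
    my $flag = $reply->get_attr('Log-Flag');
    return unless defined $flag;

    # Collect what we want to know about the failed SQL lookup.
    my $user    = $request->getUserName();
    my $nas     = $request->get_attr('NAS-IP-Address');
    my $port    = $request->get_attr('NAS-Port');
    my $stamp   = scalar localtime;
    my $logfile = &main::format_special('%D/blah.com.nouser.log');

    # Append one line per accepted-but-unknown user.  Failing to open
    # the log must not break authentication, so just report it.
    if (open(my $fh, '>>', $logfile)) {
        print $fh "$stamp\t$user\t" . ($nas // '-') . "\t" . ($port // '-') . "\n";
        close($fh);
    } else {
        &main::log($main::LOG_ERR,
                   "Could not open $logfile for unknown-user log: $!");
    }

    # The pseudo-attribute is only for our own use: never send it to the NAS.
    $reply->delete_attr('Log-Flag');
}
```

format_special is the Radiator routine that expands %D and friends; if your build exposes it differently, hard-code the log path instead.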