On 12/09/2013 06:29 PM, Johnson, Neil M wrote:
> I'm SYSLOGing @ Trace Level 2 and SYSLOGing Authentication Failures.
>
> Doing some testing:
>
> Using an unknown user name I get one log message from the <AUTHLOG>:
> Dec 9 10:21:35 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]:
> 10:21:35 | 02-00-00-00-00-01 | [email protected] | FAIL: EAP MSCHAP V2
> failed: no such user wlantest0X | | NAS-IP 127.0.0.1

Trying with AuthBy LSA I get these results without and with group check option enabled:

Tue Dec 10 17:14:03 2013:test-useri::EAP MSCHAP-V2 Authentication failure:FAIL
Tue Dec 10 17:14:53 2013:test-useri::EAP MSCHAP V2 failed: no such user test-useri:FAIL

The username is invalid and when group check is enabled, this is flagged as 'no such user ...'. However, this message does not go into authlog:

Tue Dec 10 17:14:03 2013: WARNING: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, The user name or password is incorrect.

> Using a bad password I get one message from the RADIUS server and one
> from the <AUTHLOG>:
> Dec 9 10:21:56 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]:
> Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure:
> unknown user name or bad password.#015
> Dec 9 10:21:57 itsnt808.iowa.uiowa.edu c:\Perl64\bin\radiusd[1832]:
> 10:21:57 | 02-00-00-00-00-01 | [email protected] | FAIL: EAP MSCHAP V2
> failed: no such user wlantest02 | | NAS-IP 127.0.0.1

This is where I get different results too. Are you perhaps using multiple AuthBys for PEAP inner authentication? I'd say plain AuthBy LSA does not return 'no such user' for a bad password.

It does appear, though, that there is room for improvement when logging failures, since e.g. the NTLM and LSA subsystems may return more information than what is currently logged by authlog. I'll see what can be done to make this information available instead of just returning '... Authentication failure ...'.

> I was hoping that I could differentiate between an unknown user id and a
> bad password without using a higher logging level so our security office
> can identify attack attempts.

I'm not sure if LSA will tell if the username or password was incorrect. If LSA is used with e.g. AuthBy LDAP2, then the information should be more easily available as an LDAP search result.
Thanks,
Heikki

--
Heikki Vatiainen <[email protected]>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
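The thread is about what a security office can and cannot tell apart from the lines Radiator writes at this trace level. The following is an added example, not part of the thread and not Radiator's own code: a small classifier run over constructed log lines that mirror the two formats quoted above (the syslog-wrapped <AUTHLOG> record and the "Could not LogonUserNetworkMSCHAP" warning). The <AUTHLOG> column layout, the host name, MAC addresses, usernames and NAS-IP are all assumed for the sample. The one external fact it relies on is that the NTSTATUS value 3221225581 in the LSA line is 0xC000006D, STATUS_LOGON_FAILURE, which Windows returns for both an unknown account and a wrong password; that is why the example treats the LSA line as ambiguous and only trusts Radiator's own "no such user" text (produced by its group check or an LDAP lookup) as an unknown-user signal.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines for this example. They are modelled on the
# syslog-wrapped <AUTHLOG> lines and the LSA WARNING line quoted in the
# thread; host, MACs, usernames and NAS-IP are placeholders, not real data.
SAMPLE_LOG = """\
Dec  9 10:21:35 radhost radiusd[1832]: 10:21:35 | 02-00-00-00-00-01 | guest01@example.org | FAIL: EAP MSCHAP V2 failed: no such user guest01 | | NAS-IP 127.0.0.1
Dec  9 10:21:56 radhost radiusd[1832]: Could not LogonUserNetworkMSCHAP (V2): 3221225581, 0, Logon failure: unknown user name or bad password.#015
Dec  9 10:21:57 radhost radiusd[1832]: 10:21:57 | 02-00-00-00-00-01 | alice@example.org | FAIL: EAP MSCHAP-V2 Authentication failure | | NAS-IP 127.0.0.1
Dec  9 10:22:03 radhost radiusd[1832]: 10:22:03 | 02-00-00-00-00-01 | guest02@example.org | FAIL: EAP MSCHAP V2 failed: no such user guest02 | | NAS-IP 127.0.0.1
Dec  9 10:22:09 radhost radiusd[1832]: 10:22:09 | 02-00-00-00-00-01 | guest03@example.org | FAIL: EAP MSCHAP V2 failed: no such user guest03 | | NAS-IP 127.0.0.1
"""

# NTSTATUS 0xC000006D (STATUS_LOGON_FAILURE), decimal 3221225581: Windows
# returns the same code for an unknown account and for a wrong password, so
# an LSA line carrying it cannot tell the two apart.
STATUS_LOGON_FAILURE = 0xC000006D

# <AUTHLOG> record layout assumed from the quoted lines:
#   HH:MM:SS | client MAC | username | OK/FAIL: reason | | NAS-IP x.x.x.x
AUTHLOG_RE = re.compile(
    r"radiusd\[\d+\]: \d\d:\d\d:\d\d \| (?P<mac>[0-9A-Fa-f:-]+) \| (?P<user>[^|]+?) \| "
    r"(?P<result>OK|FAIL):\s*(?P<reason>[^|]*)\|.*NAS-IP (?P<nas>\S+)"
)
# Matches both the syslog-wrapped and the "... WARNING: ..." forms of the LSA line.
LSA_RE = re.compile(
    r"Could not LogonUserNetworkMSCHAP \(V2\): (?P<ntstatus>\d+), (?P<substatus>\d+), (?P<msg>.*)"
)


def classify_line(line):
    """Return an event dict for one log line, or None if it is not an auth event."""
    m = LSA_RE.search(line)
    if m:
        code = int(m.group("ntstatus"))
        return {
            "kind": "lsa_logon_failure",
            "ntstatus": code,
            "ambiguous": code == STATUS_LOGON_FAILURE,
            "msg": re.sub(r"#015$", "", m.group("msg")).strip(),  # drop syslog-escaped CR
            "user": None, "mac": None, "nas": None,
        }
    m = AUTHLOG_RE.search(line)
    if not m:
        return None
    reason = m.group("reason").strip()
    if m.group("result") == "OK":
        kind = "ok"
    elif "no such user" in reason:
        # Produced by Radiator's own lookup (e.g. group check or an LDAP
        # search), not by LSA, so it is a reliable "unknown user" signal.
        kind = "unknown_user"
    else:
        kind = "auth_failure"
    return {"kind": kind, "user": m.group("user").strip(), "mac": m.group("mac"),
            "nas": m.group("nas"), "reason": reason}


def classify_log(text):
    return [e for e in (classify_line(l) for l in text.splitlines()) if e]


def summarize(events, enum_threshold=3):
    """Count event kinds and flag client MACs that tried >= enum_threshold
    distinct unknown usernames (username enumeration / password spraying)."""
    counts = Counter(e["kind"] for e in events)
    unknown_by_mac = defaultdict(set)
    for e in events:
        if e["kind"] == "unknown_user":
            unknown_by_mac[e["mac"]].add(e["user"])
    flagged = sorted(mac for mac, users in unknown_by_mac.items()
                     if len(users) >= enum_threshold)
    return counts, flagged


if __name__ == "__main__":
    evs = classify_log(SAMPLE_LOG)
    counts, flagged = summarize(evs)
    for e in evs:
        print(e["kind"], e.get("user") or e.get("msg"))
    print(dict(counts), "flagged MACs:", flagged)
```

The point of keeping the LSA event as its own kind with an "ambiguous" flag is that a SIEM rule can count it as a failed logon without pretending to know which of the two causes it was; the "unknown_user" kind, which comes from Radiator's own lookup, is the one worth alerting on when many distinct names arrive from the same client MAC or NAS.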
