We use FreeRADIUS to authenticate customer PPP sessions. In some instances it is necessary to block customers, when they cease or fail to pay their bills. At the moment we set an incorrect password or lock the account, but this leads to the FreeRADIUS log filling up with failed auth requests.

I would like to implement something to block these users but without polluting the log with thousands of lines of failed requests. Interested to hear others' experience and suggestions of the best way to do so.

I have considered setting a null IP address that black holes the traffic, but interested to hear other ideas, such as a policy change to block certain users based on attributes in radcheck DB table etc.

btongeorge

1 Answer

radiusd.conf - Set log { auth_reject = no }

This was added to the v3.0.x series, so if you're using <= v2.0.x you'll need to upgrade.

If you want to apply this to a limited set of users, you unfortunately need to disable auth reject logging entirely, and instead use the linelog module to write out messages in a similar format to the authentication log.

The authentication log will be removed in FreeRADIUS >= v4.0.x anyway, because it's duplicative functionality. So one less thing to change if/when you upgrade.

Arran Cudbard-Bell
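One way to configure the selective approach described in the answer above, written for FreeRADIUS v3.0.x; this is an added example, not configuration from the answer or from the FreeRADIUS project. Assumptions: the linelog instance name `reject_log`, its file name and message format are made up for illustration, and blocked accounts are assumed to be marked in radcheck with `Auth-Type := Reject` rather than with a wrong password.

```conf
# --- radiusd.conf ---------------------------------------------------
# Turn off the built-in reject lines (the setting from the answer).
# Assumes "auth" in the same section is not set to yes.
log {
	auth_reject = no
}

# --- mods-enabled/reject_log (hypothetical file name) ----------------
# A linelog instance that writes one line per rejected request, in a
# format similar to the built-in authentication log. The failed
# password is deliberately not logged.
linelog reject_log {
	filename = ${logdir}/reject.log
	permissions = 0600
	format = "%t : Login incorrect: [%{User-Name}] (from client %{%{NAS-IP-Address}:-unknown} port %{%{NAS-Port}:-0} cli %{%{Calling-Station-Id}:-unknown})"
}

# --- sites-enabled/default -------------------------------------------
# Add the condition to the existing Post-Auth-Type REJECT section.
post-auth {
	Post-Auth-Type REJECT {
		# Assumption: a blocked customer has this row in radcheck:
		#   attribute = Auth-Type, op = :=, value = Reject
		# so control:Auth-Type is Reject for them. Those rejects are
		# skipped; every other reject (bad password, unknown user)
		# is still written, so real failures remain visible.
		if (!&control:Auth-Type || (&control:Auth-Type != Reject)) {
			reject_log
		}
	}
}
```

Check the result with `radiusd -XC` before restarting, then confirm that a bad-password attempt still produces a line in `reject.log` while a blocked account produces none.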