Re: (PM) Security glitch in COMOS (fwd)

John-David Childs (jdc@denver.net)
Tue, 18 Nov 1997 07:23:23 -0700

On Monday November 17, 1997, Roy <garlic@garlic.com>
had this to say about "Re: (PM) Security glitch in COMOS (fwd)":

> I will pursue the RFE with support. Security should work the same
> between the logon prompt and PAP.
>
> I wouldn't expect radius accounting to log attempts. It's much easier to
> have the authenticating code do the logging. It's a one-word change to
> have radius write the attempts to syslog.
>
> Any good security system will do logging of all attempts (good and bad)
> as well as inhibiting a systematic attack.
>

I especially agree with the last sentence. IMHO, one shouldn't have to
put radius in a debug mode to see failed attempts, especially since one
would have to sift through (or at least store) reams of "acceptable" debug
messages per day.

> To the ISPs reading this, you probably have already been broken into and
> someone is using your customers' accounts for free access.
>

True, but this doesn't necessarily follow as a failure in Radius. It's
relatively easy to get a "feel" for your customers' usage patterns (or to
build the tools to gauge patterns if you're a large shop). One could even
go so far as to compare userid with the phone number they call from (if
you have that capability in your area) and raise red flags if an account
is calling from several different phone numbers or is logged on at the
same time from different locations.

In other words, it *is* currently possible to track account abuses through
Radius accounting, but it is certainly inconvenient when compared to the
simple code changes required to log bad attempts.

If Radius accounting isn't designed to log bad attempts and would cause
problems for existing tools, then this functionality could certainly be
added to the syslog routines in ComOS (i.e. at auth.err facility).

> Roy
>
>
> MegaZone wrote:
> >
> > Once upon a time Roy shaped the electrons to say...
> > >Someone is trying to break in by trying userid/password combinations.
> > >COMOS seems to disconnect after three invalid tries when using the logon
> > >prompt but this does not happen with PAP.
> >
> > Normally in PPP you make a best effort at convergence, as long as the
> > client is willing to try you work with it. If you want this behavior
> > changed I would talk to support about an RFE.
> >
> > >Also note that Radius 2.01 will not log these attempts. This error is
> >
> > RADIUS accounting is not meant to be used in this manner. It logs
> > successful connections only, not attempts. It is not supposed to log
> > attempts. Logging failed attempts is beyond the scope of RADIUS accounting,
> > and would cause trouble for existing tools. RADIUS provides debugging (as
> > you are using) to look at other things - like attempts.
> >
> > -MZ
> > --
> > Livingston Enterprises - Chair, Department of Interstitial Affairs
> > Phone: 800-458-9966 510-737-2100 FAX: 510-737-2110 megazone@livingston.com
> > For support requests: support@livingston.com <http://www.livingston.com/>
> > Snail mail: 4464 Willow Road, Pleasanton, CA 94588
> > -
> > To unsubscribe, email 'majordomo@livingston.com' with
> > 'unsubscribe portmaster-users' in the body of the message.

-- 
John-David Childs (JC612)       Enterprise Internet Solutions
System Administrator            @denver.net/Internet-Coach/@ronan.net
  & Network Engineer            1031 S. Parker Rd. #I-8 Denver, CO 80231
As of this^H^H^H^H next week, passwords will be entered in Morse code.
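The abuse check described in the reply above (flag an account that dials in from several different phone numbers, or that is logged on at the same time from different locations) can be run directly over RADIUS accounting records. The following is an added example, not code from this thread or from Livingston; it assumes a detail-file layout of one timestamp line followed by indented "Attribute = Value" lines per record, uses the standard RFC 2866 attribute names (User-Name, Acct-Status-Type, Acct-Session-Id, Calling-Station-Id, NAS-IP-Address, NAS-Port), and the records it parses are constructed for the example.

```python
"""Flag shared or abused dial-up accounts from RADIUS accounting records.

Added example (not from the portmaster-users thread or Livingston). Assumes a
detail-file layout: timestamp line, indented "Attribute = Value" lines, blank
line between records. Attribute names follow RFC 2866. The sample below is
constructed: "alice" is used from two phone numbers with overlapping sessions
on two NASes; "bob" behaves normally.
"""
from collections import defaultdict
from datetime import datetime

TS_FMT = "%a %b %d %H:%M:%S %Y"

SAMPLE_DETAIL = """\
Mon Nov 17 08:01:10 1997
    User-Name = "alice"
    NAS-IP-Address = 192.0.2.10
    NAS-Port = 3
    Acct-Status-Type = Start
    Acct-Session-Id = "0000A001"
    Calling-Station-Id = "3035550101"

Mon Nov 17 08:05:00 1997
    User-Name = "bob"
    NAS-IP-Address = 192.0.2.10
    NAS-Port = 5
    Acct-Status-Type = Start
    Acct-Session-Id = "0000B001"
    Calling-Station-Id = "3035550202"

Mon Nov 17 08:20:00 1997
    User-Name = "bob"
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000B001"

Mon Nov 17 08:25:00 1997
    User-Name = "bob"
    NAS-IP-Address = 192.0.2.10
    NAS-Port = 6
    Acct-Status-Type = Start
    Acct-Session-Id = "0000B002"
    Calling-Station-Id = "3035550202"

Mon Nov 17 08:30:00 1997
    User-Name = "alice"
    NAS-IP-Address = 192.0.2.11
    NAS-Port = 7
    Acct-Status-Type = Start
    Acct-Session-Id = "0000A002"
    Calling-Station-Id = "3035550199"

Mon Nov 17 08:40:00 1997
    User-Name = "bob"
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000B002"

Mon Nov 17 08:45:00 1997
    User-Name = "alice"
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000A001"

Mon Nov 17 09:00:00 1997
    User-Name = "alice"
    Acct-Status-Type = Stop
    Acct-Session-Id = "0000A002"
"""


def parse_detail(text):
    """Return one dict per record: 'time' plus the record's attributes."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = [ln for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"time": datetime.strptime(lines[0].strip(), TS_FMT)}
        for line in lines[1:]:
            name, _, value = line.strip().partition(" = ")
            rec[name] = value.strip('"')
        records.append(rec)
    return records


def build_sessions(records):
    """Pair Start/Stop records by Acct-Session-Id; map user -> sessions."""
    open_by_id = {}
    sessions = defaultdict(list)
    for rec in records:
        sid, status = rec.get("Acct-Session-Id"), rec.get("Acct-Status-Type")
        if status == "Start":
            sess = {
                "caller": rec.get("Calling-Station-Id", "unknown"),
                "nas": f'{rec.get("NAS-IP-Address")}/{rec.get("NAS-Port")}',
                "start": rec["time"],
                "stop": None,  # still open until a matching Stop arrives
            }
            open_by_id[sid] = sess
            sessions[rec["User-Name"]].append(sess)
        elif status == "Stop" and sid in open_by_id:
            open_by_id.pop(sid)["stop"] = rec["time"]
    return sessions


def find_abuse(sessions, max_callers=1):
    """Return user -> findings for multi-number use or concurrent logins."""
    findings = defaultdict(list)
    for user, sess in sessions.items():
        callers = {s["caller"] for s in sess}
        if len(callers) > max_callers:
            findings[user].append(f"called from {len(callers)} numbers: {sorted(callers)}")
        ordered = sorted(sess, key=lambda s: s["start"])
        for i, a in enumerate(ordered):
            a_end = a["stop"] or datetime.max  # open session: treat as ongoing
            for b in ordered[i + 1:]:
                if b["start"] < a_end and b["nas"] != a["nas"]:
                    findings[user].append(
                        f"concurrent sessions on {a['nas']} and {b['nas']} at {b['start']:%H:%M}")
    return dict(findings)


def analyze(text):
    return find_abuse(build_sessions(parse_detail(text)))


if __name__ == "__main__":
    for user, notes in analyze(SAMPLE_DETAIL).items():
        print(user, "->", "; ".join(notes))
```

Run it against a real detail file by passing the file's contents to analyze(). Sessions with no Stop record are treated as still open, so a stale session from a NAS that rebooted will show up as "concurrent" until the accounting catches up; raise max_callers for customers who legitimately dial in from home and office.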