How to Reject User During Authentication


How to Reject User During Authentication

Selahattin Cilek
Hi.

I have one FreeRADIUS 2.2.9 server running in a student dorm. The server depends on MySQL as its backend. There is also a .NET application I have written to manage and monitor the "raddb" database, which I have customised to suit their needs.

All has been going well for about 6 months. But the dorm director has run into a problem today. There are only a handful of students staying in the dorm. All others are on vacation. Using the .NET application, the director has found out that some students log in to the network using the credentials of some other students that are away. Apparently, they share passwords with fellow students. But the director cannot let that happen. It is against the law to use some other person's credentials to gain access to services, and it does not matter if there is consent. It is very much like lending your passport to a friend. So he asked me to come up with a way to prevent that from happening again.

Since we can't just delete the missing students from the database,  I decided to append another field to an existing database table that I use to keep track of network usage (table: usage, column: locked). I also made changes to the .NET application to make it possible for the director to "lock" those users that are away. When a user's "locked" field is set to 1, the "datacounter_auth.sh" script detects this and does not authorise him.

So what is the problem? The problem is that "datacounter_auth.sh" is executed *after* the user is authenticated. What I would like to do is to prevent a locked user from ever passing the authentication phase, because the system logs that as a valid login. We can't let that happen either because the law stipulates that we keep an accurate log of user logins.

So my question is: How can I make authentication fail using an SQL statement *even if* the user provides valid credentials?

Good luck and good day.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to Reject User During Authentication

Alan DeKok-2
On Aug 11, 2017, at 1:02 PM, Selahattin Cilek <[hidden email]> wrote:
> All has been going well for about 6 months. But the dorm director has run into a problem today. There are only a handful of students staying in the dorm. All others are on vacation. Using the .NET application, the director has found out that some students log in to the network using the credentials of some other students that are away. Apparently, they share passwords with fellow students. But the director cannot let that happen. It is against the law to use some other person's credentials to gain access to services, and it does not matter if there is consent. It is very much like lending your passport to a friend. So he asked me to come up with a way to prevent that from happening again.
>
> Since we can't just delete the missing students from the database,  I decided to append another field to an existing database table that I use to keep track of network usage (table: usage, column: locked). I also made changes to the .NET application to make it possible for the director to "lock" those users that are away. When a user's "locked" field is set to 1, the "datacounter_auth.sh" script detects this and does not authorise him.
>
> So what is the problem? The problem is that "datacounter_auth.sh" is executed *after* the user is authenticated.

  Because you configured it to do that.  The server can run scripts before authentication.  See raddb/modules/exec as an example.

> What I would like to do is to prevent a locked user from ever passing the authentication phase, because the system logs that as a valid login. We can't let that happen either because the law stipulates that we keep an accurate log of user logins.
>
> So my question is: How can I make authentication fail using an SQL statement *even if* the user provides valid credentials?

  Check for the locked user in the "authorize" section.  That happens before authentication.

  Alan DeKok.



Re: How to Reject User During Authentication

Selahattin Cilek


On 11.08.2017 14:28, Alan DeKok wrote:

> On Aug 11, 2017, at 1:02 PM, Selahattin Cilek <[hidden email]> wrote:
>> All has been going well for about 6 months. But the dorm director has run into a problem today. There are only a handful of students staying in the dorm. All others are on vacation. Using the .NET application, the director has found out that some students log in to the network using the credentials of some other students that are away. Apparently, they share passwords with fellow students. But the director cannot let that happen. It is against the law to use some other person's credentials to gain access to services, and it does not matter if there is consent. It is very much like lending your passport to a friend. So he asked me to come up with a way to prevent that from happening again.
>>
>> Since we can't just delete the missing students from the database,  I decided to append another field to an existing database table that I use to keep track of network usage (table: usage, column: locked). I also made changes to the .NET application to make it possible for the director to "lock" those users that are away. When a user's "locked" field is set to 1, the "datacounter_auth.sh" script detects this and does not authorise him.
>>
>> So what is the problem? The problem is that "datacounter_auth.sh" is executed *after* the user is authenticated.
>    Because you configured it to do that.  The server can run scripts before authentication.  See raddb/modules/exec as an example.
>
>> What I would like to do is to prevent a locked user from ever passing the authentication phase, because the system logs that as a valid login. We can't let that happen either because the law stipulates that we keep an accurate log of user logins.
>>
>> So my question is: How can I make authentication fail using an SQL statement *even if* the user provides valid credentials?
>    Check for the locked user in the "authorize" section.  That happens before authentication.

I didn't know that.

Doing this did the trick:

     if ("%{sql: SELECT locked FROM `usage` WHERE user_name = '%{User-Name}'}" == "1") {
         reject
     }

Now there are no "Login OK"s in the log.

Thank you very much.

But I'd still like to know how to make the script run *before*
authentication. I haven't found anything of much help in the exec module.

>
>    Alan DeKok.


Re: How to Reject User During Authentication

Alan DeKok-2
On Aug 11, 2017, at 2:10 PM, Selahattin Cilek <[hidden email]> wrote:
>
> Doing this did the trick:
>
>     if ("%{sql: SELECT locked FROM `usage` WHERE user_name =
> '%{User-Name}'}" == "1" ) {
>         reject
>     }
>
> Now there are no "Login OK"s in the log.

  That's good.

> Thank you very much.
>
> But I'd still like to know how to make the script run *before*
> authentication. I haven't found anything of much help in the exec module.

  Copy the exec file to a file called "datacounter", and then edit it:

exec datacounter {
        wait = yes
        input_pairs = request
        shell_escape = yes
        output = none
        timeout = 10
        program = "/path/to/datacounter.sh"
}

  And then put "datacounter" into the "authorize" section.

  It will run your program, and the request attributes will be in environment variables.

  Alan DeKok.
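A script shaped to fit the exec stanza above (wait = yes, output = none, run from "authorize"), written here as an added example and not Selahattin's actual datacounter_auth.sh: rlm_exec exports request attributes as upper-cased environment variables with "-" turned into "_", so User-Name arrives as USER_NAME, and with output = none only the exit status counts (0 = ok, 1 = reject, 2 = fail). The `usage` table and `locked` column come from the thread; the mysql client options, the config file path and the allowlist on the user name are my assumptions.

```shell
#!/bin/sh
# Added example: lock check for rlm_exec in "authorize" (not the original datacounter_auth.sh).
# rlm_exec hands request attributes over as environment variables (User-Name -> USER_NAME).
# With output = none only the exit status is used: 0 = ok, 1 = reject, 2 = fail.

# Assumption: how the mysql client is invoked; kept in a variable so it can be stubbed.
MYSQL_CMD="${MYSQL_CMD:-mysql --defaults-file=/etc/raddb/datacounter.cnf -N -B radius}"

# Only accept user names that cannot break out of the quoted SQL literal below.
valid_user_name() {
    case "$1" in
        '' | *[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Query the locked flag for one user. Prints "0", "1" or nothing (unknown user).
query_locked() {
    printf "SELECT locked FROM \`usage\` WHERE user_name = '%s'\n" "$1" | $MYSQL_CMD
}

# Map the lookup result to an rlm_exec exit status:
# locked = 1 -> 1 (reject); anything else -> 0 (ok, continue to authentication).
lock_decision() {
    [ "$1" = "1" ] && return 1
    return 0
}

# Full check for a user name; its return status is what rlm_exec should see.
check_user() {
    name="$1"
    if ! valid_user_name "$name"; then
        # Malformed name: fail closed instead of building SQL from it.
        return 1
    fi
    lock_decision "$(query_locked "$name")"
}

# When started by rlm_exec, USER_NAME is set: exit with the decision.
if [ -n "${USER_NAME:-}" ]; then
    check_user "$USER_NAME"
    exit $?
fi
```

An unknown user is deliberately passed through (status 0) so that the normal SQL authentication, not this script, decides on credentials.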



Re: How to Reject User During Authentication

Selahattin Cilek


On 11.08.2017 15:37, Alan DeKok wrote:

> On Aug 11, 2017, at 2:10 PM, Selahattin Cilek <[hidden email]> wrote:
>> Doing this did the trick:
>>
>>      if ("%{sql: SELECT locked FROM `usage` WHERE user_name =
>> '%{User-Name}'}" == "1" ) {
>>          reject
>>      }
>>
>> Now there are no "Login OK"s in the log.
>    That's good.
>
>> Thank you very much.
>>
>> But I'd still like to know how to make the script run *before*
>> authentication. I haven't found anything of much help in the exec module.
>    Copy the exec file to a file called "datacounter", and then edit it:
>
> exec datacounter {
> wait = yes
> input_pairs = request
> shell_escape = yes
> output = none
> timeout = 10
> program = "/path/to/datacounter.sh"
> }
>
>    And then put "datacounter" into the "authorize" section.
>
>    It will run your program, and the request attributes will be in environment variables.

OK. Thank you very much.

Cheers.

>
>    Alan DeKok.
