Logging problem

Norbert Wegener norbert.wegener at siemens.com
Fri Sep 12 10:21:00 CEST 2008


Hello Alan,
I want logging information if a client shows up with an expired
certificate.
Therefore in authorize I have:

...

eap
if (invalid) {
        update reply {
                Tmp-String-5 = "INVALID Certificate"
        }
}


....

in post-auth :
..
        Post-Auth-Type REJECT {
                sql_log
        }

and in  modules/sql_log:

Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate, nasname, nasipaddress, radiusip, \
         machinetype, nasport, modulefailmes, csi) \
        VALUES \
        ('%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', '%S', \
         '%{NAS-Identifier}', '%{Client-IP-Address}', '${RADIP}', \
         '%{Port-Message}', '%{NAS-Port-Id}', '%{reply:Tmp-String-5}', '%{Calling-Station-Id}');"

When a client shows up with an expired certificate I would expect to see 
the message "INVALID Certificate".

.....
Here is what I get with 2.1.0:
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server cisco
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql_log] Processing sql_log_postauth
        expand: %{User-Name} -> HOST/osd02red.ww901.mycompany.net
        expand: %{%{User-Name}:-DEFAULT} -> HOST/osd02red.ww901.mycompany.net
[sql_log] sql_set_user escaped user --> 'HOST/osd02red.ww901.mycompany.net'
        expand: INSERT INTO radpostauth                         
(username, pass, reply, authdate, nasname, 
nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) 
VALUES                                  ('%{User-Name}', 
'%{User-Password}',            '%{reply:Packet-Type}', '%S', 
'%{NAS-Identifier}','%{Client-IP-Address}','1.2.3.4',     
'%{Port-Message}','%{NAS-Port-Id}','%{reply:Tmp-String-5}','%{Calling-Station-Id}'); 
-> INSERT INTO radpostauth                         (username, pass, 
reply, authdate, nasname, 
nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) 
VALUES                                  
('HOST/osd02red.ww901.mycompany.net', '',               'Access-Reject', 
'2008-09-12 09:58:09', '','123.246.185.169','1.2.3.4', 
'','','','00-00-00-00-00-02');

It seems "if (invalid)" is not entered and I don't see why.

Norbert Wegener
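As an added example (not part of the post and not FreeRADIUS code), a small Python scan of the radiusd -X output quoted above: it extracts the TLS alert, each module's return code and whether any unlang condition was evaluated, which is the first check to make when an "if" placed after a module seems never to run. It assumes the 2.x debug format shown on the page, where an evaluated condition prints a "++? if (...)" line, and the 2.x default authorize priorities, under which invalid, reject, fail, handled and userlock return from the section.

```python
import re

# Constructed sample: the radiusd -X lines quoted in the post, trimmed to the
# ones that matter for the question (TLS alert, module return code, post-auth).
SAMPLE_DEBUG = """\
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
++[eap] returns invalid
Failed to authenticate the user.
} # server cisco
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql_log] Processing sql_log_postauth
"""

TLS_ALERT_RE = re.compile(r"TLS \d\.\d Alert \[length \w+\], (\w+) (\w+)")
MODULE_RC_RE = re.compile(r"^\++\[([\w-]+)\] returns (\w+)")
# Assumption: 2.x debug output prints "++? if (cond)" whenever unlang
# actually evaluates a condition, so its absence means the "if" never ran.
CONDITION_RE = re.compile(r"^\++\? if \((.*)\)$")
POST_AUTH_RE = re.compile(r"^Using Post-Auth-Type (\w+)")

# Return codes that end an authorize section under the 2.x default priorities.
SECTION_ENDING_RCS = {"reject", "fail", "invalid", "handled", "userlock"}

def analyze(debug_output):
    """Collect the facts a reviewer needs from one request's debug output."""
    facts = {"tls_alert": None, "module_rcs": [], "conditions": [], "post_auth_type": None}
    for line in debug_output.splitlines():
        m = TLS_ALERT_RE.search(line)
        if m:
            facts["tls_alert"] = (m.group(1), m.group(2))  # e.g. ("fatal", "certificate_expired")
        m = MODULE_RC_RE.match(line)
        if m:
            facts["module_rcs"].append((m.group(1), m.group(2)))
        m = CONDITION_RE.match(line)
        if m:
            facts["conditions"].append(m.group(1))
        m = POST_AUTH_RE.match(line)
        if m:
            facts["post_auth_type"] = m.group(1)
    return facts

def diagnose(facts):
    """Explain why a condition placed after a module may never have been evaluated."""
    for module, rc in facts["module_rcs"]:
        if rc in SECTION_ENDING_RCS and not facts["conditions"]:
            return f"{module} returned '{rc}', which ends the section; no 'if' was evaluated afterwards"
    return "no section-ending return code found"

if __name__ == "__main__":
    facts = analyze(SAMPLE_DEBUG)
    print("TLS alert:", facts["tls_alert"], "| post-auth type:", facts["post_auth_type"])
    print(diagnose(facts))
```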
