Mac Auth and post-auth logging to SQL
Alan DeKok
aland at deployingradius.com
Sun Mar 27 20:44:56 CEST 2011
Jason Antman wrote:
> And in post-auth{}:
> ### snip ###
> if(control:Auth-Type == 'CSID'){
> # Authorization happens here
> authorized_macs.authorize
> if(!ok){
> reject
Uh... why? If the user is authenticated, you shouldn't be rejecting him.
> If I put a "sql" line before this, it always logs with Access-Accept,
> since that's what authenticate{} ALWAYS returns, and the sql module is
> being called before . If I put a "sql" line after this, it never gets
> executed for "reject" statements...
Because you're doing it wrong. The whole point of accepting the user
is that you *don't* reject them.
Change your rules to reject the user *before* they're accepted. The
logging will then behave as you expect. It doesn't behave as you expect
now, because you're rejecting them after you've accepted them. That
makes no sense.
> Why is the authorize statement in the post-auth { } section? That seems
> to be the cause of these problems...
So move it.
Alan DeKok.
More information about the Freeradius-Users
mailing list