Accounting in MySQL - Password
Alan DeKok
aland at deployingradius.com
Mon Jan 13 14:25:59 CET 2014

P K wrote:
> Thanks Alan & Alan. That change seemed to work. I did some testing
> today with the accounting on sql. Please could you explain this so
> that I can understand the logging better?

It also helps to read the configuration, the debug output, and to
understand what you've done.

> 15 - PEAP/MSCHAP (Invalid credentials)
> 18/19 - TTLS/PAP (Valid Credentials with privacy on)
> 20/21 - TTLS/PAP (Valid Credentials with privacy off)
> 25 - TTLS/PAP (Invalid credentials with privacy on)
> 27 - TTLS/PAP (Invalid credentials with privacy on and
> basil at moo.com as anonymous user)
> 28/29 - TTLS/PAP (Valid credentials with privacy on and basil at moo.com
> as anonymous user and basil as actual user)
>
> Will "accept" always result in two entries?

Yes, because that's what you told it to do. You're using EAP-TTLS,
which has the "outer" session, and "inner" one. You've configured the
server to log *both* sessions.

> Is there anything I can do
> to stop clients from using anonymous or changing anonymous id to
> anything else like basil at moo.com in the test above?

No, because "anonymous" is the identity they're using in the outer
session.

> Is there anything
> I can do to log the actual user that was rejected as in the case of
> (25)?

Yes, configure "sql" in "Post-Auth-Type Reject" in
sites-enabled/inner-tunnel. You may have to run 2.2.3 for this.

Again, all of these questions are answered by reading the debug output
and the configuration *you* created.

Alan DeKok.
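
The change described in the reply above, as an added example that is not part of the original post or of the configuration shipped with FreeRADIUS: a sketch of the post-auth section of sites-enabled/inner-tunnel in 2.x syntax. It assumes an "sql" module instance is already defined and that "sql" is already listed for accepted requests, as the two-entries-per-accept behaviour in the thread implies.

```conf
# sites-enabled/inner-tunnel
# Added sketch: this section goes inside the existing
# "server inner-tunnel { }" block; other sections stay as they are.

post-auth {
	# Accepted inner authentications. The row is written with the
	# inner User-Name (the real user), not the outer identity.
	sql

	# Rejected inner authentications. Listing "sql" here runs the
	# module's post-auth query for rejects as well, so a failed
	# TTLS/PAP attempt is logged under the inner User-Name instead
	# of only the outer one (e.g. "anonymous").
	Post-Auth-Type REJECT {
		sql
	}
}
```

The stock 2.x postauth_query writes the submitted User-Password into the table next to the username, so with TTLS/PAP every rejected attempt stores whatever password was typed. Review that query and the access controls on the table before enabling reject logging.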