On 25/09/12 17:25, Matthew Newton wrote:
I've been looking at the code recently to also see if the Post-Auth REJECT in inner-tunnel can be fixed. I can see an easy and fairly obvious of doing it, but the right way seems to involve the core event system, where I don't really want to go. That would fix up the one thing that is missing from our logs (outer reject doesn't log inner username, so it's hard to find these). I could then stop relaying outer auths to the central log entirely, as they're generally uninteresting.
[moving to -devel] Ah I remember this. It's because rad_authenticate calls rad_postauth if authentication succeeds, but relies on request_finish to call rad_postauth in the case of failure. I did think about this myself; one option is to call rad_postauth manually if rad_authenticate(fake) fails in peap.c - which I guess is the easy/obvious solution you're referring to? Certainly preferable to the current situation IMO. The "Post-Auth-Type REJECT" stuff did originally live in rad_authenticate - it was removed in commit 47a090897a. Not sure what the rationale was - something to do with reject_delay? - so I was unwilling to fiddle. Alan, can you comment?