Thanks Alan. I understand now. I've created my own postauth table and updated the sql query. My query is like this: postauth_query = "INSERT INTO newradpostauth \ (username, usernameouter, usernameinner, reply, authdate, calling_station_id, called_station_id, nasipaddress) \ VALUES ( \ '%{User-Name}', \ '%{outer.request:User-Name}', \ '%{User-Name}', \ '%{reply:Packet-Type}', \ '%S', \ '%{Calling-Station-Id}', \ '%{config:name}', \ '%{NAS-IP-Address}' \ )" This works ok with a few niggles. outer.request:User-Name works when this query is being executed from inner-tunnel but not in outer obviously. So I want to put an if condition. I'm fine with the syntax but i'm struggling to determine what to put a condition on. What variable should I look at to determine if I'm in inner or outer tunnel? I was thinking virtual-server .. not sure. Also I want to record protocol TTLS/PAP or PEAP/MSCHAP that has been in action. What variable should I use for this? Is there a variable that would indicate the module that succeeded e.g ldap, mysql etc. so that I could record it? Auth-Type?? Thanks. On 13 January 2014 13:25, Alan DeKok <aland@deployingradius.com> wrote:
P K wrote:
Thanks Alan & Alan. That change seemed to work. I did some testing today with the accounting on sql. Please could you explain this so that I can understand the logging better?
It also helps to read the configuration, the debug output, and to understand what you've done.
15 - PEAP/MSCHAP (Invalid credentials) 18/19 - TTLS/PAP (Valid Credentials with privacy on) 20/21 - TTLS/PAP (Valid Credentials with privacy off) 25 - TTLS/PAP (Invalid credentials with privacy on) 27 - TTLS/PAP (Invalid credentials with privacy on and basil@moo.com as anonymous user) 28/29 - TTLS/PAP (Valid credentials with privacy on and basil@moo.com as anonymous user and basil as actual user)
Will "accept" always result in two entries?
Yes, because that's what you told it to do. You're using EAP-TTLS, which has the "outer" session, and "inner" one. You've configured the server to log *both* sessions.
Is there anything I can do to stop clients from using anonymous or changing anonymous id to anything else like basil@moo.com in the test above?
No, because "anonymous" is the identity they're using in the outer session.
Is there anything I can do to log the actual user that was rejected as in the case of (25)?
Yes, configure "sql" in "Post-Auth-Type Reject" in sites-enabled/inner-tunnel. You may have to run 2.2.3 for this.
Again, all of these questions are answered by reading the debug output and the configuration *you* created.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html