Jason Antman wrote:
And in post-auth{}: ### snip ### if(control:Auth-Type == 'CSID'){ # Authorization happens here authorized_macs.authorize if(!ok){ reject
Uh... why? If the user is authenticated, you shouldn't be rejecting him.
If I put a "sql" line before this, it always logs with Access-Accept, since that's what authenticate{} ALWAYS returns, and the sql module is being called before . If I put a "sql" line after this, it never gets executed for "reject" statements...
Because you're doing it wrong. The whole point of accepting the user is that you *don't* reject them. Change your rules to reject the user *before* they're accepted. The logging will then behave as you expect. It doesn't behave as you expect now, because you're rejecting them after you've accepted them. That makes no sense.
Why is the authorize statement in the post-auth { } section? That seems to be the cause of these problems...
So move it. Alan DeKok.