P K wrote:
Thanks Alan & Alan. That change seemed to work. I did some testing today with the accounting on sql. Please could you explain this so that I can understand the logging better?
It also helps to read the configuration, the debug output, and to understand what you've done.
15 - PEAP/MSCHAP (Invalid credentials) 18/19 - TTLS/PAP (Valid Credentials with privacy on) 20/21 - TTLS/PAP (Valid Credentials with privacy off) 25 - TTLS/PAP (Invalid credentials with privacy on) 27 - TTLS/PAP (Invalid credentials with privacy on and basil@moo.com as anonymous user) 28/29 - TTLS/PAP (Valid credentials with privacy on and basil@moo.com as anonymous user and basil as actual user)
Will "accept" always result in two entries?
Yes, because that's what you told it to do. You're using EAP-TTLS, which has the "outer" session, and "inner" one. You've configured the server to log *both* sessions.
Is there anything I can do to stop clients from using anonymous or changing anonymous id to anything else like basil@moo.com in the test above?
No, because "anonymous" is the identity they're using in the outer session.
Is there anything I can do to log the actual user that was rejected as in the case of (25)?
Yes, configure "sql" in "Post-Auth-Type Reject" in sites-enabled/inner-tunnel. You may have to run 2.2.3 for this. Again, all of these questions are answered by reading the debug output and the configuration *you* created. Alan DeKok.