post-auth { # rejected requests Post-Auth-Type REJECT { log_reject }
# accepted requests log_accept }
But unfortunately, post-auth seems to be entered twice, and the log looks like this:
2008-05-21 15:18:51 REJECT radius.test 2008-05-21 15:19:44 ACCEPT radius.test 2008-05-21 15:19:44 ACCEPT radius.test
This is happening because the post-auth section is matched twice; once for the "inner" EAP tunnelled request, and once for the final outer EAP.
The freeradius version used is the current Debian stable package, 1.1.3-3, extended by self-compiled EAP modules compiled from source.
Upgrade to 2.0.4 and use the virtual server function; put your logging section in the post-auth section of the inner tunnel only