On Jun 20, 2017, at 10:30 AM, Wussler, Doug <doug.wussler@fsu.edu> wrote:
First, allow me to preface my inquiry by saying that we have been using FreeRADIUS for at least 5 years now. It does a fantastic job for us and we very much appreciate having access to this excellent application and to this extremely responsive listserv. We are grateful and send our thanks to all contributors.\
Thanks. The responses I usually give are not intended to be annoying, but to be sure I understand what people are asking for. I can't make assumptions about what people are referring to... having debug output is almost alway better.
Now, to my inquiry:
In “radiusd.conf” the “log {}” section defines radius log processing. In particular, “msg_goodpass” and “msg_badpass” allow you to add arbitrary info to your log records through the expansion of custom variables. Our config looks like this:
log { destination = files file = ${logdir}/radius.log auth = yes msg_goodpass = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:VLAN}" msg_badpass = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}" }
Which is all fine...
Here is the relevant debug from a successful PEAP-MSChapV2 authentication. Note that the “Post-Auth” processing takes place BEFORE the log record is expanded and written.
That's what the code does in src/main/auth.c, function rad_postauth(). It calls process_post_auth(), and then logs the message via rad_authlog().
Here is the relevant debug from an unsuccessful auth. Note that the Post-Auth-Type Reject processing takes place AFTER the log record is expanded and written:
(8) Failed to authenticate the user (8) EXPAND %{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} (8) --> wg-wireless.fsu.edu Sha iPhone
Ah, yes.... for Access-Reject, the call to rad_authlog() is done before calling post-auth-type Reject. See rad_authenticate().
Is there some reason why we would want Post-Auth Accept to run BEFORE log processing but Post-Auth-Type Reject to run AFTER log processing? It seems like we would want our Post-Auth processing to occur in the same sequence relative to expanding and writing the log record no matter whether we get an Accept or a Reject.
I agree. I've pushed patches to the v3.0.x branch. Please try them out. Alan DeKok.