Reporting from logs

Phil Mayers p.mayers at imperial.ac.uk
Tue Sep 25 19:08:04 CEST 2012


On 25/09/12 17:25, Matthew Newton wrote:

> I've been looking at the code recently to also see if the
> Post-Auth REJECT in inner-tunnel can be fixed. I can see an easy
> and fairly obvious way of doing it, but the right way seems to involve
> the core event system, where I don't really want to go. That would
> fix up the one thing that is missing from our logs (outer reject
> doesn't log inner username, so it's hard to find these). I could
> then stop relaying outer auths to the central log entirely, as
> they're generally uninteresting.

[moving to -devel]

Ah I remember this. It's because rad_authenticate calls rad_postauth if 
authentication succeeds, but relies on request_finish to call 
rad_postauth in the case of failure.

I did think about this myself; one option is to call rad_postauth 
manually if rad_authenticate(fake) fails in peap.c - which I guess is 
the easy/obvious solution you're referring to? Certainly preferable to 
the current situation IMO.

The "Post-Auth-Type REJECT" stuff did originally live in 
rad_authenticate - it was removed in commit 47a090897a. Not sure what 
the rationale was - something to do with reject_delay? - so I was 
unwilling to fiddle. Alan, can you comment?

