Reporting from logs
p.mayers at imperial.ac.uk
Tue Sep 25 19:08:04 CEST 2012

On 25/09/12 17:25, Matthew Newton wrote:
> I've been looking at the code recently to also see if the
> Post-Auth REJECT in inner-tunnel can be fixed. I can see an easy
> and fairly obvious way of doing it, but the right way seems to involve
> the core event system, where I don't really want to go. That would
> fix up the one thing that is missing from our logs (outer reject
> doesn't log inner username, so it's hard to find these). I could
> then stop relaying outer auths to the central log entirely, as
> they're generally uninteresting.

[moving to -devel]

Ah I remember this. It's because rad_authenticate calls rad_postauth if
authentication succeeds, but relies on request_finish to call
rad_postauth in the case of failure.

I did think about this myself; one option is to call rad_postauth
manually if rad_authenticate(fake) fails in peap.c - which I guess is
the easy/obvious solution you're referring to? Certainly preferable to
the current situation IMO.

The "Post-Auth-Type REJECT" stuff did originally live in
rad_authenticate - it was removed in commit 47a090897a. Not sure what
the rationale was - something to do with reject_delay? - so I was
unwilling to fiddle. Alan, can you comment?