Rule for don't log specific user session.
Phil Mayers
p.mayers at imperial.ac.uk
Wed Mar 12 11:24:07 CET 2008
Ben Wiechman wrote:
> With this it wouldn't be that hard to separate the information for a
> specific subscriber or group into a separate log file would it.

Correct.

> Assuming that the two log options are appropriately configured:
>
> Fr 2.x
> if (User-Name != "test-user") {
>     # will (Group-Name != "test-group") { work?
>     User_log
> }
> else {
>     Test_log
> }
>
> Or FR 1.x
>
> preacct {
>     files
> }
> accounting {
>     Acct-Type SQL-LOG {
>         User_log
>     }
>     Acct-Type TEST-LOG {
>         Test_log
>     }
> }
>
> ...then in "acct_users":
>
> Test-user Acct-Type := TEST-LOG
>     Fall-Through = No
>
> DEFAULT Acct-Type := SQL-LOG
>
> Is there an equivalent way to do this using sql? Ie radreply/radgroupreply?

radcheck/radreply and co. are only processed for authentication
requests, so not directly, but you can work around that.

The most straightforward way is to add the Class attribute to the
authentication reply (e.g. from radreply or radgroupreply). RFC
compliant NASes will then send the Class attribute in the corresponding
accounting requests[1], then you can match it in preacct i.e. in acct_users:

    DEFAULT Class == "testlog", Acct-Type := TEST-SQL

    DEFAULT Acct-Type := SQL-LOG

[1] HOWEVER - be aware that certain crappy NASes do not obey the RFCs,
and do not send the Class attribute back. You'll need to test and see if
this works on your equipment (and file a bug if it doesn't!)

> Also, will this take care of both accounting log info and authentication log
> info?

No. See doc/Post-Auth-Type and the post-auth section.
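
One way to run the "test and see if this works on your equipment" check from footnote [1], as an added example that is not part of the original post or of FreeRADIUS: scan accounting records for tagged users and list the NASes that did not echo Class back. The detail-file layout, the hex rendering of Class, the sample records and all function names are assumptions made for this example.

```python
import re

# Constructed sample in FreeRADIUS "detail" file layout (not real data):
# a timestamp line, tab-indented "Attribute = value" lines, blank separator.
SAMPLE_DETAIL = """\
Wed Mar 12 11:20:01 2008
\tUser-Name = "test-user"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Status-Type = Start
\tClass = 0x746573746c6f67

Wed Mar 12 11:21:40 2008
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.20
\tAcct-Status-Type = Start

Wed Mar 12 11:23:15 2008
\tUser-Name = "test-user"
\tNAS-IP-Address = 192.0.2.20
\tAcct-Status-Type = Stop
"""

ATTR = re.compile(r'^\s+([\w-]+)\s*=\s*(.*)$')

def parse_detail(text):
    """Yield one attribute dict per accounting record."""
    record = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            record[m.group(1)] = m.group(2).strip().strip('"')
        elif not line.strip() and record:
            yield record
            record = {}
    if record:
        yield record

def decode_class(value):
    """Class is an octets attribute: accept 0x-hex (assumed) or a plain string."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("latin-1")
    return value

def missing_class(text, users, expected="testlog"):
    """Return (NAS, user, status) for tagged users whose accounting lacks Class."""
    hits = []
    for rec in parse_detail(text):
        if rec.get("User-Name") in users and decode_class(rec.get("Class", "")) != expected:
            hits.append((rec.get("NAS-IP-Address"), rec["User-Name"], rec.get("Acct-Status-Type")))
    return hits
```

Only users who were actually given Class in the authentication reply should be passed in `users`; any NAS that shows up in the result would route those sessions to the DEFAULT Acct-Type instead of the test log.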