Logging Authentication Rejects

Kristoffer Milligan kristoffer at nextnet.no
Thu Jan 20 11:17:21 CET 2011

radiusd: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on 
Apr 30 2010 at 09:48:09

root at hostname:~# lsb_release -a
Distributor ID:    Ubuntu
Description:    Ubuntu 9.10
Release:    9.10
Codename:    karmic

Good day list,

I am trying to set up some logging on my radius server. The server is 
responsible for a WiMAX network running on equipment from Alvarion. 
After a troublesome start, things are starting to straighten out.

I've now reached the point where I want to apply some additional logging 
to start ironing out minor bugs. Running FR in debug mode, I see the 
occasional access-reject (mostly caused by wrongly configured 
username/passwords), and I would like to log these to my database.

In my default tunnel, I have added sql_log module to the post-auth 
section, subsection Post-Auth-Type REJECT. The default SQL looks like this:
#       Post-Auth = "INSERT INTO ${postauth_table}                   \
#        (username, pass, reply, authdate) VALUES                    \
#        ('%{User-Name}', '%{User-Password:-Chap-Password}',         \
#        '%{reply:Packet-Type}', '%S');

which would provide a line of log (in my case) looking something like this:
Incremental Id, =F8=F334534534645645645687 at WiMAX.com, '', 
'Access-Reject', DATETIME.
(The username is jus something I typed out, but that's what they look like).

This data is good to give me an idea of how many access rejects I am 
getting, but I have no clue from what usernames they are coming, nor WHY 
they were rejected. I know that the username in the inner tunnel is 
plaintext as well, meaning it looks like i.e kristoffer at WiMAX.com.

My question is;
What should my SQL look like if I want to log the following data:

Incremental id,  'Attempted/Cleartext Username', 'Attempted/Cleartext 
password', 'Access-Reject - {Rejection-Reason}', DATETIME ?

Looking forwards to your replies..

Kristoffer Milligan

More information about the Freeradius-Users mailing list