Logging Authentication Rejects

Alan DeKok aland at deployingradius.com
Thu Jan 20 12:40:08 CET 2011

Kristoffer Milligan wrote:
> This data is good to give me an idea of how many access rejects I am
> getting, but I have no clue from what usernames they are coming, nor WHY
> they were rejected. I know that the username in the inner tunnel is
> plaintext as well, meaning it looks like i.e kristoffer at WiMAX.com.

  See Module-Failure-Message.  You should be able to log that, too.

> My question is;
> What should my SQL look like if I want to log the following data:
> Incremental id,  'Attempted/Cleartext Username', 'Attempted/Cleartext
> password', 'Access-Reject - {Rejection-Reason}', DATETIME ?

  You need to update the "inner-tunnel" virtual server to copy that data
to the outer tunnel session.  Then... log it.

  Alan DeKok.

More information about the Freeradius-Users mailing list