Mac Auth and post-auth logging to SQL

Jason Antman jantman at oit.rutgers.edu
Fri Mar 25 20:39:28 CET 2011


I'm referencing the Mac-Auth wiki page at: 
http://wiki.freeradius.org/Mac-Auth

Alan DeKok wrote:
> Jason Antman wrote:
>   
>> I'm running FreeRADIUS 2.1.7 on CentOS 5, and trying to configure MAC
>> Auth Bypass. I got everything functioning correctly using the Mac-Auth
>> Wiki page as a guide, including placement of the actual CSID
>> authentication code in the post-auth section. However, I just enabled
>> SQL in the post-auth section, and everything is getting logged to SQL
>> with reply Access-Accept, even if it matched the "reject" statement.
>>     
>
>   I don't see how that is possible.  Are you sure you know what it's
> doing?  Have you run the server in debugging mode?
>   
Yes, I have, and am.

As per the wiki page... I have in authenticate {}:
### snip ###
Auth-Type CSID {
    if(Chap-Password){
        update control {
            Cleartext-Password := "%{User-Name}"
        }
        chap
    }
    else{
        ok
    }
}
### end snip ###

which ALWAYS returns OK. Period.

And in post-auth{}:
### snip ###
if(control:Auth-Type == 'CSID'){
    # Authorization happens here
    authorized_macs.authorize
    if(!ok){
        reject
    }
}
### end snip ###
If I put a "sql" line before this, it always logs with Access-Accept, 
since that's what authenticate{} ALWAYS returns, and the sql module is 
being called before. If I put a "sql" line after this, it never gets 
executed for "reject" statements...
>   
>> It seems to me that it's pretty logical that post-auth would be entered
>> with Auth-Type == Access-Accept, the SQL log would happen, and *then*
>> the "reject" statement would get executed
>>     
>
>   That makes no sense.  "If it's accept, it runs reject" ?
>   
See above.
>   
>> . What I don't understand is
>> why I shouldn't move the actual authentication
>> (authorized_macs.authorize) to the auth { } section, or else how I go
>> about logging rejected requests.
>>     
>
>   I have no idea what that means.
>   
Why is the authorize statement in the post-auth { } section? That seems 
to be the cause of these problems...
>   Alan DeKok.