Mac Auth and post-auth logging to SQL

Alan DeKok aland at
Sun Mar 27 20:44:56 CEST 2011

Jason Antman wrote:
> And in post-auth{}:
> ### snip ###
> if(control:Auth-Type == 'CSID'){
>     # Authorization happens here
>     authorized_macs.authorize
>     if(!ok){
>         reject

  Uh... why?  If the user is authenticated, you shouldn't be rejecting him.

> If I put a "sql" line before this, it always logs with Access-Accept,
> since that's what authenticate{} ALWAYS returns, and the sql module is
> being called before . If I put a "sql" line after this, it never gets
> executed for "reject" statements...

  Because you're doing it wrong.  The whole point of accepting the user
is that you *don't* reject them.

  Change your rules to reject the user *before* they're accepted.  The
logging will then behave as you expect.  It doesn't behave as you expect
now, because you're rejecting them after you've accepted them.  That
makes no sense.

> Why is the authorize statement in the post-auth { } section? That seems
> to be the cause of these problems...

  So move it.

  Alan DeKok.
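
The reordering suggested above, as an added example that is not part of the original message or of either poster's configuration. It reuses the names quoted in the thread (authorized_macs, sql, Auth-Type 'CSID') and assumes that whatever sets control:Auth-Type to 'CSID' runs earlier in authorize{}; the authenticate{} section is left as it was.

```unlang
authorize {
    # Assumption: control:Auth-Type has already been set to 'CSID'
    # for MAC-auth requests before this point.
    if (control:Auth-Type == 'CSID') {
        # The MAC lookup now runs before the user is accepted.
        authorized_macs
        if (!ok) {
            # Rejecting here ends the request with Access-Reject and
            # sends it to Post-Auth-Type REJECT below.
            reject
        }
    }
}

post-auth {
    # Reached only for accepted requests: logged as Access-Accept.
    sql

    Post-Auth-Type REJECT {
        # Reached for requests rejected in authorize{} or
        # authenticate{}: logged as Access-Reject.
        sql
    }
}
```

With the check in authorize{}, post-auth{} no longer contains any reject, so each request reaches exactly one of the two sql calls.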
