Mac Auth and post-auth logging to SQL
Jason Antman
jantman at oit.rutgers.edu
Tue Mar 29 15:21:20 CEST 2011
Ok. I was just assuming that the FreeRadius Wiki was an authoritative
source, and if it's written there, there must be something I just wasn't
understanding that required it to be that way. When I get something
working correctly, shall I register for an account and update your wiki
page accordingly (once MySQL is working again)?
-Jason
Alan DeKok wrote:
> Jason Antman wrote:
>
>> And in post-auth{}:
>> ### snip ###
>> if(control:Auth-Type == 'CSID'){
>> # Authorization happens here
>> authorized_macs.authorize
>> if(!ok){
>> reject
>>
>
> Uh... why? If the user is authenticated, you shouldn't be rejecting him.
>
>
>> If I put a "sql" line before this, it always logs with Access-Accept,
>> since that's what authenticate{} ALWAYS returns, and the sql module is
>> being called before . If I put a "sql" line after this, it never gets
>> executed for "reject" statements...
>>
>
> Because you're doing it wrong. The whole point of accepting the user
> is that you *don't* reject them.
>
> Change your rules to reject the user *before* they're accepted. The
> logging will then behave as you expect. It doesn't behave as you expect
> now, because you're rejecting them after you've accepted them. That
> makes no sense.
>
>
>> Why is the authorize statement in the post-auth { } section? That seems
>> to be the cause of these problems...
>>
>
> So move it.
>
> Alan DeKok.
>
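The reordering suggested in the quoted reply, as an added sketch that is not part of the original thread or the wiki page: the MAC check runs in authorize{}, so a failed lookup rejects the request before it is ever accepted, and the sql module logs both outcomes in post-auth{}. It assumes a FreeRADIUS 2.x virtual server in which `authorized_macs` and `sql` are already configured as in the thread and `control:Auth-Type` has been set to `CSID` earlier in authorize{}.

```unlang
authorize {
    # ... existing modules, including whatever sets control:Auth-Type (assumed) ...

    if (control:Auth-Type == 'CSID') {
        # Look up the MAC here rather than in post-auth{}.
        # In authorize{} the plain module name calls its authorize method.
        authorized_macs
        if (!ok) {
            # Rejecting at this stage means the request is never accepted,
            # so processing continues in Post-Auth-Type REJECT below.
            reject
        }
    }
}

post-auth {
    # Reached only for requests that were accepted: logged as Access-Accept.
    sql

    Post-Auth-Type REJECT {
        # Reached for rejected requests: logged as Access-Reject.
        sql
    }
}
```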