Mac Auth and post-auth logging to SQL

Jason Antman jantman at
Tue Mar 29 15:21:20 CEST 2011

Ok. I was just assuming that the FreeRadius Wiki was an authoritative 
source, and if it's written there, there must be something I just wasn't 
understanding that required it to be that way. When I get something 
working correctly, shall I register for an account and update your wiki 
page accordingly (once MySQL is working again)?


Alan DeKok wrote:
> Jason Antman wrote:
>> And in post-auth{}:
>> ### snip ###
>> if(control:Auth-Type == 'CSID'){
>>     # Authorization happens here
>>     authorized_macs.authorize
>>     if(!ok){
>>         reject
>   Uh... why?  If the user is authenticated, you shouldn't be rejecting him.
>> If I put a "sql" line before this, it always logs with Access-Accept,
>> since that's what authenticate{} ALWAYS returns, and the sql module is
>> being called before . If I put a "sql" line after this, it never gets
>> executed for "reject" statements...
>   Because you're doing it wrong.  The whole point of accepting the user
> is that you *don't* reject them.
>   Change your rules to reject the user *before* they're accepted.  The
> logging will then behave as you expect.  It doesn't behave as you expect
> now, because you're rejecting them after you've accepted them.  That
> makes no sense.
>> Why is the authorize statement in the post-auth { } section? That seems
>> to be the cause of these problems...
>   So move it.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list