Mac Auth and post-auth logging to SQL

Jason Antman jantman at oit.rutgers.edu
Tue Mar 29 15:21:20 CEST 2011


Ok. I was just assuming that the FreeRadius Wiki was an authoritative 
source, and if it's written there, there must be something I just wasn't 
understanding that required it to be that way. When I get something 
working correctly, shall I register for an account and update your wiki 
page accordingly (once MySQL is working again)?

-Jason

Alan DeKok wrote:
> Jason Antman wrote:
>   
>> And in post-auth{}:
>> ### snip ###
>> if(control:Auth-Type == 'CSID'){
>>     # Authorization happens here
>>     authorized_macs.authorize
>>     if(!ok){
>>         reject
>>     
>
>   Uh... why?  If the user is authenticated, you shouldn't be rejecting him.
>
>   
>> If I put a "sql" line before this, it always logs with Access-Accept,
>> since that's what authenticate{} ALWAYS returns, and the sql module is
>> being called before . If I put a "sql" line after this, it never gets
>> executed for "reject" statements...
>>     
>
>   Because you're doing it wrong.  The whole point of accepting the user
> is that you *don't* reject them.
>
>   Change your rules to reject the user *before* they're accepted.  The
> logging will then behave as you expect.  It doesn't behave as you expect
> now, because you're rejecting them after you've accepted them.  That
> makes no sense.
>
>   
>> Why is the authorize statement in the post-auth { } section? That seems
>> to be the cause of these problems...
>>     
>
>   So move it.
>
>   Alan DeKok.
>   
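
The reordering Alan describes, as an added sketch for a FreeRADIUS 2.x virtual server (not configuration from this thread or from the wiki): the MAC lookup moves into authorize{} so the reject happens before anything is accepted, and sql is listed once for each outcome. It assumes authorized_macs is a "files" module instance that returns ok on a match, and that the existing authenticate{} handling for Auth-Type CSID stays as it is.

```unlang
# Added example, not from the thread. Assumes FreeRADIUS 2.x unlang.

authorize {
    preprocess

    # MAC lookup runs here, before the request can be accepted.
    # authorized_macs is the module instance named in the thread
    # (assumed: a "files" instance keyed on Calling-Station-Id).
    authorized_macs
    if (!ok) {
        # Unknown MAC: processing stops with a reject, and the
        # server runs Post-Auth-Type REJECT instead of post-auth.
        reject
    }

    # Known MAC: hand over to the Auth-Type used in the thread.
    update control {
        Auth-Type := 'CSID'
    }
}

post-auth {
    # Only accepted requests reach this point, so this call
    # logs them as Access-Accept.
    sql

    Post-Auth-Type REJECT {
        # Requests rejected in authorize{} or authenticate{} land
        # here, so this call logs them as Access-Reject.
        sql
    }
}
```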
