Question on logging EAP/PEAP authentication rejections

Josh Hiner josh at remc1.org
Tue Mar 20 17:18:41 CET 2012


Well I eventually found and switched to using linelog to log access rejects
since I can define my own variables that are logged. Oddly enough
freeradius was showing a packet-type of Access-Request for eap
authentication failures. Since I was calling linelog only from the
post_auth_reject spot I just changed the Access-Request= definition to:
Access-Request = "Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"
and the filename= line to be: ${logdir}/authrejectlog-%Y%m%d.log
(yep I could make a subsection to linelog with those changes but chose not
to).

So I am now logging username rejects as well as the SSID they are trying to
connect to. I'm not sure why people kept telling me to read the spot above
the Post-Auth-Type Reject section. Here is a paste of the text above that
section.

#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  Add the ldap module name (or instance) if you have set
#  'edir_account_policy_check = yes' in the ldap module configuration
#

This section was of no help as to why usernames were not getting logged in
the detail logs for rejections. From my emails I believe I conveyed that I
was reading documentation and doing the best I could on my own without being
a mooch. The only reason I can think of for such short and erroneous replies
is that some people helping on the list are generally annoyed by any
questions. That is too bad. A quick reply of "use linelog" would have been
helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner <josh at remc1.org> wrote:

> Alan. Thanks for the reply. In one of my previous emails I did put
> reply_log in the post auth reject spot. I'm also copying the user from
> the inner tunnel to the outer tunnel. I am getting reject logs but
> without the username. I swear I have read the section above the post
> auth reject spot in my default file under sites enabled and I do have
> stuff in that section as it clues me to. I must be missing something
> though obviously.
>
> Thanks -josh
>
> Sent from my iPhone
>
> On Mar 19, 2012, at 6:32 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>
> > Hi,
> >
> >>   Ok I went back, looked at the config, and used some common sense to
> figure
> >>   part of it out. I have it now logging replies for rejects using the
> >
> >
> > ...to remind you what Alan said:
> >
> >>     Read raddb/sites-available/default.  Look for Post-Auth-Type
> Reject.
> >>
> >>     This is documented.
> >
> >
> > in post-auth section
> >
> >
> >    Post-Auth-Type REJECT {
> >        attr_filter.access_reject
> >    }
> >
> > put things in that bit
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
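An added example, not part of the original thread: the pieces of FreeRADIUS 2.x configuration that Josh's approach needs, written as a separate linelog instance instead of editing the stock one. The instance name `reject_log`, the extra attributes on the log line, and turning on `copy_request_to_tunnel` so that the SSID carried in NAS-Port-Id is visible inside the PEAP tunnel are assumptions of this example; the `messages` lookup keyed on `%{Packet-Type}` and the `Post-Auth-Type REJECT` sub-section are the stock 2.x layout.

```unlang
#  raddb/modules/reject_log   (added example, not from the thread)
#
#  A dedicated linelog instance for Access-Reject logging, so the stock
#  "linelog" instance and its default messages stay untouched.
linelog reject_log {
        filename = ${logdir}/authrejectlog-%Y%m%d.log
        permissions = 0600
        format = ""

        #  %{Packet-Type} expands to the type of the packet being
        #  processed, i.e. the request.  That is why a reject handled in
        #  post-auth is still keyed as Access-Request here, exactly as
        #  Josh observed.
        reference = "messages.%{%{Packet-Type}:-default}"

        messages {
                default = "%t Unknown packet type %{Packet-Type}"
                Access-Request = "%t Rejected access: %{User-Name} SSID: %{NAS-Port-Id} NAS: %{NAS-IP-Address} MAC: %{Calling-Station-Id}"
        }
}

#  raddb/sites-available/default, inside the post-auth section.
#  When authentication fails only the Post-Auth-Type REJECT sub-section
#  runs; the ordinary post-auth entries are skipped, so a module listed
#  only there never sees a reject.
post-auth {
        #  existing entries unchanged

        Post-Auth-Type REJECT {
                attr_filter.access_reject
                reject_log
        }
}

#  raddb/sites-available/inner-tunnel, inside its post-auth section.
#  For PEAP/TTLS the outer request carries only the outer identity
#  (often anonymous); the real User-Name is certain to be present only
#  in the inner-tunnel virtual server.  Logging there as well captures
#  it without having to copy it out to the outer request.
post-auth {
        #  existing entries unchanged

        Post-Auth-Type REJECT {
                attr_filter.access_reject
                reject_log
        }
}

#  raddb/eap.conf.  NAS-Port-Id, NAS-IP-Address and Calling-Station-Id
#  belong to the outer request; the inner request sees them only when
#  they are copied into the tunnel (assumed here; the default is "no").
peap {
        #  existing entries unchanged

        copy_request_to_tunnel = yes
        virtual_server = "inner-tunnel"
}
```

Run the server with `radiusd -X` after the change, trigger a PEAP authentication with a deliberately wrong password, and check that one line per reject appears in the dated file from each virtual server that called `reject_log`. The line written from the outer server will show the outer identity, the one from `inner-tunnel` the real username; if the SSID field is empty on the inner line, the attributes are not being copied into the tunnel.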