Question on logging EAP/PEAP authentication rejections

Alan DeKok aland at deployingradius.com
Wed Mar 21 02:47:05 CET 2012


Josh Hiner wrote:
> ...to remind you what Alan said:
> 
>>      Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
>>
>>      This is documented.
>  
> in post-auth section
> 
> 
>        Post-Auth-Type REJECT {
>                attr_filter.access_reject
>        }

  *This* is the cause of contention on the list.  You've ignored the
comment just above that... which documents how the Post-Auth-Type Reject
section works.

> What advice didn't I follow? That's all the advice I was given.

  The advice assumes that you have an open mind.

> Put stuff
> in there (Post-Auth-Type REJECT) which I did do. First I tried reply_log
> (which didn't log username)

  It logs the replies.  It will log User-Name if it's in the reply.

> so after much trial I modified linelog. I
> couldn't find documentation even with searching online about what to put
> in there. I pretty much guessed in the end.

  It's a section, just like any other section.  This is documented in
"man unlang".  You put modules or "unlang" rules there.  This is
documented in "man unlang".

> If there is documentation on
> Post-Auth-Type REJECT { that is more than a paragraph please point me to
> it I'd be very interested in it. I can't follow advice that's not given to
> me or to read documentation that seems to be impossible to find? I'm just
> confused on the replies I received. Oh well.

  The documentation assumes some amount of independent thought.

  It doesn't describe all possible configurations.  It can't.  Instead,
it describes how the system works.  It describes how *you* can use
the tools at your disposal to solve any problem.

  *This* is the cause of most of the contention on this list.  Some
people want to be spoon-fed every possible piece of information.  They
get testy when that doesn't happen.

  I get frustrated when people don't bother reading the documentation I
wrote.  I give direct opinions when they express how bad the
documentation is... that they haven't read.

  Alan DeKok.
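
An added example, not part of the original message and not configuration shipped with FreeRADIUS: one way to use the Post-Auth-Type REJECT section discussed above as "a section, just like any other", by listing a linelog instance after the filter so every rejection is written with the User-Name from the request. The instance name reject_log, the file names and the format string are assumptions.

```conf
# raddb/modules/reject_log  (hypothetical file name and instance name)
# A named instance of the stock linelog module.
linelog reject_log {
	filename = ${logdir}/auth-rejects.log

	# Attributes with no list prefix expand from the request, not the
	# reply, so User-Name is available here even when the Access-Reject
	# itself does not carry it. The ":-unknown" fallback covers requests
	# that arrived without a User-Name.
	format = "%S reject user=%{%{User-Name}:-unknown} nas=%{NAS-IP-Address} cli=%{Calling-Station-Id}"
}

# raddb/sites-available/default
post-auth {
	# ... existing post-auth modules stay as they are ...

	Post-Auth-Type REJECT {
		# Shipped default: filter the attributes sent in the reject.
		attr_filter.access_reject

		# Added: one log line per rejected request.
		reject_log
	}
}
```

With PEAP the outer User-Name may be an anonymous identity; the inner identity is only present in requests handled by the inner-tunnel virtual server, so the instance has to be listed there to log it.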

