Reporting from logs

Matthew Newton mcn4 at leicester.ac.uk
Tue Sep 25 18:25:07 CEST 2012


On Tue, Sep 25, 2012 at 04:28:56PM +0100, Phil Mayers wrote:
> On 25/09/12 15:34, Matthew Newton wrote:
> >linelog can include '\n' in the output so can simulate the detail
> >module for given attributes. The relayed auth packets are sent on
> >the wire as acct packets...
> 
> You, sir, win a prize! That's simultaneously clever and vile. I'm
> disappointed I didn't think of it!

Why, thank you. A colleague just read that post and said that he
hoped that he would never have to work with someone who would come
up with something like that. :)


> We started with rlm_sql_log back in the 1.1.x days. We needed to
> replicate post-auth as well as accounting packets, because some of
> our NASes [some switches doing mac-auth] don't generate accounting -
> just re-auth every half hour. We simulate an accounting
> update-or-insert on the central SQL server using a trigger for these
> devices.

Which, of course, is the same as eduroam. We don't see acct from
all sites by any means (some even send acct packets without an
Acct-Status-Type attribute...)


> I almost wonder if an "rlm_inject" might not be generally useful; in
> particular, we could generate our simulated accounting internally to
> the radius servers, rather than via an SQL procedure:
...
> Doesn't look hard; maybe I'll take a look at it.

Agreed, that looks quite straightforward. I like it. Should make
for a much tidier config than using linelog.

I think it would also benefit from a copy_all_attrs option - it's
one thing I miss from linelog (whereas detail logs everything,
it's hard for linelog to do the same). But also with attrs={} to
add or remove others.

I've been looking at the code recently to also see if the
Post-Auth REJECT in inner-tunnel can be fixed. I can see an easy
and fairly obvious way of doing it, but the right way seems to involve
the core event system, where I don't really want to go. That would
fix up the one thing that is missing from our logs (outer reject
doesn't log inner username, so it's hard to find these). I could
then stop relaying outer auths to the central log entirely, as
they're generally uninteresting.

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
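An added example, not part of this thread or of FreeRADIUS itself: a small Python parser for the detail-file layout that the post says a linelog format string with embedded "\n" can imitate, plus a check for the accounting records that arrive without an Acct-Status-Type, as mentioned above. The sample records and their values are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout the detail module writes: a date line,
# tab-indented "Attribute = value" lines, then a blank line per record.
# The second record deliberately lacks Acct-Status-Type.
SAMPLE_DETAIL = """\
Tue Sep 25 18:25:07 2012
\tAcct-Status-Type = Start
\tUser-Name = "alice@example.ac.uk"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "0000A1B2"

Tue Sep 25 18:26:11 2012
\tUser-Name = "bob@example.ac.uk"
\tNAS-IP-Address = 192.0.2.11
\tAcct-Session-Id = "0000C3D4"

Tue Sep 25 18:55:07 2012
\tAcct-Status-Type = Stop
\tUser-Name = "alice@example.ac.uk"
\tNAS-IP-Address = 192.0.2.10
\tAcct-Session-Id = "0000A1B2"
"""

# One attribute line: leading tab, name, " = ", then a quoted or bare value.
ATTR_RE = re.compile(r'^\t([\w-]+) = (?:"(.*)"|(.*))$')

def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split detail-format text into records. Each record is a dict of
    attribute -> value, with the header line stored under '_timestamp'."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():                 # blank line closes a record
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            # Quoted values keep their inner text; bare values are used as-is.
            current[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        elif not line.startswith("\t"):      # header line starts a new record
            if current:                      # tolerate a missing blank separator
                records.append(current)
            current = {"_timestamp": line}
    if current:
        records.append(current)
    return records

def missing_status_type(records: List[Dict[str, str]]) -> List[Tuple[Optional[str], ...]]:
    """Return (timestamp, User-Name, NAS-IP-Address) for records that carry
    no Acct-Status-Type, so the sending NAS can be identified and chased."""
    return [(r.get("_timestamp"), r.get("User-Name"), r.get("NAS-IP-Address"))
            for r in records if "Acct-Status-Type" not in r]
```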


More information about the Freeradius-Users mailing list