EAP post auth reject and access-challenge

Phil Mayers p.mayers at imperial.ac.uk
Mon Jun 10 19:33:30 CEST 2013

On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:

> I'm also doing some stuff in the authorization section which can reject
> a user based on some LDAP information. I thought I could perhaps just
> update the default tunnel post-auth reject section to not do a linelog
> if Auth-Type has been set to EAP, but it doesn't work when clients are
> rejected in this LDAP section; the EAP Auth-Type is set but it never
> authenticates, as the reject is triggered first, and so a linelog would
> never be recorded in the inner tunnel post-auth reject section. I hope
> that's not too confusing; it's hard to explain.

Sorry, I didn't understand that last part.

There are a bunch of different ways of solving "logging twice", if 
that's the problem you're trying to solve.

The easiest is to just not care - we have a similar logging system and 
log both the inner and outer rejects. Our log "inspection" script shows 
both, and we just look at the relevant one. Note that EAP sessions can 
fail in ways that never trigger the inner tunnel, but do set 
Module-Failure-Message, so you can't just "not log outer" and hope to 
catch all relevant debugging. You can also have inner accepts with outer 
rejects (e.g. if the client fails mutual auth) so again, logging just 
one will miss info.

Without knowing what you're trying to accomplish and what your criteria 
are, I couldn't comment further - logging is a very individual thing 
that people have different ideas about. But my advice would be to solve 
this by post-processing the data, not by having extensive logic in your 
FR config.
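
As an added illustration of the "post-process the data" approach Phil recommends (this is example code written for this page, not code from the thread or from FreeRADIUS): a small Python script that reads inner and outer linelog lines, groups them into EAP conversations by Calling-Station-Id, and reports which of the cases above each one is: inner reject, outer-only failure that never reached the inner tunnel (Module-Failure-Message set), or inner accept followed by an outer reject. The line format (pipe-separated time, tunnel, User-Name, Calling-Station-Id, result, Module-Failure-Message) and the sample lines are constructed for the example; a real linelog emits whatever the module's `format` string says, so `FIELDS` and `parse_line` would be adjusted to match.

```python
"""Post-process inner/outer tunnel reject logs from FreeRADIUS linelog output.

Added example, not code from the thread or from FreeRADIUS. The log layout is
an assumption: "time|tunnel|User-Name|Calling-Station-Id|result|Module-Failure-Message".
"""
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("time", "tunnel", "user", "mac", "result", "message")
# Events for the same Calling-Station-Id closer together than this are
# treated as one EAP conversation (assumption; fast retries will merge).
WINDOW = timedelta(seconds=30)

# Constructed sample lines covering the cases Phil describes: an inner
# reject, an outer-only TLS failure, an inner accept with an outer reject,
# and a normal accept.
SAMPLE_LOG = """\
2013-06-10 17:01:02|inner|alice|00:11:22:33:44:55|Reject|rejected by LDAP group check
2013-06-10 17:01:02|outer|anonymous@example.org|00:11:22:33:44:55|Reject|
2013-06-10 17:02:10|outer|bob@example.org|00:11:22:33:44:66|Reject|TLS handshake failed before inner tunnel
2013-06-10 17:03:30|inner|carol|00:11:22:33:44:77|Accept|
2013-06-10 17:03:31|outer|anonymous@example.org|00:11:22:33:44:77|Reject|client did not complete mutual authentication
2013-06-10 17:05:00|inner|dave|00:11:22:33:44:88|Accept|
2013-06-10 17:05:00|outer|anonymous@example.org|00:11:22:33:44:88|Accept|
"""


def parse_line(line):
    """Split one pipe-separated linelog line into a dict; the last field may be empty."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed linelog line: %r" % line)
    ev = dict(zip(FIELDS, parts))
    ev["time"] = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    return ev


def group_sessions(events, window=WINDOW):
    """Group events by Calling-Station-Id; a gap larger than `window` starts a new session."""
    by_mac = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_mac[ev["mac"]].append(ev)
    sessions = []
    for evs in by_mac.values():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["time"] - current[-1]["time"] > window:
                sessions.append(current)
                current = [ev]
            else:
                current.append(ev)
        sessions.append(current)
    sessions.sort(key=lambda s: s[0]["time"])
    return sessions


def classify(session):
    """Return (verdict, detail) for one grouped EAP conversation."""
    inner = [e for e in session if e["tunnel"] == "inner"]
    outer = [e for e in session if e["tunnel"] == "outer"]
    inner_reject = [e for e in inner if e["result"] == "Reject"]
    outer_reject = [e for e in outer if e["result"] == "Reject"]
    if inner_reject:
        # The inner tunnel ran and rejected: the inner message is the useful one.
        return "inner-reject", inner_reject[0]["message"]
    if outer_reject and not inner:
        # Failed before the inner tunnel was ever entered (e.g. TLS): only the
        # outer log carries the Module-Failure-Message.
        return "outer-only-failure", outer_reject[0]["message"]
    if outer_reject and inner:
        # Inner accepted but the outer session still failed, e.g. mutual auth.
        return "inner-accept-outer-reject", outer_reject[0]["message"]
    return "accept", ""


def summarize(text, window=WINDOW):
    """Parse a linelog dump and return one (mac, identity, verdict, detail) per session."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    out = []
    for session in group_sessions(events, window):
        verdict, detail = classify(session)
        inner_users = [e["user"] for e in session if e["tunnel"] == "inner"]
        # Prefer the real inner identity over the outer anonymous identity.
        identity = inner_users[0] if inner_users else session[0]["user"]
        out.append((session[0]["mac"], identity, verdict, detail))
    return out


if __name__ == "__main__":
    for mac, identity, verdict, detail in summarize(SAMPLE_LOG):
        print("%s %-20s %-26s %s" % (mac, identity, verdict, detail))
```

The grouping key is deliberately crude: Calling-Station-Id plus a time window. If your linelog format includes something that identifies the EAP conversation directly (the State attribute, or whatever your NAS sends that survives both phases), key on that instead and drop the window logic; the point is that both inner and outer lines are kept and the correlation happens after the fact, not in the server config.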