EAP post auth reject and access-challenge
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 10 19:33:30 CEST 2013
On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:
> I'm also doing some stuff in the authorization section which can reject
> a user based on some ldap information. I thought I could perhaps just
> update the default tunnel post-auth reject section to not do a linelog
> if auth-type has been set to EAP but it doesn't work when clients are
> rejected in this ldap section; the EAP auth-type is set but it never
> authenticates as the reject is triggered first, and so a linelog would
> never be recorded in the inner tunnel post auth reject section. I hope
> that's not too confusing, it's hard to explain.
Sorry, I didn't understand that last part.
There are a bunch of different ways of solving the "logging twice" if
that's the problem you're trying to solve.
The easiest is to just not care - we have a similar logging system and
log both the inner and outer rejects. Our log "inspection" script shows
both, and we just look at the relevant one. Note that EAP sessions can
fail in ways that never trigger the inner tunnel, but do set
Module-Failure-Message, so you can't just "not log outer" and hope to
catch all relevant debugging. You can also have inner accepts with outer
rejects (e.g. if the client fails mutual auth) so again, logging just
one will miss info.
Without knowing what you're trying to accomplish and what your criteria
are, I couldn't comment further - logging is a very individual thing
that people have different ideas about. But my advice would be to solve
this by post-processing the data, not by having extensive logic in your
FR config.
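Phil's advice above (log both the outer and the inner-tunnel rejects, then sort out which line matters when you read the logs) is what the following script does. It is an added example written for this page, not code from the thread or from FreeRADIUS. It assumes a constructed linelog format (the thread gives none) in which the outer server and the inner-tunnel virtual server each emit one line per post-auth run, the inner line carries the outer request's Calling-Station-Id (e.g. via `%{outer.request:Calling-Station-Id}`) so the two can be matched, and lines for one EAP conversation fall within a 30-second window. The sample log lines and their messages are constructed, not captured.

```python
"""Correlate outer and inner-tunnel post-auth log lines from FreeRADIUS.

Added example, not code from the poster or from FreeRADIUS. Assumed
(constructed) linelog format, one line per post-auth run in the outer
server and one in inner-tunnel, the inner line carrying the outer
Calling-Station-Id:

  <unix-ts> <outer|inner> <ACCEPT|REJECT> user=<n> mac=<station-id> msg="<Module-Failure-Message or ->"
"""
import re
from collections import defaultdict

WINDOW = 30  # max seconds between lines of one EAP conversation (assumption)

LINE_RE = re.compile(
    r'^(?P<ts>\d+) (?P<side>outer|inner) (?P<result>ACCEPT|REJECT) '
    r'user=(?P<user>\S+) mac=(?P<mac>\S+) msg="(?P<msg>[^"]*)"$'
)

# Constructed sample lines covering the cases named in the thread (not real data):
# outer-only reject (EAP failed before any inner tunnel), inner+outer reject,
# inner accept with outer reject, a clean accept, and a later retry by the
# first client (EAP-TLS, so no inner line) that must not merge with its reject.
SAMPLE_LOG = """\
1370883000 outer REJECT user=anon@example.org mac=00-11-22-33-44-55 msg="eap_tls: TLS Alert read:fatal:unknown CA"
1370883100 inner REJECT user=alice mac=00-11-22-33-44-66 msg="ldap: user not in allowed group"
1370883101 outer REJECT user=anon@example.org mac=00-11-22-33-44-66 msg="-"
1370883200 inner ACCEPT user=bob mac=00-11-22-33-44-77 msg="-"
1370883203 outer REJECT user=anon@example.org mac=00-11-22-33-44-77 msg="eap: client did not finish the EAP conversation"
1370883300 inner ACCEPT user=carol mac=00-11-22-33-44-88 msg="-"
1370883301 outer ACCEPT user=anon@example.org mac=00-11-22-33-44-88 msg="-"
1370884000 outer ACCEPT user=host/pc1.example.org mac=00-11-22-33-44-55 msg="-"
"""


def parse(log_text):
    """Turn log text into event dicts; unparseable lines are an error, not skipped."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        e = m.groupdict()
        e["ts"] = int(e["ts"])
        events.append(e)
    return events


def group_sessions(events):
    """Group events by Calling-Station-Id; a gap over WINDOW starts a new session."""
    by_mac = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_mac[e["mac"]].append(e)
    sessions = []
    for evs in by_mac.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - current[-1]["ts"] > WINDOW:
                sessions.append(current)
                current = [e]
            else:
                current.append(e)
        sessions.append(current)
    return sessions


def classify(session):
    """Decide which line explains the outcome of one EAP conversation."""
    outer = [e for e in session if e["side"] == "outer"]
    inner = [e for e in session if e["side"] == "inner"]
    o = outer[-1]["result"] if outer else None
    i = inner[-1]["result"] if inner else None
    if o == "ACCEPT":
        verdict, relevant = "accepted", outer[-1]
    elif o == "REJECT" and not inner:
        # EAP failed before the inner tunnel ran; only the outer line has the failure message
        verdict, relevant = "rejected-before-inner", outer[-1]
    elif o == "REJECT" and i == "REJECT":
        # logged twice: the inner reject is the cause, the outer reject the consequence
        verdict, relevant = "rejected-in-inner", inner[-1]
    elif o == "REJECT" and i == "ACCEPT":
        # inner credentials were fine; the client side gave up (e.g. mutual auth)
        verdict, relevant = "inner-accept-outer-reject", outer[-1]
    elif o is None:
        verdict, relevant = "inner-only", inner[-1]
    else:
        verdict, relevant = "unclassified", session[-1]
    return {
        "mac": session[0]["mac"],
        "inner_user": inner[-1]["user"] if inner else None,
        "outer_user": outer[-1]["user"] if outer else None,
        "verdict": verdict,
        "reason": "" if relevant["msg"] == "-" else relevant["msg"],
    }


def summarize(log_text):
    return [classify(s) for s in group_sessions(parse(log_text))]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f'{r["mac"]} {r["verdict"]:<26} inner={r["inner_user"]} outer={r["outer_user"]} {r["reason"]}')
```

Feed it the concatenated outer and inner linelog output and it prints one row per conversation with the line worth reading: for the double-logged LDAP reject that is the inner line, for the TLS failure it is the outer line, and the inner-accept/outer-reject case is kept as its own verdict rather than being mistaken for a credential problem.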