Accounting in MySQL - Password
P K
getpkme at gmail.com
Tue Jan 14 14:24:04 CET 2014
Thanks Alan. I understand now. I've created my own postauth table and
updated the sql query. My query is like this:
postauth_query = "INSERT INTO newradpostauth \
  (username, usernameouter, usernameinner, \
   reply, authdate, calling_station_id, called_station_id, nasipaddress) \
  VALUES ( \
  '%{User-Name}', \
  '%{outer.request:User-Name}', \
  '%{User-Name}', \
  '%{reply:Packet-Type}', \
  '%S', \
  '%{Calling-Station-Id}', \
  '%{config:name}', \
  '%{NAS-IP-Address}' \
  )"
This works ok with a few niggles.
outer.request:User-Name works when this query is being executed from
inner-tunnel but not in outer obviously. So I want to put an if
condition. I'm fine with the syntax but I'm struggling to determine
what to put a condition on. What variable should I look at to
determine if I'm in inner or outer tunnel? I was thinking
virtual-server ... not sure.
Also I want to record protocol TTLS/PAP or PEAP/MSCHAP that has been
in action. What variable should I use for this?
Is there a variable that would indicate the module that succeeded, e.g.
ldap, mysql etc., so that I could record it? Auth-Type??
Thanks.
On 13 January 2014 13:25, Alan DeKok <aland at deployingradius.com> wrote:
> P K wrote:
>> Thanks Alan & Alan. That change seemed to work. I did some testing
>> today with the accounting on sql. Please could you explain this so
>> that I can understand the logging better?
>
> It also helps to read the configuration, the debug output, and to
> understand what you've done.
>
>> 15 - PEAP/MSCHAP (Invalid credentials)
>> 18/19 - TTLS/PAP (Valid Credentials with privacy on)
>> 20/21 - TTLS/PAP (Valid Credentials with privacy off)
>> 25 - TTLS/PAP (Invalid credentials with privacy on)
>> 27 - TTLS/PAP (Invalid credentials with privacy on and
>> basil at moo.com as anonymous user)
>> 28/29 - TTLS/PAP (Valid credentials with privacy on and basil at moo.com
>> as anonymous user and basil as actual user)
>>
>> Will "accept" always result in two entries?
>
> Yes, because that's what you told it to do. You're using EAP-TTLS,
> which has the "outer" session, and "inner" one. You've configured the
> server to log *both* sessions.
>
>> Is there anything I can do
>> to stop clients from using anonymous or changing anonymous id to
>> anything else like basil at moo.com in the test above?
>
> No, because "anonymous" is the identity they're using in the outer
> session.
>
>> Is there anything
>> I can do to log the actual user that was rejected as in the case of
>> (25)?
>
> Yes, configure "sql" in "Post-Auth-Type Reject" in
> sites-enabled/inner-tunnel. You may have to run 2.2.3 for this.
>
> Again, all of these questions are answered by reading the debug output
> and the configuration *you* created.
>
> Alan DeKok.
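Alan's point that a tunnelled accept yields two rows, together with P K's observation that %{outer.request:User-Name} expands to an empty string outside inner-tunnel, is enough to tell the rows apart afterwards. As an added example (not from this thread, FreeRADIUS, or its sql module), the Python below folds rows from the poster's newradpostauth table into one record per authentication; the sample rows, the example.org domain and the 5-second pairing window are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime
# Columns in the order of the poster's newradpostauth INSERT above.
Row = namedtuple("Row", "username usernameouter usernameinner reply authdate "
                        "calling_station_id called_station_id nasipaddress")
# Constructed sample rows, not real log data. Outer-session rows have an empty
# usernameouter because %{outer.request:User-Name} only expands in inner-tunnel;
# the final reject was logged by the outer session only, so it has no mate.
SAMPLE_ROWS = [
    Row("basil", "basil@example.org", "basil", "Access-Accept",
        "2014-01-14 14:00:01", "00-11-22-33-44-55", "default", "10.0.0.1"),
    Row("basil@example.org", "", "basil@example.org", "Access-Accept",
        "2014-01-14 14:00:01", "00-11-22-33-44-55", "default", "10.0.0.1"),
    Row("alice", "alice", "alice", "Access-Accept",          # TTLS with privacy off
        "2014-01-14 14:02:10", "AA-BB-CC-DD-EE-FF", "default", "10.0.0.1"),
    Row("alice", "", "alice", "Access-Accept",
        "2014-01-14 14:02:10", "AA-BB-CC-DD-EE-FF", "default", "10.0.0.1"),
    Row("anonymous", "", "anonymous", "Access-Reject",
        "2014-01-14 14:05:30", "66-77-88-99-AA-BB", "default", "10.0.0.1"),
]

def is_inner(row):
    """Rows written from inner-tunnel are the ones with a non-empty outer identity."""
    return row.usernameouter != ""

def consolidate(rows, window_seconds=5):
    """Fold the two rows of one tunnelled authentication into a single record.
    An inner row is paired with the outer row that has the same Calling-Station-Id,
    a User-Name equal to the inner row's usernameouter, and a close authdate."""
    ts = lambda r: datetime.strptime(r.authdate, "%Y-%m-%d %H:%M:%S")
    outer = [r for r in rows if not is_inner(r)]
    matched, records = set(), []
    for i in (r for r in rows if is_inner(r)):
        for n, o in enumerate(outer):
            if (n not in matched and o.calling_station_id == i.calling_station_id
                    and o.username == i.usernameouter
                    and abs((ts(o) - ts(i)).total_seconds()) <= window_seconds):
                matched.add(n)
                break
        records.append({"outer_identity": i.usernameouter, "inner_user": i.usernameinner,
                        "reply": i.reply, "calling_station_id": i.calling_station_id,
                        # same identity inside and out: the real user went in the clear
                        "privacy_off": i.usernameouter == i.usernameinner})
    for n, o in enumerate(outer):
        if n not in matched:  # outer-only row, so the inner user was never logged
            records.append({"outer_identity": o.username, "inner_user": None,
                            "reply": o.reply, "calling_station_id": o.calling_station_id,
                            "privacy_off": False})
    return records
```

An outer-only reject record (inner_user None) is exactly the gap Alan's advice to add "sql" to Post-Auth-Type Reject in inner-tunnel closes.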