Accounting in MySQL - Password

P K getpkme at gmail.com
Tue Jan 14 16:26:34 CET 2014


Not to worry Alan. Found all the variables in
/usr/share/freeradius/dictionary.freeradius.internal.

%{control:Auth-Type}   - returns whatever the auth type was set to in
the end, i.e. ldap in the inner tunnel. In the outer, it is set to EAP.

%{EAP-Type}   - returns EAP-TTLS for example

%{Virtual-Server}  - returns inner-tunnel inside

On 14 January 2014 13:24, P K <getpkme at gmail.com> wrote:
> Thanks Alan. I understand now.  I've created my own postauth table and
> updated the sql query. My query is like this:
>
>
>         postauth_query = "INSERT INTO newradpostauth \
>                           (username, usernameouter, usernameinner, reply, \
>                            authdate, calling_station_id, called_station_id, \
>                            nasipaddress) \
>                           VALUES ( \
>                           '%{User-Name}', \
>                           '%{outer.request:User-Name}', \
>                           '%{User-Name}', \
>                           '%{reply:Packet-Type}', \
>                           '%S', \
>                           '%{Calling-Station-Id}', \
>                           '%{config:name}', \
>                           '%{NAS-IP-Address}' \
>                           )"
>
>
> This works ok with a few niggles.
>
> outer.request:User-Name works when this query is being executed from
> inner-tunnel but not in outer obviously. So I want to put an if
> condition. I'm fine with the syntax but i'm struggling to determine
> what to put a condition on. What variable should I look at to
> determine if I'm in inner or outer tunnel?  I was thinking
> virtual-server .. not sure.
>
> Also I want to record protocol TTLS/PAP or PEAP/MSCHAP that has been
> in action. What variable should I use for this?
>
> Is there a variable that would indicate the module that succeeded e.g
> ldap, mysql etc. so that I could record it? Auth-Type??
>
> Thanks.
>
>
> On 13 January 2014 13:25, Alan DeKok <aland at deployingradius.com> wrote:
>> P K wrote:
>>> Thanks Alan & Alan. That change seemed to work. I did some testing
>>> today with the accounting on sql. Please could you explain this so
>>> that I can understand the logging better?
>>
>>   It also helps to read the configuration, the debug output, and to
>> understand what you've done.
>>
>>> 15     - PEAP/MSCHAP  (Invalid credentials)
>>> 18/19 - TTLS/PAP  (Valid Credentials with privacy on)
>>> 20/21 - TTLS/PAP  (Valid Credentials with privacy off)
>>> 25     -  TTLS/PAP  (Invalid credentials with privacy on)
>>> 27     -  TTLS/PAP  (Invalid credentials with privacy on and
>>> basil at moo.com as anonymous user)
>>> 28/29 -  TTLS/PAP (Valid credentials with privacy on and basil at moo.com
>>> as anonymous user and basil as actual user)
>>>
>>> Will "accept" always result in two entries?
>>
>>   Yes, because that's what you told it to do.  You're using EAP-TTLS,
>> which has the "outer" session, and "inner" one.  You've configured the
>> server to log *both* sessions.
>>
>>> Is there anything I can do
>>> to stop clients from using anonymous or changing anonymous id to
>>> anything else like basil at moo.com in the test above?
>>
>>   No, because "anonymous" is the identity they're using in the outer
>> session.
>>
>>> Is there anything
>>> I can do to log the actual user that was rejected as in the case of
>>> (25)?
>>
>>   Yes, configure "sql" in "Post-Auth-Type Reject" in
>> sites-enabled/inner-tunnel.  You may have to run 2.2.3 for this.
>>
>>   Again, all of these questions are answered by reading the debug output
>> and the configuration *you* created.
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
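The following is an added configuration example, not something posted in this thread and not FreeRADIUS's shipped configuration. It pulls the three answers above together for a 2.2.x server: the `%{Virtual-Server}`, `%{EAP-Type}` and `%{control:Auth-Type}` expansions are recorded as extra columns, the outer identity is taken with a `%{%{A}:-B}` default expansion so the same query works in both virtual servers without an unlang `if`, and `sql` is added to `Post-Auth-Type REJECT` in inner-tunnel so a rejected inner user (case 25) is logged. The table name and the first eight columns come from the query quoted above; the extra columns `virtual_server`, `eap_type` and `auth_type`, the use of `%{Called-Station-Id}` in place of `%{config:name}`, the file names, and the EAP-Type value names are assumptions about a stock 2.2.x install and should be checked against the local dictionary and debug output.

```unlang
# Added example for FreeRADIUS 2.2.x (not from the thread, not stock config).

# --- sql/mysql/dialup.conf (the sql module's query file) -------------------
# Assumed table: newradpostauth with the three extra columns below.
# %{%{outer.request:User-Name}:-%{User-Name}} expands to the outer
# (anonymous) identity inside inner-tunnel, and to the request's own
# User-Name in the outer server, where outer.request is empty.
postauth_query = "INSERT INTO newradpostauth \
                  (username, usernameouter, usernameinner, reply, authdate, \
                   calling_station_id, called_station_id, nasipaddress, \
                   virtual_server, eap_type, auth_type) \
                  VALUES ( \
                  '%{User-Name}', \
                  '%{%{outer.request:User-Name}:-%{User-Name}}', \
                  '%{User-Name}', \
                  '%{reply:Packet-Type}', \
                  '%S', \
                  '%{Calling-Station-Id}', \
                  '%{Called-Station-Id}', \
                  '%{NAS-IP-Address}', \
                  '%{Virtual-Server}', \
                  '%{EAP-Type}', \
                  '%{control:Auth-Type}' \
                  )"

# --- sites-enabled/default (outer session) ----------------------------------
post-auth {
    # Optional: skip the outer row for tunnelled EAP, since inner-tunnel
    # logs the real user; EAP-TLS and non-EAP requests still get a row.
    # Assumes EAP-Type is visible here (as reported above) and that the
    # dictionary value names are EAP-TTLS and PEAP.
    if (EAP-Type == EAP-TTLS || EAP-Type == PEAP) {
        noop
    }
    else {
        sql
    }

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

# --- sites-enabled/inner-tunnel (inner session) -----------------------------
post-auth {
    # %{Virtual-Server} is "inner-tunnel" here, so the row carries the
    # real identity plus the anonymous outer one via the fallback above.
    sql

    # Log rejected inner users too; per the reply above this needs 2.2.3.
    Post-Auth-Type REJECT {
        sql
        attr_filter.access_reject
    }
}
```

With this in place a TTLS/PAP failure produces one row from inner-tunnel with `reply = Access-Reject`, `virtual_server = inner-tunnel`, `eap_type = EAP-TTLS` and `auth_type` naming the module that ran (ldap, PAP, and so on), and the `usernameouter` column is populated from whichever virtual server wrote the row. Keep the outer `if` only if the duplicate outer row is unwanted; removing it restores the two-rows-per-accept behaviour described in the thread.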

