Accounting in MySQL - Password
P K
getpkme at gmail.com
Tue Jan 14 16:26:34 CET 2014
Not to worry Alan. Found all the variables in
/usr/share/freeradius/dictionary.freeradius.internal.
%{control:Auth-Type} - returns whatever the auth type was set to in
the end. i.e. ldap in inner tunnel. In outer, sets to EAP.
%{EAP-Type} - returns EAP-TTLS for example
%{Virtual-Server} - returns inner-tunnel inside
On 14 January 2014 13:24, P K <getpkme at gmail.com> wrote:
> Thanks Alan. I understand now. I've created my own postauth table and
> updated the sql query. My query is like this:
>
>
> postauth_query = "INSERT INTO newradpostauth \
>   (username, usernameouter, usernameinner, \
>   reply, authdate, calling_station_id, called_station_id, nasipaddress) \
>   VALUES ( \
>   '%{User-Name}', \
>   '%{outer.request:User-Name}', \
>   '%{User-Name}', \
>   '%{reply:Packet-Type}', \
>   '%S', \
>   '%{Calling-Station-Id}', \
>   '%{config:name}', \
>   '%{NAS-IP-Address}' \
>   )"
>
>
> This works ok with a few niggles.
>
> outer.request:User-Name works when this query is being executed from
> inner-tunnel but not in outer obviously. So I want to put an if
> condition. I'm fine with the syntax but I'm struggling to determine
> what to put a condition on. What variable should I look at to
> determine if I'm in inner or outer tunnel? I was thinking
> virtual-server .. not sure.
>
> Also I want to record protocol TTLS/PAP or PEAP/MSCHAP that has been
> in action. What variable should I use for this?
>
> Is there a variable that would indicate the module that succeeded e.g.
> ldap, mysql etc. so that I could record it? Auth-Type??
>
> Thanks.
>
>
> On 13 January 2014 13:25, Alan DeKok <aland at deployingradius.com> wrote:
>> P K wrote:
>>> Thanks Alan & Alan. That change seemed to work. I did some testing
>>> today with the accounting on sql. Please could you explain this so
>>> that I can understand the logging better?
>>
>> It also helps to read the configuration, the debug output, and to
>> understand what you've done.
>>
>>> 15 - PEAP/MSCHAP (Invalid credentials)
>>> 18/19 - TTLS/PAP (Valid Credentials with privacy on)
>>> 20/21 - TTLS/PAP (Valid Credentials with privacy off)
>>> 25 - TTLS/PAP (Invalid credentials with privacy on)
>>> 27 - TTLS/PAP (Invalid credentials with privacy on and
>>> basil at moo.com as anonymous user)
>>> 28/29 - TTLS/PAP (Valid credentials with privacy on and basil at moo.com
>>> as anonymous user and basil as actual user)
>>>
>>> Will "accept" always result in two entries?
>>
>> Yes, because that's what you told it to do. You're using EAP-TTLS,
>> which has the "outer" session, and "inner" one. You've configured the
>> server to log *both* sessions.
>>
>>> Is there anything I can do
>>> to stop clients from using anonymous or changing anonymous id to
>>> anything else like basil at moo.com in the test above?
>>
>> No, because "anonymous" is the identity they're using in the outer
>> session.
>>
>>> Is there anything
>>> I can do to log the actual user that was rejected as in the case of
>>> (25)?
>>
>> Yes, configure "sql" in "Post-Auth-Type Reject" in
>> sites-enabled/inner-tunnel. You may have to run 2.2.3 for this.
>>
>> Again, all of these questions are answered by reading the debug output
>> and the configuration *you* created.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
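
Added example, not part of the thread or of the FreeRADIUS distribution: one way to combine the answers above, logging rejects from the inner tunnel and recording the variables P K found. It assumes the FreeRADIUS 2.x default file layout and three hypothetical extra columns (`virtual_server`, `eap_type`, `auth_type`) in `newradpostauth`; the first eight values are those of the query quoted above, except for the fallback on the outer identity.

```conf
# --- sites-enabled/inner-tunnel (post-auth section) ---
post-auth {
	# Log accepted inner sessions.
	sql

	Post-Auth-Type REJECT {
		# Log rejected inner sessions too, so the row carries the
		# real (inner) User-Name and not only the outer identity.
		sql
	}
}

# --- postauth_query in the sql module's dialup.conf ---
# Assumption: newradpostauth has three extra columns, virtual_server,
# eap_type and auth_type (hypothetical names, not from the thread).
#
# %{%{outer.request:User-Name}:-%{User-Name}} expands to the outer
# identity when run from inner-tunnel and falls back to User-Name when
# there is no outer request, so one query serves both virtual servers
# without an "if".
postauth_query = "INSERT INTO newradpostauth \
  (username, usernameouter, usernameinner, reply, authdate, \
   calling_station_id, called_station_id, nasipaddress, \
   virtual_server, eap_type, auth_type) \
  VALUES ( \
  '%{User-Name}', \
  '%{%{outer.request:User-Name}:-%{User-Name}}', \
  '%{User-Name}', \
  '%{reply:Packet-Type}', \
  '%S', \
  '%{Calling-Station-Id}', \
  '%{config:name}', \
  '%{NAS-IP-Address}', \
  '%{Virtual-Server}', \
  '%{EAP-Type}', \
  '%{control:Auth-Type}' \
  )"
```

Rows whose `virtual_server` is `inner-tunnel` are the inner sessions, so filtering on that column separates the two entries written for each accepted EAP-TTLS or PEAP login.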