Do-Over: Post-Auth-Type Accept vs Post-Auth-Type Reject 3.0.14

Matthew Newton matthew at
Tue Jun 20 17:14:12 CEST 2017

On Tue, Jun 20, 2017 at 02:30:06PM +0000, Wussler, Doug wrote:
> In “radiusd.conf” the “log {}” section defines radius log
> processing.  In particular, “msg_goodpass” and “msg_badpass”
> allow you to add arbitrary info to your log records through the
> expansion of custom variables.  Our config looks like this:
> log {
>         destination = files
>         file = ${logdir}/radius.log
>         auth = yes
>         msg_goodpass = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:VLAN}"
>         msg_badpass  = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}"
> }

Not directly answering your question, but I would forget about
using the log{} section to do this, and configure and use the
linelog module instead. That's the recommended way of doing this.

> Is there some reason why we would want Post-Auth Accept to run
> BEFORE log processing but Post-Auth-Type Reject to run AFTER
> log processing?  It seems like we would want our Post-Auth
> processing to occur in the same sequence relative to expanding
> and writing the log record no matter whether we get an Accept
> or a Reject.

Put linelog in the post-auth sections wherever you want it, and
the sequence will be fixed.


More information about the Freeradius-Users mailing list