Do-Over: Post-Auth-Type Accept vs Post-Auth-Type Reject 3.0.14
Alan DeKok
aland at deployingradius.com
Tue Jun 20 22:28:05 CEST 2017
On Jun 20, 2017, at 10:30 AM, Wussler, Doug <doug.wussler at fsu.edu> wrote:
>
> First, allow me to preface my inquiry by saying that we have been using FreeRADIUS for
> at least 5 years now. It does a fantastic job
> for us and we very much appreciate having access to this excellent application and to this
> extremely responsive listserv. We are grateful and send our thanks to all contributors.
Thanks. The responses I usually give are not intended to be annoying, but to be sure I understand what people are asking for. I can't make assumptions about what people are referring to... having debug output is almost always better.
> Now, to my inquiry:
>
> In “radiusd.conf” the “log {}” section defines radius log processing.
> In particular, “msg_goodpass” and “msg_badpass” allow you to add arbitrary info to your log
> records through the expansion of custom variables. Our config looks like this:
>
> log {
>     destination = files
>     file = ${logdir}/radius.log
>     auth = yes
>     msg_goodpass = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:VLAN}"
>     msg_badpass = "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}"
> }
Which is all fine...
> Here is the relevant debug from a successful PEAP-MSChapV2 authentication. Note that
> the “Post-Auth” processing takes place BEFORE the log record is expanded and written.
That's what the code does in src/main/auth.c, function rad_postauth().
It calls process_post_auth(), and then logs the message via rad_authlog().
> Here is the relevant debug from an unsuccessful auth. Note that the Post-Auth-Type Reject
> processing takes place AFTER the log record is expanded and written:
>
> (8) Failed to authenticate the user
> (8) EXPAND %{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}
> (8) --> wg-wireless.fsu.edu Sha iPhone
Ah, yes.... for Access-Reject, the call to rad_authlog() is done before calling post-auth-type Reject.
See rad_authenticate().
> Is there some reason why we would want Post-Auth Accept to run BEFORE log processing but
> Post-Auth-Type Reject to run AFTER log processing? It seems like we would want our Post-Auth
> processing to occur in the same sequence relative to expanding and writing the log record
> no matter whether we get an Accept or a Reject.
I agree.
I've pushed patches to the v3.0.x branch. Please try them out.
Alan DeKok.
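An added check, not from the thread or from FreeRADIUS itself, for confirming on your own server which order the two steps run in after the patch: it reads `radiusd -X` debug output and, per request id, records whether the Post-Auth section was entered before or after the msg_goodpass/msg_badpass template was expanded. The sample lines are constructed after the excerpt quoted above; the "Executing section post-auth" and "Using Post-Auth-Type" markers are assumed debug wording, so adjust them to what your build prints.

```python
import re
from typing import Dict, Optional

# Constructed sample of radiusd -X output modelled on the excerpt in the thread:
# request (7) is an Accept, request (8) is a Reject on an unpatched 3.0.14 server.
SAMPLE_DEBUG = """\
(7) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(7)   post-auth {
(7)   }
(7) EXPAND %{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:VLAN}
(7)    --> wg-wireless.fsu.edu Sha iPhone 120
(8) Failed to authenticate the user
(8) EXPAND %{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}
(8)    --> wg-wireless.fsu.edu Sha iPhone
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   Post-Auth-Type REJECT {
(8)   }
"""

# The two templates from the log {} section; only their expansion counts as "the log line".
LOG_TEMPLATES = {
    "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type} %{reply:VLAN}",
    "%{SSID} %{Aruba-Location-Id} %{Aruba-AP-Group} %{Aruba-Device-Type}",
}
REQ_RE = re.compile(r"^\((\d+)\)\s+(.*)$")
# Assumed debug markers for entering post-auth processing (Accept and Reject paths).
POST_AUTH_RE = re.compile(r"(Executing section post-auth|Using Post-Auth-Type)")


def post_auth_order(debug_text: str) -> Dict[str, Optional[bool]]:
    """Per request id: True if Post-Auth ran before the log expansion, False if
    after, None if one of the two events was not seen for that request."""
    seen: Dict[str, Dict[str, Optional[int]]] = {}
    for lineno, line in enumerate(debug_text.splitlines()):
        m = REQ_RE.match(line)
        if not m:
            continue
        req, body = m.group(1), m.group(2)
        slot = seen.setdefault(req, {"post_auth": None, "log": None})
        if slot["post_auth"] is None and POST_AUTH_RE.search(body):
            slot["post_auth"] = lineno
        elif slot["log"] is None and body.startswith("EXPAND ") and body[7:] in LOG_TEMPLATES:
            slot["log"] = lineno
    result: Dict[str, Optional[bool]] = {}
    for req, slot in seen.items():
        if slot["post_auth"] is None or slot["log"] is None:
            result[req] = None
        else:
            result[req] = slot["post_auth"] < slot["log"]
    return result
```

On a patched server every request with both events should report True; a False for a Reject means rad_authlog() still ran before Post-Auth-Type Reject.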