reply_log not happening on failures

Dan M at
Thu Jan 14 21:58:52 CET 2021

> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> at> On Behalf Of Alan
> DeKok
> Sent: Tuesday, January 12, 2021 11:53 AM
> To: FreeRadius users mailing list <freeradius-users at>
> Subject: Re: reply_log not happening on failures
> On Jan 12, 2021, at 2:37 PM, Dan M < at> wrote:
> >
> > But I seem to have found a solution.
> > post-auth {
> >    Post-Auth-Type REJECT {
> >        reply_log
> >    }
> > }
> > I added that and started getting the expected log entries for reject.
>   Which is what Matthew suggested to do.
[DTM] Yes, he did.  Thanks.  Saw that after I replied to Jorge.

> > It's not entirely obvious that the main reply_log entry in post-auth wouldn't
> > be universal (e.g. success AND failure) but apparently it's not
>   The comments in the config files make it clear when / where the "Reject"
> section is run.
[DTM] Well, clear to YOU.  You're intimate with the product.
We don't have to carry this on further, but I respectfully point out for consideration in other/future comments:
Since there is no section:
	Post-Auth-Type ACCEPT
I expected (and I don't think I would be alone) that the surrounding post-auth section was *always* performed and that the type section was additional.
Especially since the distribution has reply_log in the bigger section but not in the Post-Auth-Type section.
Maybe there's a reason not to log rejects that isn't obvious to someone just getting into this.

I think this happens with the comments: sometimes they're clear but sometimes they only provide a hint at a possibility.
e.g. the comment
#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
is missing the keyword ONLY which would be clear.
Granted it doesn't say "also sent" so perhaps you see the ambiguity.

>   The good news is that v4 will have a lot of this cleaned up.
[DTM] Joy
>   Alan DeKok.

[DTM] Dan Mullen
