Hello Alan,
I want logging information if a client shows up with an expired certificate.
Therefore, in authorize I have:

...

eap
if (invalid) {
        update reply {
                Tmp-String-5 = "INVALID Certificate"
        }
}


....

In post-auth:
..
       Post-Auth-Type REJECT {
               sql_log
       }

And in modules/sql_log:

Post-Auth = "INSERT INTO ${postauth_table} \
        (username, pass, reply, authdate, nasname, nasipaddress, radiusip, machinetype, nasport, modulefailmes, csi) VALUES \
        ('%{User-Name}', '%{User-Password}', \
        '%{reply:Packet-Type}', '%S', '%{NAS-Identifier}', '%{Client-IP-Address}', '${RADIP}', \
        '%{Port-Message}', '%{NAS-Port-Id}', '%{reply:Tmp-String-5}', '%{Calling-Station-Id}');"

When a client shows up with an expired certificate I would expect to see the message "INVALID Certificate".

.....
Here is what I get with 2.1.0:
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
   TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server cisco
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[sql_log] Processing sql_log_postauth
       expand: %{User-Name} -> HOST/osd02red.ww901.mycompany.net
expand: %{%{User-Name}:-DEFAULT} -> HOST/osd02red.ww901.mycompany.net
[sql_log] sql_set_user escaped user --> 'HOST/osd02red.ww901.mycompany.net'
expand: INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('%{User-Name}', '%{User-Password}', '%{reply:Packet-Type}', '%S', '%{NAS-Identifier}','%{Client-IP-Address}','1.2.3.4', '%{Port-Message}','%{NAS-Port-Id}','%{reply:Tmp-String-5}','%{Calling-Station-Id}'); -> INSERT INTO radpostauth (username, pass, reply, authdate, nasname, nasipaddress,radiusip,machinetype,nasport,modulefailmes,csi) VALUES ('HOST/osd02red.ww901.mycompany.net', '', 'Access-Reject', '2008-09-12 09:58:09', '','123.246.185.169','1.2.3.4', '','','','00-00-00-00-00-02');

It seems "if (invalid)" is not entered, and I don't see why.

Norbert Wegener



List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
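An added example, not part of Norbert's post or of FreeRADIUS itself: a small Python parser that pulls the TLS alert, the eap module result and the user out of radiusd debug output like the block quoted above, and maps the alert to the reason string the post wanted in the modulefailmes column. The sample text is a constructed, abridged copy of the quoted debug output; the alert-to-reason table and the function name are assumptions, and the table also covers revoked-certificate and unknown-CA alerts beyond the expired-certificate case in the post.

```python
import re

# Constructed sample: an abridged copy of the radiusd -X output quoted in the post.
SAMPLE_DEBUG = """\
[tls] >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
TLS Alert write:fatal:certificate expired
   TLS_accept:error in SSLv3 read client certificate B
[eap] Handler failed in EAP/tls
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
       expand: %{User-Name} -> HOST/osd02red.ww901.mycompany.net
"""

# One request's debug output is scanned for three facts: the TLS alert sent to
# the client, how the eap module returned, and which user was being authenticated.
TLS_ALERT_RE = re.compile(r"TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)")
EAP_RETURN_RE = re.compile(r"^\+\+\[eap\] returns (\w+)", re.MULTILINE)
USER_RE = re.compile(r"expand: %\{User-Name\} -> (\S+)")

# Assumed mapping from TLS alert description to the reason string to log.
# Alert names follow the TLS alert registry; only these three get a dedicated text.
ALERT_REASONS = {
    "certificate_expired": "INVALID Certificate",
    "certificate_revoked": "REVOKED Certificate",
    "unknown_ca": "UNKNOWN CA",
}


def summarize_tls_failure(debug_text: str) -> dict:
    """Extract the TLS alert, eap result and user from one request's debug output.

    'reason' is the string the post wanted in modulefailmes; it is None when
    no TLS alert was sent (for example on a successful authentication).
    """
    alert = TLS_ALERT_RE.search(debug_text)
    eap = EAP_RETURN_RE.search(debug_text)
    user = USER_RE.search(debug_text)
    alert_desc = alert.group(2) if alert else None
    return {
        "user": user.group(1) if user else None,
        "alert_level": alert.group(1) if alert else None,
        "alert": alert_desc,
        "eap_result": eap.group(1) if eap else None,
        "reason": ALERT_REASONS.get(alert_desc, "TLS handshake failed" if alert_desc else None),
    }


if __name__ == "__main__":
    print(summarize_tls_failure(SAMPLE_DEBUG))
```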