On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote:

I'm also doing some stuff in the authorization section which can reject
a user based on some ldap information. I thought I could perhaps just
update the default tunnel post-auth reject section to not do a linelog
if auth-type has been set to EAP, but it doesn't work when clients are
rejected in this ldap section; the EAP auth-type is set but it never
authenticates as the reject is triggered first, and so a linelog would
never be recorded in the inner tunnel post-auth reject section. I hope
that's not too confusing; it's hard to explain.

Sorry, I didn't understand that last part.

There are a bunch of different ways of solving the "logging twice" problem, if that's the problem you're trying to solve.

The easiest is to just not care - we have a similar logging system and log both the inner and outer rejects. Our log "inspection" script shows both, and we just look at the relevant one. Note that EAP sessions can fail in ways that never trigger the inner tunnel, but do set Module-Failure-Message, so you can't just "not log outer" and hope to catch all relevant debugging. You can also have inner accepts with outer rejects (e.g. if the client fails mutual auth) so again, logging just one will miss info.

Without knowing what you're trying to accomplish and what your criteria are, I couldn't comment further - logging is a very individual thing that people have different ideas about. But my advice would be to solve this by post-processing the data, not by having extensive logic in your FR config.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
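The post-processing approach suggested above, as an added example that is not from the thread or from FreeRADIUS itself: it reads linelog-style records from both the inner tunnel and the outer EAP session, pairs them up per user within a short time window, and reports the record that actually explains the reject. The line format and the sample log are constructed for this example (real linelog output is whatever the admin configures), and the three sessions cover the three cases the reply lists: inner reject, outer-only reject with only a Module-Failure-Message, and inner accept followed by outer reject.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (line format is assumed). Three sessions: inner reject (alice),
# outer-only reject (bob), inner accept + outer reject (carol).
SAMPLE_LOG = """\
2013-06-10T17:30:01 tunnel=inner result=Reject user=alice msg=ldap: user is disabled
2013-06-10T17:30:01 tunnel=outer result=Reject user=alice msg=
2013-06-10T17:31:10 tunnel=outer result=Reject user=bob msg=eap_peap: TLS Alert read:fatal:unknown CA
2013-06-10T17:32:05 tunnel=inner result=Accept user=carol msg=
2013-06-10T17:32:05 tunnel=outer result=Reject user=carol msg=eap_peap: client rejected the server certificate
"""
LINE_RE = re.compile(r"^(\S+) tunnel=(inner|outer) result=(Accept|Reject) user=(\S+) msg=(.*)$")
WINDOW = timedelta(seconds=5)  # inner and outer records of one EAP session land close together

def parse(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, tunnel, result, user, msg = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "tunnel": tunnel,
                        "result": result, "user": user, "msg": msg})
    return records

def summarise(user, session):
    """Pick the record that actually explains why one EAP session was rejected."""
    inner = next((r for r in session if r["tunnel"] == "inner"), None)
    outer = next((r for r in session if r["tunnel"] == "outer"), None)
    if outer is None or outer["result"] != "Reject":
        return None                                     # accepted session: nothing to report
    if inner is not None and inner["result"] == "Reject":
        return (user, "inner reject: " + inner["msg"])                      # e.g. ldap policy in the inner tunnel
    if inner is not None:
        return (user, "outer reject after inner accept: " + outer["msg"])   # e.g. client failed mutual auth
    return (user, "outer reject, inner tunnel never ran: " + outer["msg"])  # only Module-Failure-Message exists

def correlate(records):
    """Group each user's records into sessions (a gap > WINDOW starts a new one) and summarise each."""
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    summaries = []
    for user, recs in by_user.items():
        session = []
        for r in recs:
            if session and r["ts"] - session[-1]["ts"] > WINDOW:
                summaries.append(summarise(user, session))
                session = []
            session.append(r)
        summaries.append(summarise(user, session))
    return [s for s in summaries if s is not None]
```

Run it over a real linelog file after adjusting LINE_RE to your own format; the per-user grouping means one summary line per rejected session instead of two.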