Re: Question on logging EAP/PEAP authentication rejections

2012-03-21 Thread Josh Hiner

   It's a section, just like any other section.  This is documented in
 man unlang.  You put modules or unlang rules there.  This is
 documented in man unlang.


Thanks!! That is exactly what I needed. I did not know to look in that man
page. Awesome!


  If there is documentation on
  Post-Auth-Type REJECT { that is more than a paragraph please point me to
  it I'd be very interested in it. I can't follow advice that's not given to
  me or to read documentation that seems to be impossible to find? I'm just
  confused on the replies I received. Oh well.

   The documentation assumes some amount of independent thought.

  *This* is the cause of most of the contention on this list.  Some
 people want to be spoon-fed every possible piece of information.  They
 get testy when that doesn't happen.

  I get frustrated when people don't bother reading the documentation I
 wrote.  I give direct opinions when they express how bad the
 documentation is... that they haven't read.


I'm sorry I upset you. I could have worded the last part better. FreeRADIUS
is so full of great features that sometimes the doc is not where you expect
it, which is why I needed help finding where this was documented. I did
figure it out without it in the end anyway. The man unlang advice was
exactly what I needed and the doc is very clear. Thanks.


  Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Josh Hiner
Well I eventually found and switched to using linelog to log access rejects
since I can define my own variables that are logged. Oddly enough
FreeRADIUS was showing a packet-type of Access-Request for EAP
authentication failures. Since I was calling linelog only from the
post_auth_reject spot I just changed the Access-Request= definition to:
Access-Request = Rejected access: %{User-Name} SSID: %{NAS-Port-Id}
and the filename= line to be: ${logdir}/authrejectlog-%Y%m%d.log
(yep I could make a subsection to linelog with those changes but chose not
to).

So I am now logging username rejects as well as the SSID they are trying to
connect to. I'm not sure why people kept telling me to read the spot above
the Post-Auth-Type Reject section. Here is a paste of the text above that
section.

#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  Add the ldap module name (or instance) if you have set
#  'edir_account_policy_check = yes' in the ldap module configuration
#

This section was of no help to why usernames were not getting logged in the
detail logs for rejections. From my emails I believe I conveyed that I was
reading documentation and doing the best I could on my own without being a
mooch. The only reason I can think of such short and erroneous replies is
that some people helping on the list are generally annoyed by any
questions. That is too bad. A quick reply of use linelog would have been
helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner j...@remc1.org wrote:

 Alan. Thanks for the reply. One of my previous emails I did put
 reply_log in the post auth reject spot. I'm also copying the user from
 the inner tunnel to the outer tunnel. I am getting reject logs but
 without the username. I swear I have read the section above the post
 auth reject spot in my default file under sites enabled and I do have
 stuff in that section as it clues me to. I must be missing something
 though obviously.

 Thanks -josh

 Sent from my iPhone

 On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

  Hi,
 
Ok I went back, looked at the config, and used some common sense to
 figure
 part of it out. I have it now logging replies for rejects using the
 
 
  ...to remind you what Alan said:
 
   Read raddb/sites-available/default.  Look for Post-Auth-Type
 Reject.
  
   This is documented.
 
 
  in post-auth section
 
 
 Post-Auth-Type REJECT {
 attr_filter.access_reject
 }
 
  put things in that bit
 
  alan


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan Buxey
Hi,

being a mooch. The only reason I can think of such short and erroneous
replies is that some people helping on the list are generally annoyed by
any questions. That is too bad. A quick reply of use linelog would have
been helpful. Why not help people?

...or it could be that we've been running FreeRADIUS for a long long time and
the method we said works for us but you've decided on some other way of path.
Back in the 0.x days you'd have been SOOL, in 1.x days it would have been code
changes... in 2.x days there are a few ways you can do it. You were told the best
way of doing it - but you chose another valid way.  shrug

alan


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Josh Hiner
Ok. I did follow this advice:

<snip>
Ok I went back, looked at the config, and used some common sense to
figure
part of it out. I have it now logging replies for rejects using the


...to remind you what Alan said:

  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

  This is documented.


in post-auth section


   Post-Auth-Type REJECT {
   attr_filter.access_reject
   }

put things in that bit
<snip>

What advice didn't I follow? That's all the advice I was given. Put stuff in
there (Post-Auth-Type REJECT) which I did do. First I tried reply_log
(which didn't log username) so after much trial I modified linelog. I
couldn't find documentation even with searching online about what to put in
there. I pretty much guessed in the end. If there is documentation on
Post-Auth-Type REJECT { that is more than a paragraph please point me to it
I'd be very interested in it. I can't follow advice that's not given to me or
to read documentation that seems to be impossible to find? I'm just confused
on the replies I received. Oh well.

Thanks -Josh

On Tue, Mar 20, 2012 at 4:27 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

 being a mooch. The only reason I can think of such short and erroneous
 replies is that some people helping on the list are generally annoyed
 by
 any questions. That is too bad. A quick reply of use linelog would
 have
 been helpful. Why not help people?

 ...or it could be that we've been running FreeRADIUS for a long long time
 and
 the method we said works for us but you've decided on some other way of
 path.
 back in the 0.x days you'd have been SOOL, in 1.x days it would have been
 code
 changes...in 2.x days there are a few ways you can do it. you were told
 the best
 way of doing it - but you chose another valid way.  shrug

 alan


Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan DeKok
Josh Hiner wrote:
 ...to remind you what Alan said:
 
   Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

   This is documented.
  
 in post-auth section
 
 
Post-Auth-Type REJECT {
attr_filter.access_reject
}

  *This* is the cause of contention on the list.  You've ignored the
comment just above that... which documents how the Post-Auth-Type Reject
section works.

 What advice didn't I follow? That's all the advice I was given.

  The advice assumes that you have an open mind.

 Put stuff
 in there (Post-Auth-Type REJECT) which I did do. First I tried reply_log
 (which didn't log username)

  It logs the replies.  It will log User-Name if it's in the reply.

 so after much trial I modified linelog. I
 couldn't find documentation even with searching online about what to put
 in there. I pretty much guessed in the end.

  It's a section, just like any other section.  This is documented in
man unlang.  You put modules or unlang rules there.  This is
documented in man unlang.

 If there is documentation on
 Post-Auth-Type REJECT { that is more than a paragraph please point me to
 it I'd be very interested in it. I can't follow advice that's not given to
 me or to read documentation that seems to be impossible to find? I'm just
 confused on the replies I received. Oh well.

  The documentation assumes some amount of independent thought.

  It doesn't describe all possible configurations.  It can't.  Instead,
it describes how the system works.  It describes how *you* can use
the tools at your disposal to solve any problem.

  *This* is the cause of most of the contention on this list.  Some
people want to be spoon-fed every possible piece of information.  They
get testy when that doesn't happen.

  I get frustrated when people don't bother reading the documentation I
wrote.  I give direct opinions when they express how bad the
documentation is... that they haven't read.

  Alan DeKok.

Re: Question on logging EAP/PEAP authentication rejections

2012-03-20 Thread Alan DeKok
Josh Hiner wrote:
 I'm not sure why people kept telling me to read the spot
 above the Post-Auth-Type Reject section.

  Because it describes how the Post-Auth-Type Reject section works.

  Note: no text saying it magically doesn't log User-Names

 Here is a paste of the text
 above that section.

  Because we haven't seen it before, right?

 This section was of no help to why usernames were not getting logged in
 the detail logs for rejections. From my emails I believe I conveyed that
 I was reading documentation and doing the best I could on my own without
 being a mooch. The only reason I can think of such short and erroneous
 replies is that some people helping on the list are generally annoyed by
 any questions.

  No... they're annoyed at people who ask questions that are answered in
the documentation.

 That is too bad. A quick reply of use linelog would
 have been helpful. Why not help people?

  Are you really implying I haven't spent 12 years writing free software
and helping people?  If that is what you're implying, I have nothing
polite to say to you.  If that's not what you're implying, then you're
admitting that the question is rude and inflammatory.

  Honestly, why are so many people insistent on pissing off the people
who help them for free?  You're getting free software, free support, and
free bug fixes.  Yet that isn't good enough.  We have to spend MORE time
because the answers we give aren't good enough for you.

  Why not just unsubscribe?  If you insist on denigrating me, I'll just
do it for you.

  Alan DeKok.


Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Ok I went back, looked at the config, and used some common sense to figure
part of it out. I have it now logging replies for rejects using the
reply_log section of ./modules/detail.log (I also enabled copy tunneled
reply to the outer tunnel in eap.conf). In the logged rejections I'm not
getting the user-name though. I tried disabling the
attr_filter.access_reject line in ./sites-enabled/default to see if the
attributes were getting filtered but that didn't do anything as I expected.
I know that Access-Reject logs are only supposed to have certain info (per
attr_filter.access_reject doc). Is there a way to modify the reply_log to
include the User-Name in the rejection or should I be using something other
than reply_log?

Thanks!
-Josh

On Fri, Mar 16, 2012 at 4:58 PM, Alan DeKok al...@deployingradius.com wrote:

 Josh Hiner wrote:
  Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in
  file/detail format. Currently connection logging is working if the user
  authenticates correctly. I can't get access rejects to log though. I've
  turned on reply detail but that is only showing successful attempts too.

   Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

  This is documented.

  Alan DeKok.


Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Along with enabling use_tunneled_reply=yes etc. I am also updating the
outer tunnel with the inner tunnel username like this:

update outer.reply {
    User-Name = "%{request:User-Name}"
}
in ./sites-enabled/inner-tunnel

Watching radius debug I can even see attr_filter.access_reject expand
User-Name because it uses it as its key.

I do have sql reject logging fine in other radius server setups. I read the
short doc here: http://freeradius.org/radiusd/doc/Post-Auth-Type and have
searched via google. I'm sorry I just cannot figure this one out. I even see
attr_filter. I cannot get FreeRADIUS to log the username in EAP/PEAP login
rejects.

Thanks again.

-Josh

On Fri, Mar 16, 2012 at 4:55 PM, Josh Hiner j...@remc1.org wrote:

 Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in
 file/detail format. Currently connection logging is working if the user
 authenticates correctly. I can't get access rejects to log though. I've
 turned on reply detail but that is only showing successful attempts too.

 I have : use_tunneled_reply = yes and copy_request_to_tunnel = yes in
 eap.conf (need that to do group checking in the users file) but this does
 not seem to affect the issue of no rejected logins being logged. Searched
 this email list as well as online. Sorry to bother.

 Any info would be great. I appreciate your time. Thanks!!!

 -Josh

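Putting the pieces this thread discusses together (a dedicated linelog instance, the outer Post-Auth-Type REJECT section, and the inner-tunnel copy of the authenticated identity) as one added example; this is not Josh's configuration nor anything from the FreeRADIUS project. It assumes the FreeRADIUS 2.x file layout (raddb/modules/, sites-enabled/default, sites-enabled/inner-tunnel); the instance name reject_log, the log filename and the exact attribute set are my choices.

```conf
# raddb/modules/reject_log   (added example; instance name "reject_log" is an assumption)
# A dedicated linelog instance that is only ever called from Post-Auth-Type REJECT,
# so no "reference = messages.%{Packet-Type}" lookup is needed. In post-auth the
# Packet-Type of the *request* is still Access-Request, which is why the thread saw
# rejects land on the Access-Request line of the stock "messages" block.
linelog reject_log {
	filename = ${logdir}/authrejectlog-%Y%m%d.log
	# %t is the request timestamp. Prefer the inner (PEAP) identity that the
	# inner-tunnel section below copies into the reply; fall back to the outer
	# identity, which the supplicant may have set to an anonymous value.
	# Which attribute carries the SSID depends on the NAS vendor, so log both
	# Called-Station-Id (often "AP-MAC:SSID") and NAS-Port-Id.
	format = "%t Rejected access: %{%{reply:User-Name}:-%{User-Name}} NAS: %{NAS-IP-Address} Called-Station-Id: %{Called-Station-Id} NAS-Port-Id: %{NAS-Port-Id}"
}

# raddb/sites-enabled/default, inside the post-auth section
post-auth {
	# (other entries in this section unchanged)
	Post-Auth-Type REJECT {
		# Log before attr_filter runs, so attributes it strips from the
		# Access-Reject are still visible to the log line.
		reject_log
		attr_filter.access_reject
	}
}

# raddb/sites-enabled/inner-tunnel, inside the post-auth section
post-auth {
	# (other entries in this section unchanged)
	Post-Auth-Type REJECT {
		attr_filter.access_reject
		# Expose the authenticated inner identity to the outer session's reply
		# list so the outer REJECT handler logs the real user, not the outer one.
		update outer.reply {
			User-Name = "%{request:User-Name}"
		}
	}
}
```

Run radiusd -X once after the change and trigger a bad password: the debug output shows the linelog expansion and the resulting line in authrejectlog-YYYYMMDD.log, which is the quickest way to confirm which of the two User-Name values was picked up.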

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Alan Buxey
Hi,

Ok I went back, looked at the config, and used some common sense to figure
part of it out. I have it now logging replies for rejects using the


...to remind you what Alan said:

  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.
 
  This is documented.


in post-auth section


Post-Auth-Type REJECT {
attr_filter.access_reject
}

put things in that bit

alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-19 Thread Josh Hiner
Alan. Thanks for the reply. One of my previous emails I did put
reply_log in the post auth reject spot. I'm also copying the user from
the inner tunnel to the outer tunnel. I am getting reject logs but
without the username. I swear I have read the section above the post
auth reject spot in my default file under sites enabled and I do have
stuff in that section as it clues me to. I must be missing something
though obviously.

Thanks -josh

Sent from my iPhone

On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

 Hi,

   Ok I went back, looked at the config, and used some common sense to figure
   part of it out. I have it now logging replies for rejects using the


 ...to remind you what Alan said:

 Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

 This is documented.


 in post-auth section


Post-Auth-Type REJECT {
attr_filter.access_reject
}

 put things in that bit

 alan

Re: Question on logging EAP/PEAP authentication rejections

2012-03-16 Thread Alan DeKok
Josh Hiner wrote:
 Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in
 file/detail format. Currently connection logging is working if the user
 authenticates correctly. I can't get access rejects to log though. I've
 turned on reply detail but that is only showing successful attempts too.

  Read raddb/sites-available/default.  Look for Post-Auth-Type Reject.

  This is documented.

  Alan DeKok.