Re: Question on logging EAP/PEAP authentication rejections
> It's a section, just like any other section. This is documented in man unlang. You put modules or unlang rules there. This is documented in man unlang.

Thanks!! That is exactly what I needed. I did not know to look in that man page. Awesome!

>> If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused on the replies I received. Oh well.
>
> The documentation assumes some amount of independent thought.
>
> *This* is the cause of most of the contention on this list. Some people want to be spoon-fed every possible piece of information. They get testy when that doesn't happen. I get frustrated when people don't bother reading the documentation I wrote. I give direct opinions when they express how bad the documentation is... that they haven't read.

I'm sorry I upset you. I could have worded the last part better. FreeRADIUS is so full of great features that sometimes the doc is not where you expect it, which is why I needed help finding where this was documented. I did figure it out without it in the end anyways. The man unlang advice was exactly what I needed and the doc is very clear. Thanks.

> Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question on logging EAP/PEAP authentication rejections
Well I eventually found and switched to using linelog to log access rejects since I can define my own variables that are logged. Oddly enough FreeRADIUS was showing a packet-type of Access-Request for EAP authentication failures. Since I was calling linelog only from the post_auth_reject spot I just changed the Access-Request= definition to:

    Access-Request = "Rejected access: %{User-Name} SSID: %{NAS-Port-Id}"

and the filename= line to be:

    filename = ${logdir}/authrejectlog-%Y%m%d.log

(yep, I could make a subsection to linelog with those changes but chose not to). So I am now logging username rejects as well as the SSID they are trying to connect to.

I'm not sure why people kept telling me to read the spot above the Post-Auth-Type Reject section. Here is a paste of the text above that section:

    #  Access-Reject packets are sent through the REJECT sub-section of the
    #  post-auth section.
    #
    #  Add the ldap module name (or instance) if you have set
    #  'edir_account_policy_check = yes' in the ldap module configuration

This section was of no help to why usernames were not getting logged in the detail logs for rejections. From my emails I believe I conveyed that I was reading documentation and doing the best I could on my own without being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

-Josh

On Mon, Mar 19, 2012 at 9:15 PM, Josh Hiner j...@remc1.org wrote:
> Alan. Thanks for the reply. One of my previous emails I did put reply_log in the post auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post auth reject spot in my default file under sites enabled and I do have stuff in that section as it clues me to. I must be missing something though obviously.
>
> Thanks -josh
>
> Sent from my iPhone
>
> On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>>
>> ...to remind you what Alan said:
>>
>>>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>>
>> in post-auth section
>>
>>     Post-Auth-Type REJECT {
>>         attr_filter.access_reject
>>     }
>>
>> put things in that bit
>>
>> alan
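For reference, here is the complete wiring the thread converges on, written out as an added example. It is not configuration posted by anyone in the thread and not FreeRADIUS' shipped raddb; it targets the 2.x config layout the thread uses (raddb/modules/, sites-enabled/default, sites-enabled/inner-tunnel). The instance name linelog_reject, the file name, the log line format and the choice of NAS-Port-Id as the SSID carrier are this example's assumptions (Josh's NAS puts the SSID there; many wireless controllers send "<AP-MAC>:<SSID>" in Called-Station-Id instead, so both are logged).

```unlang
# Added example, not from the thread and not FreeRADIUS' own raddb.
# Assumed: FreeRADIUS 2.x, a new module instance "linelog_reject",
# SSID in NAS-Port-Id (NAS-dependent; Called-Station-Id is logged too).
#
# --- raddb/modules/linelog_reject ----------------------------------------
linelog linelog_reject {
	# One file per day under ${logdir}; %Y %m %d are radiusd's
	# request-date expansions, so the file name rotates by itself.
	filename = ${logdir}/authrejectlog-%Y%m%d.log

	# This instance is only ever called from Post-Auth-Type REJECT, so
	# the reply is always an Access-Reject and there is no need to
	# switch on %{Packet-Type}: in post-auth that expands to the type of
	# the *request* (Access-Request), which is why the shipped
	# "Access-Request = ..." message fired for Josh.
	#
	# %{%{reply:User-Name}:-%{request:User-Name}} prefers a User-Name the
	# inner tunnel copied into the outer reply (see below) and falls back
	# to the outer identity the client sent. %t is the request time in
	# ctime format.
	format = "%t reject user=%{%{reply:User-Name}:-%{request:User-Name}} nas=%{NAS-IP-Address} station=%{Calling-Station-Id} port=%{NAS-Port-Id} called=%{Called-Station-Id} eap=%{%{EAP-Type}:-none}"
}

# --- raddb/sites-enabled/default, post-auth section ----------------------
post-auth {
	# ... existing Access-Accept handling unchanged ...

	Post-Auth-Type REJECT {
		# Log BEFORE attr_filter.access_reject: raddb/attrs.access_reject
		# keeps only EAP-Message, Message-Authenticator, Reply-Message,
		# Proxy-State (and MS-CHAP-Error) in the reply, so a User-Name
		# copied into outer.reply is gone once the filter has run.
		linelog_reject
		attr_filter.access_reject
	}
}

# --- raddb/sites-enabled/inner-tunnel, post-auth section -----------------
post-auth {
	# The plain post-auth body runs only for Access-Accept. A rejected
	# inner authentication goes through the REJECT sub-section instead,
	# so the copy of the inner identity has to be repeated there or it
	# never exists on the failures you are trying to log.
	update outer.reply {
		User-Name = "%{request:User-Name}"
	}

	Post-Auth-Type REJECT {
		update outer.reply {
			User-Name = "%{request:User-Name}"
		}
	}
}
```

Two checks before trusting the file. First, run `radiusd -X` and fail a PEAP login on purpose: the debug output shows which list still holds User-Name at the moment the outer Post-Auth-Type REJECT runs, and therefore which branch of the `%{%{reply:User-Name}:-%{request:User-Name}}` fallback is actually being taken. Whether a value set with `update outer.reply` in the inner tunnel survives to the final Access-Reject depends on the EAP method's extra round trips, so do not assume it without looking. Second, remember that the fallback is the outer identity: clients configured with an anonymous outer identity will be logged as "anonymous" (or whatever they send) when the inner copy did not survive, which is exactly the case where the line is least useful for incident response.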
Re: Question on logging EAP/PEAP authentication rejections
Hi,

> being a mooch. The only reason I can think of such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of use linelog would have been helpful. Why not help people?

...or it could be that we've been running FreeRADIUS for a long long time and the method we said works for us, but you've decided on some other way/path.

back in the 0.x days you'd have been SOOL, in 1.x days it would have been code changes... in 2.x days there are a few ways you can do it. you were told the best way of doing it - but you chose another valid way. shrug

alan
Re: Question on logging EAP/PEAP authentication rejections
Ok. I did follow this advice:

<snip>
>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said:
>
>>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
<snip>

What advice didn't I follow? That's all the advice I was given. Put stuff in there (Post-Auth-Type REJECT), which I did do. First I tried reply_log (which didn't log username), so after much trial I modified linelog. I couldn't find documentation, even with searching online, about what to put in there. I pretty much guessed in the end. If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused on the replies I received. Oh well.

Thanks -Josh

On Tue, Mar 20, 2012 at 4:27 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> being a mooch. The only reason I can think of such short and erroneous replies is that some people helping on the list are generally annoyed by any questions. That is too bad. A quick reply of use linelog would have been helpful. Why not help people?
>
> ...or it could be that we've been running FreeRADIUS for a long long time and the method we said works for us, but you've decided on some other way/path.
>
> back in the 0.x days you'd have been SOOL, in 1.x days it would have been code changes... in 2.x days there are a few ways you can do it. you were told the best way of doing it - but you chose another valid way. shrug
>
> alan
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> ...to remind you what Alan said:
>
>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }

*This* is the cause of contention on the list. You've ignored the comment just above that... which documents how the Post-Auth-Type Reject section works.

> What advice didn't I follow? That's all the advice I was given.

The advice assumes that you have an open mind.

> Put stuff in there (Post-Auth-Type REJECT), which I did do. First I tried reply_log (which didn't log username)

It logs the replies. It will log User-Name if it's in the reply.

> so after much trial I modified linelog. I couldn't find documentation, even with searching online, about what to put in there. I pretty much guessed in the end.

It's a section, just like any other section. This is documented in man unlang. You put modules or unlang rules there. This is documented in man unlang.

> If there is documentation on Post-Auth-Type REJECT { that is more than a paragraph please point me to it; I'd be very interested in it. I can't follow advice that's not given to me or read documentation that seems to be impossible to find? I'm just confused on the replies I received. Oh well.

The documentation assumes some amount of independent thought. It doesn't describe all possible configurations. It can't. Instead, it describes how the system works. It describes how *you* can use the tools at your disposal to solve any problem.

*This* is the cause of most of the contention on this list. Some people want to be spoon-fed every possible piece of information. They get testy when that doesn't happen. I get frustrated when people don't bother reading the documentation I wrote. I give direct opinions when they express how bad the documentation is... that they haven't read.

Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> I'm not sure why people kept telling me to read the spot above the Post-Auth-Type Reject section.

Because it describes how the Post-Auth-Type Reject section works. Note: no text saying it magically doesn't log User-Names.

> Here is a paste of the text above that section.

Because we haven't seen it before, right?

> This section was of no help to why usernames were not getting logged in the detail logs for rejections. From my emails I believe I conveyed that I was reading documentation and doing the best I could on my own without being a mooch. The only reason I can think of for such short and erroneous replies is that some people helping on the list are generally annoyed by any questions.

No... they're annoyed at people who ask questions that are answered in the documentation.

> That is too bad. A quick reply of "use linelog" would have been helpful. Why not help people?

Are you really implying I haven't spent 12 years writing free software and helping people? If that is what you're implying, I have nothing polite to say to you. If that's not what you're implying, then you're admitting that the question is rude and inflammatory.

Honestly, why are so many people insistent on pissing off the people who help them for free? You're getting free software, free support, and free bug fixes. Yet that isn't good enough. We have to spend MORE time because the answers we give aren't good enough for you.

Why not just unsubscribe? If you insist on denigrating me, I'll just do it for you.

Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the reply_log section of ./modules/detail.log (I also enabled copy tunneled reply to the outer tunnel in eap.conf). In the logged rejections I'm not getting the User-Name though. I tried disabling the attr_filter.access_reject line in ./sites-enabled/default to see if the attributes were getting filtered, but that didn't do anything, as I expected. I know that Access-Reject logs are only supposed to have certain info (per the attr_filter.access_reject doc). Is there a way to modify the reply_log to include the User-Name in the rejection, or should I be using something other than reply_log?

Thanks! -Josh

On Fri, Mar 16, 2012 at 4:58 PM, Alan DeKok al...@deployingradius.com wrote:
> Josh Hiner wrote:
>> Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too.
>
> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> Alan DeKok.
Re: Question on logging EAP/PEAP authentication rejections
Along with enabling use_tunneled_reply = yes etc., I am also updating the outer tunnel with the inner tunnel username like this:

    update outer.reply {
        User-Name = "%{request:User-Name}"
    }

in ./sites-enabled/inner-tunnel. Watching radius debug I can even see attr_filter.access_reject expand User-Name because it uses it as its key. I do have SQL reject logging fine in other radius server setups. I read the short doc here: http://freeradius.org/radiusd/doc/Post-Auth-Type and have searched via Google. I'm sorry, I just cannot figure this one out. I even see attr_filter. I cannot get FreeRADIUS to log the username in EAP/PEAP login rejects. Thanks again. -Josh

On Fri, Mar 16, 2012 at 4:55 PM, Josh Hiner j...@remc1.org wrote:
> Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too. I have:
>
>     use_tunneled_reply = yes
>     copy_request_to_tunnel = yes
>
> in eap.conf (need that to do group checking in the users file) but this does not seem to affect the issue of no rejected logins being logged. Searched this email list as well as online. Sorry to bother. Any info would be great. I appreciate your time. Thanks!!! -Josh
Re: Question on logging EAP/PEAP authentication rejections
Hi,

> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the

...to remind you what Alan said:

>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.

in post-auth section

    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }

put things in that bit

alan
Re: Question on logging EAP/PEAP authentication rejections
Alan. Thanks for the reply. One of my previous emails I did put reply_log in the post auth reject spot. I'm also copying the user from the inner tunnel to the outer tunnel. I am getting reject logs but without the username. I swear I have read the section above the post auth reject spot in my default file under sites enabled and I do have stuff in that section as it clues me to. I must be missing something though obviously.

Thanks -josh

Sent from my iPhone

On Mar 19, 2012, at 6:32 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Ok I went back, looked at the config, and used some common sense to figure part of it out. I have it now logging replies for rejects using the
>
> ...to remind you what Alan said:
>
>>> Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.
>
> in post-auth section
>
>     Post-Auth-Type REJECT {
>         attr_filter.access_reject
>     }
>
> put things in that bit
>
> alan
Re: Question on logging EAP/PEAP authentication rejections
Josh Hiner wrote:
> Hello. I'm running FreeRADIUS 2.1.6 and logging to /var/log/radius in file/detail format. Currently connection logging is working if the user authenticates correctly. I can't get access rejects to log though. I've turned on reply detail but that is only showing successful attempts too.

Read raddb/sites-available/default. Look for Post-Auth-Type Reject. This is documented.

Alan DeKok.