On Mon, 8 Mar 2010, Alan DeKok wrote:

> The issue is that the response *might* be an Access-Challenge, or it might be an Access-Reject. The final decision isn't made until after all of the modules have been executed.

OK -- at least I haven't missed something.


> But I don't see why you want to log the intermediate Access-Challenges...

Thinking about it, I'm not so sure, if I trust our server...  ;)

Logging the responses from proxies [which are all in the eduroam federation at present] started last week as I wanted to be able to confirm we did actually receive a reply to a proxied request and it didn't go missing or take too long. I also wanted to see at what point the login failed (sometimes things get stuck in the middle of the process). Being able to log the responses and their types lets me confirm whether they returned Access-Challenge, Access-Reject or Access-Accept at each stage and we can categorically say 'your home [eduroam] site rejected you' and not our own local processing. This has proved very useful.

However, for local authentication, we log that we receive a request for each stage of the inner-tunnel processing and then a final 'accept' and 'reject'. I can probably just assume that one without an 'accept' or 'reject' was a challenge (or something else that didn't result in a final decision).


Our logging in this area is evolving based on the problems we're seeing with people visiting and I'm trying to make sure we can diagnose faults after the event. At the moment, it often takes problems to occur before we can work out what we don't have!

Thanks for your help,

  - Bob


--
 Bob Franklin <[email protected]>              +44 1223 748479
 Network Division, University of Cambridge Computing Service
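
The after-the-event diagnosis described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code: it reads per-stage log lines and reports where each login ended. The log format, the field names and `diagnose()` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format (not FreeRADIUS's own):
# <epoch> id=<session> src=<proxy|local> msg=<request|Access-*>
SAMPLE_LOG = """\
100.0 id=a1 src=proxy msg=request
100.2 id=a1 src=proxy msg=Access-Challenge
100.3 id=a1 src=proxy msg=request
100.6 id=a1 src=proxy msg=Access-Reject
200.0 id=b2 src=proxy msg=request
300.0 id=c3 src=local msg=request
300.2 id=c3 src=local msg=Access-Accept
400.0 id=d4 src=local msg=request
500.0 id=e5 src=proxy msg=request
507.5 id=e5 src=proxy msg=Access-Accept
"""

LINE = re.compile(r"^(\S+) id=(\S+) src=(proxy|local) msg=(\S+)$")
FINAL = {"Access-Accept", "Access-Reject"}

def diagnose(log_text, slow_after=5.0):
    """Return {session id: verdict} saying where each login ended."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # lines that do not fit the assumed format are skipped
            ts, sid, src, msg = m.groups()
            sessions[sid].append((float(ts), src, msg))
    verdicts = {}
    for sid, events in sessions.items():
        events.sort()
        ts, src, msg = events[-1]  # the last thing logged for this session
        who = "home site" if src == "proxy" else "local server"
        if msg in FINAL:
            verdict = f"{msg} from {who}"
            # Flag a final reply that arrived long after the last request.
            sent = max((t for t, _, e in events if e == "request"), default=ts)
            if ts - sent > slow_after:
                verdict += " (slow reply)"
        elif msg == "request" and src == "proxy":
            # Proxied request with nothing logged after it: reply went missing.
            verdict = f"no reply logged from {who}"
        elif msg == "request":
            # Local stage with no accept/reject: assume challenge or similar.
            verdict = "no final decision (challenge or other non-final result)"
        else:
            verdict = f"stopped after {msg} from {who}"
        verdicts[sid] = verdict
    return verdicts
```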