Re: logging trouble
Brad Lachel wrote:
> When the detail module is loaded, the auth_log appears to get loaded,
> but the reply_log does not.

  Most likely because it's not being referenced from anywhere.

> It is probably due more to my lack of knowledge in this area.

  Can you post the contents of the post-auth section?

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: logging trouble
    Module: Instantiated preprocess (preprocess)
    Module: Loaded detail
     detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (auth_log)
    Module: Loaded realm
     realm: format = suffix
     realm: delimiter = @
     realm: ignore_default = no
     realm: ignore_null = no
    Module: Instantiated realm (suffix)
    Module: Loaded files
     files: usersfile = /usr/local/etc/raddb/users
     files: acctusersfile = /usr/local/etc/raddb/acct_users
     files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
     files: compat = no
    Module: Instantiated files (files)
    Module: Loaded Acct-Unique-Session-Id
     acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
    Module: Instantiated acct_unique (acct_unique)
     detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (detail)
    Module: Loaded radutmp
     radutmp: filename = /usr/local/var/log/radius/radutmp
     radutmp: username = %{User-Name}
     radutmp: case_sensitive = yes
     radutmp: check_with_nas = yes
     radutmp: perm = 384
     radutmp: callerid = yes
    Module: Instantiated radutmp (radutmp)
     detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
     detail: detailperm = 384
     detail: dirperm = 493
     detail: locking = no
    Module: Instantiated detail (reply_log)
    Listening on authentication *:1812
    Listening on accounting *:1813
    Ready to process requests.

Here are the lines I thought were relevant from the radius.conf file:

    detail auth_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

        # This MUST be 0600, otherwise anyone can read
        # the users passwords!
        detailperm = 0600
    }

    #
    # This module logs authentication reply packets sent
    # to a NAS. Both Access-Accept and Access-Reject packets
    # are logged.
    #
    # You will also need to un-comment the 'reply_log' line
    # in the 'post-auth' section, below.
    #
    detail reply_log {
        detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

        #
        # This MUST be 0600, otherwise anyone can read
        # the users passwords!
        detailperm = 0600
    }

    #
    # If you want to have a log of authentication requests,
    # un-comment the following line, and the 'detail auth_log'
    # section, above.
    auth_log

    #
    # If you want to have a log of authentication replies,
    # un-comment the following line, and the 'detail reply_log'
    # section, above.
    reply_log

On Thu, 29 Mar 2007 13:48:17 +0100 Alan DeKok wrote:
> Brad Lachel wrote:
> > When the detail module is loaded, the auth_log appears to get loaded,
> > but the reply_log does not.
>
>   Most likely because it's not being referenced from anywhere.
>
> > It is probably due more to my lack of knowledge in this area.
>
>   Can you post the contents of the post-auth section?
>
>   Alan DeKok.

-
All e-mail to and from this address is subject to the Acceptable Use Policies of Community High School District #155. All e-mail may be monitored and/or disclosed to third parties. Any views or opinions presented in an e-mail are solely those of the author and may not represent those of Community High School District #155.

Community High School District #155
http://www.d155.org
Re: logging trouble
Here is the entire post-auth section:

    post-auth {
        # Get an address from the IP Pool.
        # main_pool

        #
        # If you want to have a log of authentication replies,
        # un-comment the following line, and the 'detail reply_log'
        # section, above.
        reply_log

        #
        # After authenticating the user, do another SQL query.
        #
        # See Authentication Logging Queries in sql.conf
        # sql

        #
        # Instead of sending the query to the SQL server,
        # write it into a log file.
        #
        # sql_log

        #
        # Un-comment the following if you have set
        # 'edir_account_policy_check = yes' in the ldap module sub-section of
        # the 'modules' section.
        #
        # ldap
        #
        # Access-Reject packets are sent through the REJECT sub-section of the
        # post-auth section.
        # Uncomment the following and set the module name to the ldap instance
        # name if you have set 'edir_account_policy_check = yes' in the ldap
        # module sub-section of the 'modules' section.
        #
        # Post-Auth-Type REJECT {
        #     insert-module-name-here
        # }
    }

On Thu, 29 Mar 2007 13:48:17 +0100 Alan DeKok wrote:
> Brad Lachel wrote:
> > When the detail module is loaded, the auth_log appears to get loaded,
> > but the reply_log does not.
>
>   Most likely because it's not being referenced from anywhere.
>
> > It is probably due more to my lack of knowledge in this area.
>
>   Can you post the contents of the post-auth section?
>
>   Alan DeKok.
Re: logging trouble
Brad's Junk Mail wrote:

  That's not quite what I asked for...

> Here are the lines I thought were relevant from the radius.conf file:

  Please post the lines I asked for, and double-check the default
configuration as I said. Posting out of context snippets from
radiusd.conf helps less than you might think.

  The post-auth section should have a reject sub-section, that contains
reply_log. That will log Access-Reject packets. The comments in
radiusd.conf explain this.

  Alan DeKok.
Re: logging trouble
Thanks, I was missing the info in the reject subsection.

On Mar 29, 2007, at 8:01 AM, Alan DeKok wrote:
> Brad's Junk Mail wrote:
>
>   That's not quite what I asked for...
>
> > Here are the lines I thought were relevant from the radius.conf file:
>
>   Please post the lines I asked for, and double-check the default
> configuration as I said. Posting out of context snippets from
> radiusd.conf helps less than you might think.
>
>   The post-auth section should have a reject sub-section, that contains
> reply_log. That will log Access-Reject packets. The comments in
> radiusd.conf explain this.
>
>   Alan DeKok.
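Added example, not part of any message in this thread and not FreeRADIUS code: a small Python check for the misconfiguration resolved above, where a detail instance is listed in post-auth but not in the Post-Auth-Type REJECT sub-section, so Access-Reject packets go unlogged. It also confirms detailperm is 0600, which the debug output prints as 384. The names entries, audit, DETAIL, BEFORE and AFTER are hypothetical, the sample configuration is constructed from the snippets quoted in the thread, and the parser assumes one statement per line.

```python
# Constructed samples modelled on the configuration quoted in this thread.
DETAIL = """detail reply_log {
    detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
    detailperm = 0600
}
"""
BEFORE = DETAIL + """post-auth {
    reply_log
    # Post-Auth-Type REJECT {
    #     insert-module-name-here
    # }
}
"""
AFTER = DETAIL + """post-auth {
    reply_log
    Post-Auth-Type REJECT {
        reply_log
    }
}
"""

def entries(text):
    """Yield (enclosing block headers, statement) for each uncommented line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' always starts a comment
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line:
            yield tuple(stack), line

def audit(text):
    """Per detail instance: is detailperm 0600, and which post-auth paths call it?"""
    items, report = list(entries(text)), {}
    for stack, line in items:
        if stack and stack[-1].split()[0] == "detail":
            row = report.setdefault(stack[-1].split()[-1], dict(perm_0600=False, post_auth=False, reject=False))
            key, _, value = (part.strip() for part in line.partition("="))
            if key == "detailperm":
                row["perm_0600"] = int(value, 8) == 0o600  # debug output shows decimal 384
    for stack, line in items:
        if line in report and stack == ("post-auth",):
            report[line]["post_auth"] = True   # listed directly in post-auth
        if line in report and stack == ("post-auth", "Post-Auth-Type REJECT"):
            report[line]["reject"] = True      # listed in the REJECT sub-section
    return report
print(audit(BEFORE), audit(AFTER), sep="\n")
```

For the BEFORE sample the report shows reject as False, which matches the symptom in the thread: the instance is instantiated at startup but never called for rejected logins.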
Re: logging trouble
On Wed 28 Mar 2007 19:28, Alan DeKok wrote:
> Brad Lachel wrote:
> > I am trying to create a log that tells me who attempted to login,
> > when, where and what the result was. I have uncommented the auth_log
> > line and the reply_log line as well as the detail auth_log and detail
> > reply_log sections. When I start up radius, it appears that both the
> > auth_log and reply log are activated as they both appear correctly in
> > the instantiated section of the startup process. When an attempt is
> > made to login, the authentication is logged, but the reply is not.
> > What am I missing?
>
>   Run it in debug mode, and see if it calls the reply_log module.
>
> > I will admit that I am not real comfortable in deciphering the
> > how-to's and config files associated with freeradius, but I think
> > that I have done what I need to in order to get what I am looking for.
>
>   The documentation is clear... sometimes. That's why I'm writing the
> book. I don't think the book will cover everything, but maybe the
> second edition will do that. :)
>
> > freeradius is being used to authenticate users to wireless access
> > points, the ideal log would look something like this:
> >
> > MAC   time   WAP IP   result
>
>   In the CVS head (what will be 2.0), you can easily create that
> format with the line_log module. In 1.1.5, it's problematic..

As will the acctlog module which allows you to spit any type of accounting packet out in a configurable single line log to either radiusd.log or syslog.. (I use it for keeping track of user disconnects via my centralised syslog server..)

Cheers
--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc