Re: logging trouble

2007-03-29 Thread Alan DeKok
Brad Lachel wrote:

 When the detail module is loaded, the auth_log appears to get loaded,  
 but the reply_log does not.

  Most likely because it's not being referenced from anywhere.

 It is probably due more  to my like of knowledge in this area.   

  Can you post the contents of the post-auth section?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: logging trouble

2007-03-29 Thread Brad's Junk Mail
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
  detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
  realm: format = suffix
  realm: delimiter = @
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = /usr/local/etc/raddb/users
  files: acctusersfile = /usr/local/etc/raddb/acct_users
  files: preproxy_usersfile = 
/usr/local/etc/raddb/preproxy_users
  files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = User-Name, Acct-Session-Id, 
NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
  detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = /usr/local/var/log/radius/radutmp
  radutmp: username = %{User-Name}
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
  detail: detailfile = 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (reply_log)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.



Here are the lines I thought were relevant from the 
radius.conf file:

  detail auth_log {
  detailfile = 
${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d

  
# This MUST be 0600, otherwise anyone can 
read
# the users passwords!
  detailperm = 0600
  }

 #
 #  This module logs authentication reply packets 
sent
 #  to a NAS.  Both Access-Accept and 
Access-Reject packets
 #  are logged.
 #
 #  You will also need to un-comment the 
'reply_log' line
 #  in the 'post-auth' section, below.
 #
  detail reply_log {
  detailfile = 
${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d

 #
 #  This MUST be 0600, otherwise anyone 
can read
 #  the users passwords!
  detailperm = 0600
  }



 #
 #  If you want to have a log of authentication 
requests,
 #  un-comment the following line, and the 'detail 
auth_log'
 #  section, above.
 auth_log


 #
 #  If you want to have a log of authentication 
replies,
 #  un-comment the following line, and the 'detail 
reply_log'
 #  section, above.
 reply_log










On Thu, 29 Mar 2007 13:48:17 +0100
  Alan DeKok [EMAIL PROTECTED] wrote:
 Brad Lachel wrote:

 When the detail module is loaded, the auth_log appears 
to get loaded,  
 but the reply_log does not.
 
  Most likely because it's not being referenced from 
anywhere.
 
 It is probably due more  to my like of knowledge in this 
area.   
 
  Can you post the contents of the post-auth section?
 
  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the 
book
  http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
All e-mail to and from this address is subject to the Acceptable Use Policies 
of Community High School District #155. All e-mail may be monitored and/or 
disclosed to third parties. Any views or opinions presented in an e-mail are 
solely those of the author and may not represent those of Community High School 
District #155.

Community High School District #155
http://www.d155.org

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: logging trouble

2007-03-29 Thread Brad's Junk Mail
Here is the entire post-auth section:

post-auth {
 #  Get an address from the IP Pool.
#   main_pool

 #
 #  If you want to have a log of authentication 
replies,
 #  un-comment the following line, and the 'detail 
reply_log'
 #  section, above.
 reply_log

 #
 #  After authenticating the user, do another SQL 
query.
 #
 #  See Authentication Logging Queries in 
sql.conf
#   sql

 #
 #  Instead of sending the query to the SQL 
server,
 #  write it into a log file.
 #
#   sql_log

 #
 #  Un-comment the following if you have set
 #  'edir_account_policy_check = yes' in the ldap 
module sub-section of
 #  the 'modules' section.
 #
#   ldap
 #
 #  Access-Reject packets are sent through the 
REJECT sub-section of the
 #  post-auth section.
 #  Uncomment the following and set the module 
name to the ldap instance
 #  name if you have set 
'edir_account_policy_check = yes' in the ldap
 #  module sub-section of the 'modules' section.
 #
#   Post-Auth-Type REJECT {
#   insert-module-name-here
#   }

}

On Thu, 29 Mar 2007 13:48:17 +0100
  Alan DeKok [EMAIL PROTECTED] wrote:
 Brad Lachel wrote:

 When the detail module is loaded, the auth_log appears 
to get loaded,  
 but the reply_log does not.
 
  Most likely because it's not being referenced from 
anywhere.
 
 It is probably due more  to my like of knowledge in this 
area.   
 
  Can you post the contents of the post-auth section?
 
  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the 
book
  http://deployingradius.com/blog/ - The blog
 - 
 List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


-
All e-mail to and from this address is subject to the Acceptable Use Policies 
of Community High School District #155. All e-mail may be monitored and/or 
disclosed to third parties. Any views or opinions presented in an e-mail are 
solely those of the author and may not represent those of Community High School 
District #155.

Community High School District #155
http://www.d155.org

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: logging trouble

2007-03-29 Thread Alan DeKok
Brad's Junk Mail wrote:

  That's not quite what I asked for...

 Here are the lines I thought were relevant from the 
 radius.conf file:

  Please post the lines I asked for, and double-check the default
configuration as I said.  Posting out of context snippets from
radiusd.conf helps less than you might think.

  The post-auth section should have a reject sub-section, that
contains reply_log.  That will log Access-Reject packets.  The
comments in radiusd.conf explain this.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: logging trouble

2007-03-29 Thread Brad Lachel
Thanks, I was missing the info in the reject subsection.


On Mar 29, 2007, at 8:01 AM, Alan DeKok wrote:

 Brad's Junk Mail wrote:

   That's not quite what I asked for...

 Here are the lines I thought were relevant from the
 radius.conf file:

   Please post the lines I asked for, and double-check the default
 configuration as I said.  Posting out of context snippets from
 radiusd.conf helps less than you might think.

   The post-auth section should have a reject sub-section, that
 contains reply_log.  That will log Access-Reject packets.  The
 comments in radiusd.conf explain this.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/ 
 users.html


-
All e-mail to and from this address is subject to the Acceptable Use Policies 
of Community High School District #155. All e-mail may be monitored and/or 
disclosed to third parties. Any views or opinions presented in an e-mail are 
solely those of the author and may not represent those of Community High School 
District #155.

Community High School District #155
http://www.d155.org

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: logging trouble

2007-03-28 Thread Peter Nixon
On Wed 28 Mar 2007 19:28, Alan DeKok wrote:
 Brad Lachel wrote:
  I am trying to create a log that tell me who attempted to login,
  when, where and what the result was.  I have uncommented the auth_log
  line and the reply_log line as well as the detail auth_log and detail
  reply_log sections.  When I start up radius, it appears that both the
  auth_log and reply log are activated as they both appear correctly in
  the instantiated section of the startup process.  When an attempt is
  made to login, the authentication is logged, but the reply is not.
  What am I missing?

   Run it in debug mode, and see if it calls the reply_log module.

  I will admit that I am not real comfortable in deciphering the how-
  to's and config files associated with freeradius, but I think that I
  have done what I need to in order to get what I am looking for.

   The documentation is clear... sometimes.  That's why I'm writing the
 book.  I don't think the book will cover everything, but maybe the
 second edition will do that. :)

  freeradius is being used to authenticate users to wireless access
  points, the ideal log would look something like this:
 
  MAC timeWAP IP  result

   In the CVS head (what will be 2.0), you can easily create that format
 with the line_log module.  In 1.1.5, it's problematic..

As will the acctlog module which allows you to spit any type of accounting 
packet out in a configurable single line log to either radiusd.log or 
syslog.. (I use it for keeping track of user disconnects via my centralised 
syslog server..)

Cheers

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html