reply_log not happening on failures

reply_log not happening on failures

Dan M
Is there a known issue with rejected requests not generating a reply log
entry.
For a successful request the reply log is always written.

Is it an order thing maybe in some section?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: reply_log not happening on failures

Jorge Pereira-2
Hi,

Which FreeRADIUS version? Where is the debug output? Please https://wiki.freeradius.org/guide/Users-Mailing-List


--
Jorge Pereira
[hidden email]




> On Jan 11, 2021, at 19:29, Dan M <[hidden email]> wrote:
>
> Is there a known issue with rejected requests not generating a reply log
> entry.
> For a successful request the reply log is always written.
>
> Is it an order thing maybe in some section?

Re: reply_log not happening on failures

Matthew Newton-3
In reply to this post by Dan M
On 11/01/2021 22:29, Dan M wrote:
> Is there a known issue with rejected requests not generating a reply log
> entry.
> For a successful request the reply log is always written.
>
> Is it an order thing maybe in some section?

reply_log is in the post_auth section of the config, which is run on
successful authentication.

However, failed authentications run through the post-auth
"Post-Auth-Type REJECT" section. To log failures you'll need to add
reply_log (or similar) to that section, too, e.g.

post-auth {
   ...
   Post-Auth-Type REJECT {
     ...
     reply_log
     ...
   }
}

--
Matthew
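
An added example, not part of the original thread or of FreeRADIUS itself: a small Python check that reads a v3-style virtual-server config and reports whether a module (reply_log by default) is listed for accepted requests, for rejected requests, or both. The sample configs are constructed, and the line-based parser assumes one statement per line and no '#' inside quoted strings.

```python
# Constructed sample config, not taken from a real deployment.
CONFIG_BEFORE = """
server default {
    post-auth {
        reply_log                      # top level: accepted requests only
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}
"""
# The fix from the thread: list reply_log inside the REJECT sub-section too.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access_reject", "access_reject\n            reply_log")

def parse_sections(text):
    """Map each section path to the statements listed directly inside it."""
    stack, found = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumes no '#' inside strings
        if not line:
            continue
        if line.endswith("{"):
            stack.append(" ".join(line[:-1].split()))
            found.setdefault(tuple(stack), [])
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            found.setdefault(tuple(stack), []).append(line)
    if stack:
        raise ValueError("unclosed section: " + stack[-1])
    return found

def post_auth_coverage(text, module="reply_log"):
    """Report whether `module` is listed for accepts and for rejects."""
    cover = {"accept": False, "reject": False}
    for path, stmts in parse_sections(text).items():
        names = [p.lower() for p in path]     # tolerate 'Reject' / 'REJECT'
        if "post-auth" not in names or module not in stmts:
            continue
        subs = [n for n in names if n.startswith("post-auth-type")]
        if not subs:
            cover["accept"] = True
        elif subs == ["post-auth-type reject"]:
            cover["reject"] = True
    return cover
```

Calling `post_auth_coverage()` on a site file's text with `reject` coming back False means failed authentications are not reaching that log.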

RE: reply_log not happening on failures

Dan M
In reply to this post by Jorge Pereira-2

> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+dan.red.beard=[hidden email]> On Behalf Of Jorge
> Pereira
> Sent: Monday, January 11, 2021 6:55 PM
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: reply_log not happening on failures
>
> Hi,
>
> Which FreeRADIUS version? Where is the debug output? Please
Sigh, debug output doesn't show anything and I didn't have it yet at the time.
I thought maybe someone might have an answer without all that.

But I seem to have found a solution.
post-auth {
    Post-Auth-Type REJECT {
        reply_log
    }
}
I added that and started getting the expected log entries for rejected requests.

It's not entirely obvious that the main reply_log entry in post-auth wouldn't be universal (e.g. success AND failure) but apparently it's not

-Dan Mullen

> https://wiki.freeradius.org/guide/Users-Mailing-List
>
>
> --
> Jorge Pereira
> [hidden email]
>
>
>
>
> > On Jan 11, 2021, at 19:29, Dan M <[hidden email]> wrote:
> >
> > Is there a known issue with rejected requests not generating a reply
> > log entry.
> > For a successful request the reply log is always written.
> >
> > Is it an order thing maybe in some section?

Re: reply_log not happening on failures

Alan DeKok-2
On Jan 12, 2021, at 2:37 PM, Dan M <[hidden email]> wrote:
>
> But I seem to have found a solution.
> post-auth {
>    Post-Auth-Type REJECT {
>        reply_log
>    }
> }
> I added that and started getting the expected log entries for reject.

  Which is what Matthew suggested to do.

> It's not entirely obvious that the main reply_log entry in post-auth wouldn't be universal (e.g. success AND failure) but apparently it's not

  The comments in the config files make it clear when / where the "Reject" section is run.

  The good news is that v4 will have a lot of this cleaned up.

  Alan DeKok.



RE: reply_log not happening on failures

Dan M
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-
> bounces+dan.red.beard=[hidden email]> On Behalf Of Alan
> DeKok
> Sent: Tuesday, January 12, 2021 11:53 AM
> To: FreeRadius users mailing list <[hidden email]>
> Subject: Re: reply_log not happening on failures
>
> On Jan 12, 2021, at 2:37 PM, Dan M <[hidden email]> wrote:
> >
> > But I seem to have found a solution.
> > post-auth {
> >    Post-Auth-Type REJECT {
> >        reply_log
> >    }
> > }
> > I added that and started getting the expected log entries for reject.
>
>   Which is what Matthew suggested to do.
[DTM] Yes, he did.  Thanks.  Saw that after I replied to Jorge.

>
> > It's not entirely obvious that the main reply_log entry in post-auth wouldn't be universal (e.g. success AND failure) but apparently it's not
>
>   The comments in the config files make it clear when / where the "Reject" section is run.
[DTM] Well, clear to YOU.  You're intimate with the product.
We don't have to carry this on further but I respectfully point out for consideration in other/future comments
Since there is no section:
        Post-Auth-Type ACCEPT
I expected (and I don't think I would be alone) that the surrounding post-auth section was *always* performed and that the type section was additional.
Especially since the distribution has reply_log in the bigger section but not in the Post-Auth-Type section.
Maybe there's a reason not to log rejects that isn't obvious to someone just getting into this.

I think this happens with the comments: sometimes they're clear but sometimes they only provide a hint at a possibility.
e.g. the comment
#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
is missing the keyword ONLY which would be clear.
Granted it doesn't say "also sent" so perhaps you see the ambiguity.

>
>   The good news is that v4 will have a lot of this cleaned up.
[DTM] Joy
>
>   Alan DeKok.

[DTM] Dan Mullen



Re: reply_log not happening on failures

Alan DeKok-2
On Jan 14, 2021, at 3:58 PM, Dan M <[hidden email]> wrote:
> [DTM] Well, clear to YOU.  You're intimate with the product.

  So... where do we have to put the documentation where people will read it?

  The default config says:

        #
        #  Access-Reject packets are sent through the REJECT sub-section of the
        #  post-auth section.
        #

  Which seems clear.

  If you read the debug output, you'll see that Access-Accepts are run through the "post-auth" section.  And Access-Rejects are sent through the above section.

  That's it.  5 minutes of testing, and you'll see exactly what it does.

  The general frustration here is that there's a *ton* of documentation, comments, and examples.  Instead of making things clearer for people, it seems to make things worse somehow.

> We don't have to carry this on further but I respectfully point out for consideration in other/future comments
> Since there is no section:
> Post-Auth-Type ACCEPT
> I expected (and I don't think I would be alone) that the surrounding post-auth section was *always* performed and that the type section was additional.
> Especially since the distribution has reply_log in the bigger section but not in the Post-Auth-Type section.
> Maybe there's a reason not to log rejects that isn't obvious to someone just getting into this.
>
> I think this happens with the comments: sometimes they're clear but sometimes they only provide a hint at a possibility.
> e.g. the comment
> #  Access-Reject packets are sent through the REJECT sub-section of the
> #  post-auth section.
> is missing the keyword ONLY which would be clear.

  If ONLY there was some kind of debug output you could read, to see what the server was doing.

  This isn't difficult.  If the document says "it does X", then it does X.  It doesn't mean that it randomly does Y, or Z, or maybe Q.

  Maybe the Access-Reject packets are *also* sent through the "accounting" section.  After all, the documentation doesn't say that _doesn't_ happen.  Should we fix that, too?

> Granted it doesn't say "also sent" so perhaps you see the ambiguity.

  No.

  There's an infinite number of things which *might* be possible.  It is unreasonable to document them all.  Instead, we document what the server does, and then leave the reader to make the logical conclusion.

  Alan DeKok.

