allow for logging only accept or reject messages

FreeRADIUS · Sep 27, 2018 · 68be26b · 68be26b
1 parent 97d5177
commit 68be26b
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 3 deletions.
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
@@ -298,12 +298,31 @@ log {
 	#
 	stripped_names = no
 
-	#  Log authentication requests to the log file.
+	#  Log all (accept and reject) authentication results to the log file.
+	#
+	#  This is the same as setting "auth_accept = yes" and
+	#  "auth_reject = yes"
 	#
 	#  allowed values: {no, yes}
 	#
 	auth = no
 
+	#  Log Access-Accept results to the log file.
+	#
+	#  This is only used if "auth = no"
+	#
+	#  allowed values: {no, yes}
+	#
+#	auth_accept = no
+
+	#  Log Access-Reject results to the log file.
+	#
+	#  This is only used if "auth = no"
+	#
+	#  allowed values: {no, yes}
+	#
+#	auth_reject = no
+
 	#  Log passwords with the authentication requests.
 	#  auth_badpass  - logs password if it's rejected
 	#  auth_goodpass - logs password if it's correct

diff --git a/src/include/radiusd.h b/src/include/radiusd.h
@@ -114,7 +114,9 @@ typedef struct main_config {
 	fr_ipaddr_t	myip;				//!< IP to bind to. Set on command line.
 	uint16_t	port;				//!< Port to bind to. Set on command line.
 
-	bool		log_auth;			//!< Log authentication attempts.
+	bool		log_auth;			//!< Log all authentication attempts.
+	bool		log_accept;			//!< Log Access-Accept
+	bool		log_reject;			//!< Log Access-Reject
 	bool		log_auth_badpass;		//!< Log successful authentications.
 	bool		log_auth_goodpass;		//!< Log failed authentications.
 	char const	*auth_badpass_msg;		//!< Additional text to append to successful auth messages.

diff --git a/src/main/auth.c b/src/main/auth.c
@@ -82,7 +82,11 @@ static int rad_authlog(char const *msg, REQUEST *request, int goodpass)
 	char *p;
 	VALUE_PAIR *username = NULL;
 
-	if (!request->root->log_auth) {
+	if ((request->reply->code == PW_CODE_ACCESS_ACCEPT) && !request->root->log_accept) {
+		return 0;
+	}
+
+	if ((request->reply->code == PW_CODE_ACCESS_REJECT) && !request->root->log_reject) {
 		return 0;
 	}
 

diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
@@ -135,6 +135,8 @@ static const CONF_PARSER startup_server_config[] = {
 static const CONF_PARSER log_config[] = {
 	{ "stripped_names", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &log_stripped_names),"no" },
 	{ "auth", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth), "no" },
+	{ "auth_accept", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_accept), NULL},
+	{ "auth_reject", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_reject), NULL},
 	{ "auth_badpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_badpass), "no" },
 	{ "auth_goodpass", FR_CONF_POINTER(PW_TYPE_BOOLEAN, &main_config.log_auth_goodpass), "no" },
 	{ "msg_badpass", FR_CONF_POINTER(PW_TYPE_STRING, &main_config.auth_badpass_msg), NULL},
@@ -955,6 +957,13 @@ do {\
 	 */
 	if (cf_section_parse(cs, NULL, server_config) < 0) return -1;
 
+	/*
+	 *	Fix up log_auth, and log_accept and log_reject
+	 */
+	if (main_config.log_auth) {
+		main_config.log_accept = main_config.log_reject = true;
+	}
+
 	/*
 	 *	We ignore colourization of output until after the
 	 *	configuration files have been parsed.