Logging Packet-Type of reply packets from inner-tunnel

Bob Franklin rcf34 at cam.ac.uk
Tue Mar 9 10:29:18 CET 2010


On Mon, 8 Mar 2010, Alan DeKok wrote:

>  The issue is that the response *might* be an Access-Challenge, or it 
> might be an Access-Reject.  The final decision isn't made until after 
> all of the modules have been executed.

OK -- at least I haven't missed something.


>  But I don't see why you want to log the intermediate 
> Access-Challenges...

Thinking about it, I'm not so sure, if I trust our server...  ;)

Logging the responses from proxies [which are all in the eduroam 
federation at present] started last week as I wanted to be able to confirm 
we did actually receive a reply to a proxied request and it didn't go 
missing or take too long.  I also wanted to see at what point the login 
failed (sometimes things get stuck in the middle of the process).  Being 
able to log the responses and their types lets me confirm whether they 
returned Access-Challenge, Access-Reject or Access-Accept at each stage 
and we can categorically say 'your home [eduroam] site rejected you' and 
not our own local processing.  This has proved very useful.

However, for local authentication, we log that we receive a request for 
each stage of the inner-tunnel processing and then a final 'accept' and 
'reject'.  I can probably just assume that one without an 'accept' or 
'reject' was a challenge (or something else that didn't result in a final 
decision).


Our logging in this area is evolving based on the problems we're seeing 
with people visiting and I'm trying to make sure we can diagnose faults 
after the event.  At the moment, it often takes problems to occur before 
we can work out what we don't have!

Thanks for your help,

   - Bob


-- 
  Bob Franklin <rcf34 at cam.ac.uk>              +44 1223 748479
  Network Division, University of Cambridge Computing Service
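
The diagnosis described in the message above, as an added example that is not part of the original post or of FreeRADIUS: it sorts sessions into "rejected by home site", "no reply to a proxied request", "stopped mid-exchange" and, for local authentication, infers challenges from requests that have no final accept or reject. The log format, session ids and the `classify` helper are assumptions made for illustration.

```python
# Constructed sample lines in a hypothetical format (not FreeRADIUS output):
# "<time> <session> <origin> <event>", origin is "proxy" or "local".
SAMPLE_LOG = """\
10:00:01 s1 proxy request
10:00:01 s1 proxy Access-Challenge
10:00:02 s1 proxy request
10:00:02 s1 proxy Access-Reject
10:02:00 s2 proxy request
10:02:30 s3 proxy request
10:02:30 s3 proxy Access-Challenge
10:03:00 s4 local request
10:03:01 s4 local request
10:03:01 s4 local reject
10:04:00 s5 local request
"""

def classify(log_text):
    """Return {session: verdict} for the hypothetical log format above."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _time, sid, origin, event = parts
        sessions.setdefault(sid, []).append((origin, event))
    verdicts = {}
    for sid, events in sessions.items():
        origin = events[0][0]
        requests = sum(1 for _, e in events if e == "request")
        replies = [e for _, e in events if e != "request"]
        final = replies[-1] if replies else None
        if origin == "proxy":
            if len(replies) < requests:  # a proxied request went unanswered
                verdicts[sid] = "proxy: no reply to request %d" % (len(replies) + 1)
            elif final == "Access-Reject":
                verdicts[sid] = "proxy: rejected by home site"
            elif final == "Access-Accept":
                verdicts[sid] = "proxy: accepted by home site"
            else:  # last reply was a challenge and nothing followed
                verdicts[sid] = "proxy: stopped after Access-Challenge"
        elif final in ("accept", "reject"):
            # Every request before the final one is assumed to be a challenge.
            verdicts[sid] = "local: %s, %d inferred challenge(s)" % (final, requests - 1)
        else:
            verdicts[sid] = "local: no final decision, %d inferred challenge(s)" % requests
    return verdicts

if __name__ == "__main__":
    for sid, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(sid, verdict)
```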


