Packet tracing web interface
Gary Gatten
Ggatten at waddell.com
Sat Mar 12 16:00:09 CET 2011
I don't know about all your questions, but, during my testing I found that if I start "radiusd -X > somefile.log" and then run it in the background, I can grep/tail somefile.log for stuff I need. Perhaps you could do something similar to get the results of your query? I'm sure you could find some sort of record delimiters to grab only the results of your query and not all the others. There's probably many ways to do this, including tweaking the source.
Is this for some sort of testing? What problem are you trying to solve?
----- Original Message -----
From: Brian Candler [mailto:B.Candler at pobox.com]
Sent: Saturday, March 12, 2011 07:02 AM
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Packet tracing web interface
I'd like to build a "packet tracer" web interface for freeradius: that is,
somewhere where you can paste in a set of AV pairs (perhaps caught from
radsniff), and you get back the AV responses plus all the decision-making
logic that took place. Basically what freeradius -X shows.
Has anyone done this before? I have a few considerations.
(1) If I had a single persistent freeradius daemon running, and multiple
users were submitting requests to this web interface, I'd need to separate
out the debug data for each of the requests. I guess I could have a locking
system so that only one person could be using it at once.
(Alternatively I'd have to fire off a new foreground radiusd for each
request as it came in, and kill it afterwards)
(2) What's the best way to submit the request so that it looks like it's
coming from a particular IP address? The "Client-IP-Address" attribute is
internal only, not on-the-wire.
At the moment the best I've been able to do is to create loopback interfaces
on my box with examples of the source IPs I'm interested in, then use
radclient to send the packet with a Packet-Src-IP-Address of one of those
loopbacks. Is there a better way I've overlooked?
(Before you say it, I know a well-behaved radius server should be looking at
NAS-IP-Address not Client-IP-Address. Unfortunately there are some cases
where we have to make logic decisions based on the Client-IP-Address)
Thanks,
Brian.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
More information about the Freeradius-Users
mailing list