Correlating Access-Requests and Replys

Christian Strauf strauf at rz.tu-clausthal.de
Thu Apr 21 15:02:06 CEST 2016


Hi all,

we're trying to use an ELK stack (Elasticsearch, Logstash & Kibana) to monitor the performance of our FreeRADIUS 3.0.11 servers which rely on a number of external servers (database, directory etc.). We'd basically like to figure out the elapsed time between first Access-Request and the final Access-Accept (or Access-Reject for that matter). A prerequisite for this is that we can actually correlate Access-Requests and replies by the RADIUS server. I searched a little and found a post by Alan DeKok from 2012 on a very similar matter. The problem is that there's nothing much you can use to correlate an Access-Request reliably to the answers by the RADIUS server. Alan suggested adding a reply item to the reply:

update reply {
	FreeRADIUS-Correlation-Id = "%{Packet-Src-IP-Address}-%{Packet-Src-Port}...
}


I like the idea (you can probably even update the original request with that FreeRADIUS-Correlation-Id before logging it), however, I need some help with the "..." part of the above config snippet. Src IP and src port unfortunately aren't unique enough (the same NAS sends all requests from the same source port). I looked through dictionary.freeradius.internal to find some suitable attribute that isn't part of the original request and that would add some uniqueness but I don't see anything useful. Do you guys happen to know a suitable way of creating such a FreeRADIUS-Correlation-Id that's unique for an Access-Request-...-Access-Accept exchange? I'm not sure whether the NAS will also include the attribute in all its later request packets. Do you happen to know if this is the case?

The approach with a correlation ID has one more disadvantage: according to RFC 2865, Access-Reject messages mustn't include such attributes. So this leaves us with the problem of how to correlate rejects.

This leads me to this question: FreeRADIUS obviously keeps track internally which reply correlates to which request. Is there any way to include some hint to this correlation via a FreeRADIUS-internal attribute which in turn could be logged in auth-detail or reply-detail files? Any help would be highly appreciated.

Kind regards,
Christian Strauf
-- 
Dipl.-Math. Christian Strauf
Clausthal University of Techn.  E-Mail: strauf at rz.tu-clausthal.de
Rechenzentrum                   Web:    www.rz.tu-clausthal.de
Erzstraße 51                    Tel.:   +49-5323-72-2086 Fax: -992086
D-38678 Clausthal-Zellerfeld
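
Added example, not part of the original post and not FreeRADIUS code: a sketch of correlating at the protocol level with the fields RFC 2865 itself defines, pairing each reply (Access-Reject included) with its request by client IP, source port and the header's Identifier octet, and linking the rounds of a multi-round exchange through the State attribute that an Access-Challenge carries and the next Access-Request echoes. The event tuple layout, the `build`/`parse`/`correlate` names and the sample packets are constructed for illustration, and it assumes State values do not repeat per NAS among in-flight exchanges.

```python
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
STATE = 24  # RFC 2865 State attribute type

def build(code, ident, state=b""):  # constructed test packet, zero authenticator
    attrs = bytes([STATE, 2 + len(state)]) + state if state else b""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse(packet):  # -> (code, identifier, State value or None)
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos, state = 20, None  # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == STATE:
            state = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, state

def correlate(events):
    """events: (time_ms, nas_ip, nas_port, raw) in capture order -> [(ip, code, rounds, ms)]."""
    pending, by_state, done = {}, {}, []
    for ts, ip, port, raw in events:
        code, ident, state = parse(raw)
        key = (ip, port, ident)  # how RFC 2865 matches a reply to its request
        if code == ACCESS_REQUEST:
            if key in pending:
                continue  # retransmission of a request still awaiting its reply
            ex = by_state.pop((ip, state), None) or {"start": ts, "rounds": 0}
            ex["rounds"] += 1
            pending[key] = ex
        elif key in pending:
            ex = pending.pop(key)
            if code == ACCESS_CHALLENGE and state:
                by_state[(ip, state)] = ex  # next request echoes this State
            elif code in (ACCESS_ACCEPT, ACCESS_REJECT):
                done.append((ip, code, ex["rounds"], ts - ex["start"]))
    return done

NAS = ("192.0.2.10", 50000)  # constructed sample: one NAS, one fixed source port
SAMPLE = [(0, *NAS, build(1, 7)), (10, *NAS, build(1, 8)),
          (40, *NAS, build(11, 7, b"S1")), (50, *NAS, build(3, 8)),
          (60, *NAS, build(1, 9, b"S1")), (65, *NAS, build(1, 9, b"S1")),
          (200, *NAS, build(2, 9)), (210, *NAS, build(2, 99))]
if __name__ == "__main__":
    print(correlate(SAMPLE))
```

The Identifier is a single octet and is reused, so the pending table is only meaningful for requests still in flight; a reply with no matching pending request (the last sample packet) is ignored.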


