Logging EAP-TLS certificate details

Matthew Newton mcn at freeradius.org
Wed Mar 24 12:00:47 CET 2021



On 24/03/2021 02:43, Roberto.Franceschetti at ocfl.net wrote:
> Luckily freeradius is the beauty that it is, and we were able to customize it to log what should be logged out-of-the-box.

So the summary is:

- FreeRADIUS is very configurable and lets you do pretty much anything 
you want

- FreeRADIUS ships with a default config which works in a lot of 
situations out of the box

- Whoever is installing FreeRADIUS still has to configure it, and 
understand what they are doing

- You installed it and didn't understand what you were doing, and had a 
wow revelation moment when you realised your configuration was wrong

- You learnt something

- You fixed your config so it worked

- You're blaming the FreeRADIUS devs for not catering for your exact 
situation.

That's hardly fair.

FreeRADIUS will work in a huge number of situations. The default config 
works in a lot, but will always need to be configured. We do a lot of 
installs with ISPs and broadband setups. They often send critical 
Circuit ID information in all sorts of random attributes that needs 
logging and I have to configure FreeRADIUS to log it, often for 
regulatory auditing purposes.

In the same way that I don't blame the default config for not working 
perfectly out of the box in every situation I use it in, I also don't 
blame the default config for not logging the exact information that I 
wanted it to log.

Instead I look at the incoming requests, think "according to the 
requirements, what needs logging here?" and change the config so that it 
does what is needed, then test to make sure everything is working as it 
should.

-- 
Matthew

