On 12/11/2024 09:05, James Potter via Freeradius-Users wrote:
I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails.
* I can capture auth requests coming in (in authorize section of outer site) * I can capture auth successes and failures (in outer site:post-auth) * I can capture successful auths in the EAP:TLS inner site
But - when an EAP-TLS auth fails (eg on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt?
You're right, the inner virtual server is not called for EAP-TLS, there is no inner tunnel. There are examples of attributes you can log in the default post-auth section. https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-avai... You could also add "debug_all" to the outer post-auth and run the server in debug mode. You should see all attributes that are available. -- Matthew