On 21/04/16 14:02, Christian Strauf wrote:
but I don't see anything useful. Do you guys happen to know a suitable way of creating such a FreeRADIUS-Correlationa-Id that's unique for an Access-Request-...-Access-Accept exchange? I'm not sure whether the NAS will also include the attribute in all its later
As others have pointed out, this is tricky in current versions of the server. We have a rather complex set of policy that tries to "emulate" a "session" value, and a bunch of log searching scripts that are semi-smart in matching these request together. Some NAS vendors help you out here, by including attributes that let you correlate. For example, Cisco have: Cisco-AVPair = "audit-session-id=xxx" ...which is a very helpful attribute. Our (large) unlang policy for request/reply logging looks something like this: https://gist.github.com/philmayers/ae14614c1f13eb2f3fb7d0c253ac7fb7 This is basically a load of unlang that tries to emulate a "session" value into the (locally-defined) "Req-Session" variable. It then calls the linelog instances "reqlog" and "replog" to log a load of data from the request & reply, such as source/nas IP, Req-Session, the Req-Auth-Info (which includes the first bytes of the first EAP-Message AVP, from which you can extract EAP type and frame length), Module-Failure-Message, Reply-Message, and similar. It also ties the inner and outer together. The post-processing script is too big to post here and too integated with our systems, but it's basically a two-pass search a-la exigrep or similar - first search for matches of the search string, extracting the Req-Session, then do a 2nd pass, extracting all lines for that Req-Session. The script then post-processes the lines, extracting EAP IDs, frame times, making some intelligent guesses (you can spot the MSCHAP auth in a PEAP session from length) and generally prettying it up. It does some detection of half-complete EAP exchanges by the absence of the inner. It's helpful, but the server could make this so, so much easier by allocating a "session" to every packet received, either a new one or the previous one (keyed by State). Even for PAP requests. Cheers, Phil