On Nov 15, 2024, at 9:27 AM, Dominic Stalder <dominic.stalder@bluewin.ch> wrote:
You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard do find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".
OK.
(188) eap_peap: (TLS) PEAP - Connection Established (188) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" (188) eap_peap: TLS-Session-Version = "TLS 1.2"
Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is is this another “SSL thing” patched by Nick?]
"git annotate" state the TLS-Session-Version code was added in August 2018.
- More debugging for SSL ciphers. Patch from Nick Porter.
Nonetheless, I am going to figure out how adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example):
It's not a matter of "adjusting" things. It's figuring out where in the call flow the attribute is defined, and then accessing it after that.
linelog 802.1x_authz_log {
If you're logging this in the "authorize" phase, then it generally won't work. The TLS variables are defined after that. Instead, log things in the "post-auth" phase. You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then. Alan DeKok.