logging auth failures with inner identity
Hi list, I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails. * I can capture auth requests coming in (in authorize section of outer site) * I can capture auth successes and failures (in outer site:post-auth) * I can capture successful auths in the EAP:TLS inner site But - when an EAP-TLS auth fails (eg on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt? Thanks, Jim Potter Jisc Config snippets FWIW: server home { authorize { log_auth_req eap } post-auth { log_auth_accept Post-Auth-Type REJECT { log_auth_reject } } } eap { tls { virtual_server = eap-inner } } server eap-inner { authorize { log_inner } authenticate { log_inner } post-auth { log_inner Post-Auth-Type REJECT { log_inner } } }
On 12/11/2024 09:05, James Potter via Freeradius-Users wrote:
I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails.
* I can capture auth requests coming in (in authorize section of outer site) * I can capture auth successes and failures (in outer site:post-auth) * I can capture successful auths in the EAP:TLS inner site
But - when an EAP-TLS auth fails (eg on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt?
You're right, the inner virtual server is not called for EAP-TLS, there is no inner tunnel. There are examples of attributes you can log in the default post-auth section. https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-avai... You could also add "debug_all" to the outer post-auth and run the server in debug mode. You should see all attributes that are available. -- Matthew
participants (2)
-
James Potter -
Matthew Newton