Detailed Logging freeradius Request Packets
Hi, I've tried to find a way of detail logging the packets sent by freeradius to the client in the authentication phase but didn't found a way of doing it. Maybe I've not looked correctly so I'm asking if it's actually possible? I was able to log detailed packets sent by the client (Response packets) but not the ones sent by freeradius to the client (except accounting and proxied ones). Thanks for your time. Jean-François Mousinho
Jean-Francois Mousinho wrote:
I've tried to find a way of detail logging the packets sent by freeradius to the client in the authentication phase but didn't found a way of doing it. Maybe I've not looked correctly so I'm asking if it's actually possible?
Yes.
I was able to log detailed packets sent by the client (Response packets) but not the ones sent by freeradius to the client (except accounting and proxied ones).
raddb/modules/detail.log Alan DeKok.
On Sun, 2010-10-10 at 08:50 +0200, Alan DeKok wrote:
Jean-Francois Mousinho wrote:
I've tried to find a way of detail logging the packets sent by freeradius to the client in the authentication phase but didn't found a way of doing it. Maybe I've not looked correctly so I'm asking if it's actually possible?
Yes.
I was able to log detailed packets sent by the client (Response packets) but not the ones sent by freeradius to the client (except accounting and proxied ones).
raddb/modules/detail.log
auth_log is activated in detail.log, and in the authorize section of sites-enabled/default. Example of packet exchange... Sequence in the freeradius logs gives (grep'ed Message-Authenticator): Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91 Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45 Message-Authenticator = 0x8ccbc2c39bf018909859bb683ca8c058 ... In the eapol_test supplicant, I got the following (also grep'ed): Attribute 80 (Message-Authenticator) length=18 Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91 Attribute 80 (Message-Authenticator) length=18 Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f Attribute 80 (Message-Authenticator) length=18 Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45 Attribute 80 (Message-Authenticator) length=18 Value: 67 20 0e f4 6e 13 09 b7 4c 6c f2 4f 81 1f a9 70 So the message *3f (and others are not logged). The message 3f in eapol_test output: Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=86 Attribute 1 (User-Name) length=22 Value: ... Attribute 79 (EAP-Message) length=8 Value: 01 01 00 06 19 20 Attribute 80 (Message-Authenticator) length=18 Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f Attribute 24 (State) length=18 Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec So this message, the Access-Challenge messages are not logged, although the Access-Accept are logged. I should have said I want to log Access-Challenge messages, would be more correct. Thanks for your time. Jean-François Mousinho
Jean F. Mousinho wrote:
So this message, the Access-Challenge messages are not logged, although the Access-Accept are logged.
I should have said I want to log Access-Challenge messages, would be more correct.
That's a bit harder. Put this in the "authenticate" section, to replace the "eap" line: Auth-Type eap { eap { handled = 1 } if (handled) { auth_log.post-auth } } That should do the trick. Alan DeKok.
Hi there!
So this message, the Access-Challenge messages are not logged, although the Access-Accept are logged.
I should have said I want to log Access-Challenge messages, would be more correct.
That's a bit harder. Put this in the "authenticate" section, to replace the "eap" line:
Auth-Type eap { eap { handled = 1 } if (handled) { auth_log.post-auth } }
That should do the trick. Alan DeKok. I found this thread in 2019 (10 years after that, I hope that I hacked headers good enough to glue this message to old thread) to achieve the same goal with a slightly more complex situation.
Original unlang code was: ========== Auth-Type eap { eap perl } ========== So if you just use the recipe as-is you would encounter perl being invoked on every single EAP conversation cycle. To overcome this, one might want to use an upgraded version of the original idea: ========== Auth-Type eap { eap { handled = 9999 } if (handled) { auth_log.post-auth return } perl } ========== Increased priority for handled return code is there just in case we would have something **above** eap that could emit OK/NOOP/UPDATED/etc which have higher priority. OK returned by auth_log.post-auth would be overridden by handled priority as well. Before using this magic, please take a look on doc/configuration/configurable_failover.rst in FreeRADIUS sources to understand what's going on here, it takes a while to settle the things down. :) -- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671
On Oct 27, 2019, at 12:25 PM, Boris Lytochkin <lytboris@yandex-team.ru> wrote:
I found this thread in 2019 (10 years after that, I hope that I hacked headers good enough to glue this message to old thread) to achieve the same goal with a slightly more complex situation.
In 3.0.19 (or some earlier versions, too), there is a section just for Access-Challenge. See sites-available/default: ... # # Filter access challenges. # Post-Auth-Type Challenge { # remove_reply_message_if_eap # attr_filter.access_challenge.post-auth } ...
Before using this magic, please take a look on doc/configuration/configurable_failover.rst in FreeRADIUS sources to understand what's going on here, it takes a while to settle the things down. :)
Or just use newer features. :) Alan DeKok.
Hi. On 28.10.2019 0:32, Alan DeKok wrote:
On Oct 27, 2019, at 12:25 PM, Boris Lytochkin <lytboris@yandex-team.ru> wrote:
I found this thread in 2019 (10 years after that, I hope that I hacked headers good enough to glue this message to old thread) to achieve the same goal with a slightly more complex situation. In 3.0.19 (or some earlier versions, too), there is a section just for Access-Challenge. See sites-available/default:
...
# # Filter access challenges. # Post-Auth-Type Challenge { # remove_reply_message_if_eap # attr_filter.access_challenge.post-auth } ... We'll meet again. In 10 years, probably :) Thanks for the hint, will try it out once we move to 3.0.19+
-- Boris Lytochkin Yandex NOC +7 (495) 739 70 00 ext. 7671
participants (4)
-
Alan DeKok -
Boris Lytochkin -
Jean F. Mousinho -
Jean-Francois Mousinho