Tracing access request chain
I'm trying to trace an access attempt that occurred today so that I can categorically say to a user that you were successfully connected to our network, or not, whatever the case maybe. However I'm struggling to create a chain of events by going through the logs. I can see by grepping the logs in the radacct folder that the user sent the access-request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal radius servers that the access was accepted, but I cannot find any reference to the user, or the any of the incoming conversation in the outgoing logs like post-proxy, or reply. I was hoping I'd see a reference to the username and Access-Accept or similar. Can someone please help me out by letting me know if there is one common string that will help me trace one request incoming and outgoing? Cheers, Andi ________________________________
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o'r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Hi,
I can see by grepping the logs in the radacct folder that the user sent the access-request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal radius servers that the access was accepted, but I cannot find any reference to the user, or the any of the incoming conversation in the outgoing logs like post-proxy, or reply. I was hoping I’d see a reference to the username and Access-Accept or similar.
you're not doing any accounting? the accounting packets would have the user-name, IP address, MAC address etc in the accounting packets - the present of these shows tha the client is online and doing things. the reply-detail log should have the user-name alongside the Access-Accept for basic success/fail, the basic "auth = yes" in the log [] section of radiusd.conf will show the 'Login OK' and 'Invalid user' messages for each user-name alan
Cheers Alan, I'll investigate that. I don't know why accounting wouldn't be turned on as I didn't set this server up initially. Andi -----Original Message----- From: freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk@lists.freeradius.org] On Behalf Of Alan Buxey Sent: 08 March 2012 22:49 To: FreeRadius users mailing list Subject: Re: Tracing access request chain Hi,
I can see by grepping the logs in the radacct folder that the user sent the access-request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal radius servers that the access was accepted, but I cannot find any reference to the user, or the any of the incoming conversation in the outgoing logs like post-proxy, or reply. I was hoping I’d see a reference to the username and Access-Accept or similar.
you're not doing any accounting? the accounting packets would have the user-name, IP address, MAC address etc in the accounting packets - the present of these shows tha the client is online and doing things. the reply-detail log should have the user-name alongside the Access-Accept for basic success/fail, the basic "auth = yes" in the log [] section of radiusd.conf will show the 'Login OK' and 'Invalid user' messages for each user-name alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html ________________________________ From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
On 03/08/2012 04:44 PM, Morris, Andi wrote:
I’m trying to trace an access attempt that occurred today so that I can categorically say to a user that you were successfully connected to our network, or not, whatever the case maybe. However I’m struggling to create a chain of events by going through the logs.
I can see by grepping the logs in the radacct folder that the user sent the access-request. The results are in both the auth-detail and the pre-proxy-detail logs. From there I can see in my internal radius servers that the access was accepted, but I cannot find any reference to the user, or the any of the incoming conversation in the outgoing logs like post-proxy, or reply. I was hoping I’d see a reference to the username and Access-Accept or similar.
Well, is the server setup to log auth responses? post-auth { ... detail ... } ?
Can someone please help me out by letting me know if there is one common string that will help me trace one request incoming and outgoing?
Not really. For example: Fri Mar 9 00:06:17 2012 Packet-Type = Access-Accept Class = 0x77... MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x23... MS-MPPE-Recv-Key = 0x2b... EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "mmm" Note there's not much here; nothing which will tell you what the corresponding request is. You can possibly GUESS, based on the reply User-Name (if present - EAP only, typically) and the fact that, probably (hopefully) your detail files are per-NAS. On that topic; I do occasionally wonder if it wouldn't make sense for "detail" files to have an unambiguous item tying the request to a reply, because it can be tricky at times, especially on a busy NAS. FreeRADIUS-Correlation-Id = 192.0.1.1-3253523-1 Hmm. I bet you can do that with unlang; interesting...
Phil Mayers wrote:
On that topic; I do occasionally wonder if it wouldn't make sense for "detail" files to have an unambiguous item tying the request to a reply, because it can be tricky at times, especially on a busy NAS.
FreeRADIUS-Correlation-Id = 192.0.1.1-3253523-1
Hmm. I bet you can do that with unlang; interesting...
Yup update reply { FreeRADIUS-Correlation-Id = "%{Packet-Src-IP-Address}-%{Packet-Src-Port}... } Alan DeKok.
participants (4)
-
Alan Buxey -
Alan DeKok -
Morris, Andi -
Phil Mayers