Question about Logging
Aaron Spanik
a.spanik at ns.sympatico.ca
Sat Aug 23 01:00:32 CEST 2008

I apologize in advance if this question is answered in the
documentation, but if it is, I haven't been able to find it.

I have the following setup:

- Client daemon running on host A
- FreeRADIUS 2.0.4 server running on host A proxying auth requests
- Two Remote RADIUS servers serving authentication from a load-balanced
  pool
- The client daemon sends authentication requests to the FreeRADIUS
  server with a username and password over loopback.
- The FreeRADIUS server receives the Access-Request and proxies it
  to the remote RADIUS servers.
- Responses from the RADIUS server are proxied back to the client
  daemon for action.
- Accounting records are sent by the client daemon, however they are
  "swallowed" by the FreeRADIUS server (always ok) as accounting is not
  being used at this point.

The first thing I will mention is that I do not have any issue
with this configuration; i.e. it works exactly the way it's supposed to.
Recently, however, there has been reason to suspect that the two remote
RADIUS servers are behaving inconsistently with each other (i.e. auth
fails on one and then immediately succeeds on the other).
Unfortunately, I have zero access to the remote RADIUS servers and
limited access to the folks who could tell me whether something is, in
fact, wrong with the remote configuration.

In order to provide statistics on my end or at least look for trends, I
would like to keep track of what remote server a given request is
proxied to, but I can't seem to find an easy way of doing it:

- I have auth_logging turned on so that my radius.log file contains
  basic Yay/Nay information about a particular auth request, but the IP
  of the server the request was proxied to is not included.
- I have detail configured for auth-detail, pre-proxy-detail,
  post-proxy-detail, and reply-detail. All are pretty much stock
  except I put the User-Name into the header in a couple of them.

None of these show the IP of the particular home server that a given
request was sent to. I do understand that I can get this information
if I run a full debug trace, however this is a production system and I
don't need all that information, just one little piece, nor do I want
to run a production server outputting to stdout.

I have also peeled through all the dictionary files looking for an
appropriate RADIUS Attribute which I could use. I found
Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
any of the detail sections, as they all returned 127.0.0.1, which makes
some sense to me given the initial source and destination of the
request packets; I'm also pretty sure I shouldn't be using parameters
from dictionary.freeradius.internal this way. I also found
FreeRADIUS-Proxied-To, however it appears that's only for accounting
packets.

So my question is this: short of editing the source to make the
auth_log pop the home server being contacted into the loglines in
radius.log, is there any way to get that information on a per-request
basis? Is there some unlang magic I could work in the pre- or
post-processing phases? It doesn't really matter to me where the
information goes, as long as I can associate it with a particular
request.

Thanks,
/a
--
Aaron Spanik
a.spanik at ns.sympatico.ca