Logging authentication attempts while TLS session resumption (caching) is enabled

Alan DeKok aland at deployingradius.com
Mon Dec 15 16:45:24 CET 2008

Jason Wittlin-Cohen wrote:
> When authenticating via PEAP or TTLS with an anonymous identity, the log
> shows both the anonymous identity and the real identity tunneled through
> the TLS tunnel. However, when TLS session resumption (caching) is
> enabled, only the anonymous identity is logged. This is presumably due
> to the fact that the user is not actually sending the real ID and
> password through the tunnel; rather the saved session is being used.
> However, being that the tunneled username is still available, and
> obtained from the cache, it should be available to log. Is this the
> intended behavior? 

  The server hasn't been updated to log the cached user name.

> It would seem that logging authentication attempts
> would be more useful if the real username was provided in addition to
> the anonymous identity.


  As always, patches are welcome.

  Alan DeKok.

More information about the Freeradius-Users mailing list