Logging authentication attempts while TLS session resumption (caching) is enabled
Alan DeKok
aland at deployingradius.com
Mon Dec 15 16:45:24 CET 2008
Jason Wittlin-Cohen wrote:
> When authenticating via PEAP or TTLS with an anonymous identity, the log
> shows both the anonymous identity and the real identity tunneled through
> the TLS tunnel. However, when TLS session resumption (caching) is
> enabled, only the anonymous identity is logged. This is presumably due
> to the fact that the user is not actually sending the real ID and
> password through the tunnel; rather the saved session is being used.
> However, being that the tunneled username is still available, and
> obtained from the cache, it should be available to log. Is this the
> intended behavior?
The server hasn't been updated to log the cached user name.
> It would seem that logging authentication attempts
> would be more useful if the real username was provided in addition to
> the anonymous identity.
Yes.
As always, patches are welcome.
Alan DeKok.
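Until the server logs the cached user name, resumed sessions can be attributed after the fact by correlating them with the last full authentication from the same client. The following is an added example, not part of the original thread and not FreeRADIUS code. Assumptions: the record layout is constructed, the Calling-Station-Id is used as the correlation key ("station"), and `cache_lifetime` is a parameter to be set to the server's session cache lifetime.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not FreeRADIUS log output. "inner" is None when
# the session was resumed and only the anonymous outer identity was logged.
RECORDS = [
    {"ts": "2008-12-15 09:00:00", "station": "00-11-22-33-44-55", "outer": "anonymous", "inner": "jdoe"},
    {"ts": "2008-12-15 09:20:00", "station": "00-11-22-33-44-55", "outer": "anonymous", "inner": None},
    {"ts": "2008-12-15 09:30:00", "station": "66-77-88-99-AA-BB", "outer": "anonymous", "inner": None},
    {"ts": "2008-12-16 10:00:00", "station": "00-11-22-33-44-55", "outer": "anonymous", "inner": None},
]


def attribute(records, cache_lifetime=timedelta(hours=24)):
    """Fill in the likely real identity for resumed (inner=None) sessions.

    Heuristic: a resumed session is attributed to the inner identity of the
    most recent full authentication from the same station, provided it falls
    within cache_lifetime (set this to the server's session cache lifetime).
    The station id is client-supplied, so a "correlated" result is a lead,
    not proof.
    """
    last_full = {}  # station -> (time of last full auth, inner identity)
    out = []
    for rec in sorted(records, key=lambda r: datetime.strptime(r["ts"], FMT)):
        ts = datetime.strptime(rec["ts"], FMT)
        row = dict(rec, attributed=rec["inner"],
                   source="tunnel" if rec["inner"] else "unknown")
        if rec["inner"]:
            last_full[rec["station"]] = (ts, rec["inner"])
        else:
            prev = last_full.get(rec["station"])
            if prev and ts - prev[0] <= cache_lifetime:
                row["attributed"], row["source"] = prev[1], "correlated"
        out.append(row)
    return out


if __name__ == "__main__":
    for row in attribute(RECORDS):
        print(row["ts"], row["station"], row["outer"], row["attributed"], row["source"])
```

Records left as "unknown" (no prior full authentication from that station, or one older than the cache lifetime) are the ones worth a closer look.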