Detailed Logging freeradius Request Packets

Jean F. Mousinho jean.mousinho at ist.utl.pt
Mon Oct 11 16:56:59 CEST 2010 

On Sun, 2010-10-10 at 08:50 +0200, Alan DeKok wrote:
> Jean-Francois Mousinho wrote:
> > I've tried to find a way of detail logging the packets sent by
> > freeradius to the client in the authentication phase but didn't found a
> > way of doing it. Maybe I've not looked correctly so I'm asking if it's
> > actually possible?
> 
>   Yes.
> 
> > I was able to log detailed packets sent by the client (Response packets)
> > but not the ones sent by freeradius to the client (except accounting and
> > proxied ones).
> 
>   raddb/modules/detail.log

auth_log is activated in detail.log, and in the authorize section of
sites-enabled/default.

Example of packet exchange...

Sequence in the freeradius logs gives (grep'ed Message-Authenticator):

  Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91
  Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45
  Message-Authenticator = 0x8ccbc2c39bf018909859bb683ca8c058
  ...

In the eapol_test supplicant, I got the following (also grep'ed):

   Attribute 80 (Message-Authenticator) length=18
      Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91
   Attribute 80 (Message-Authenticator) length=18
      Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 80 (Message-Authenticator) length=18
      Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45
   Attribute 80 (Message-Authenticator) length=18
      Value: 67 20 0e f4 6e 13 09 b7 4c 6c f2 4f 81 1f a9 70

So the message *3f (and others are not logged). The message 3f in
eapol_test output:

Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=86
   Attribute 1 (User-Name) length=22
      Value:  ...
   Attribute 79 (EAP-Message) length=8
      Value: 01 01 00 06 19 20
   Attribute 80 (Message-Authenticator) length=18
      Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 24 (State) length=18
      Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

So this message, the Access-Challenge messages are not logged, although
the Access-Accept are logged.

I should have said I want to log Access-Challenge messages, would be
more correct.

Thanks for your time.

Jean-François Mousinho

More information about the Freeradius-Users mailing list