Tracing access request chain

Phil Mayers p.mayers at imperial.ac.uk
Fri Mar 9 10:29:55 CET 2012


On 03/08/2012 04:44 PM, Morris, Andi wrote:
> I’m trying to trace an access attempt that occurred today so that I can
> categorically say to a user that you were successfully connected to our
> network, or not, whatever the case may be. However I’m struggling to
> create a chain of events by going through the logs.
>
> I can see by grepping the logs in the radacct folder that the user sent
> the access-request. The results are in both the auth-detail and the
> pre-proxy-detail logs. From there I can see in my internal radius
> servers that the access was accepted, but I cannot find any reference to
> the user, or any of the incoming conversation in the outgoing logs
> like post-proxy, or reply. I was hoping I’d see a reference to the
> username and Access-Accept or similar.

Well, is the server set up to log auth responses?

post-auth {
   ...
   detail
   ...
}

?

>
> Can someone please help me out by letting me know if there is one common
> string that will help me trace one request incoming and outgoing?

Not really. For example:

Fri Mar  9 00:06:17 2012
         Packet-Type = Access-Accept
         Class = 0x77...
         MS-MPPE-Encryption-Policy = 0x00000001
         MS-MPPE-Encryption-Types = 0x00000006
         MS-MPPE-Send-Key = 0x23...
         MS-MPPE-Recv-Key = 0x2b...
         EAP-Message = 0x03090004
         Message-Authenticator = 0x00000000000000000000000000000000
         User-Name = "mmm"

Note there's not much here; nothing which will tell you what the 
corresponding request is. You can possibly GUESS, based on the reply 
User-Name (if present - EAP only, typically) and the fact that, probably 
(hopefully) your detail files are per-NAS.

On that topic; I do occasionally wonder if it wouldn't make sense for 
"detail" files to have an unambiguous item tying the request to a reply, 
because it can be tricky at times, especially on a busy NAS.

	FreeRADIUS-Correlation-Id = 192.0.1.1-3253523-1

Hmm. I bet you can do that with unlang; interesting...
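
The guess described above (reply User-Name plus a per-NAS detail file), as an added example that is not part of the original post: it parses detail-file text and lists, for each logged reply, the requests with the same User-Name logged shortly before it. The function names, the 5-second window and the sample records are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

HEADER = "%a %b %d %H:%M:%S %Y"            # e.g. "Fri Mar  9 00:06:17 2012"
ATTR = re.compile(r"^\s+(\S+) = (.*)$")    # indented "Name = value" line

def parse_detail(text):
    """Split detail-file text into records: {'_time': datetime, attr: value}."""
    records, cur = [], None
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            if cur is not None:
                cur[m.group(1)] = m.group(2).strip('"')
        elif line.strip():                 # unindented line should be a header
            try:
                cur = {"_time": datetime.strptime(line.strip(), HEADER)}
            except ValueError:
                cur = None                 # not a timestamp; skip to next header
                continue
            records.append(cur)
    return records

def guess_requests(requests, replies, window=timedelta(seconds=5)):
    """Pair each reply with the requests it could answer (same User-Name,
    logged at most `window` before the reply). Several candidates, or a
    reply without User-Name, means the link cannot be proven from the logs."""
    out = []
    for rep in replies:
        user = rep.get("User-Name")
        cands = [q for q in requests
                 if user is not None and q.get("User-Name") == user
                 and timedelta(0) <= rep["_time"] - q["_time"] <= window]
        out.append((rep, cands))
    return out

def sample(ts, ptype, user):               # builds one constructed record
    return f'{ts}\n\tPacket-Type = {ptype}\n\tUser-Name = "{user}"\n\n'

# Constructed sample data for a single NAS, not taken from the post.
REQUEST_LOG = (sample("Fri Mar  9 00:06:16 2012", "Access-Request", "mmm")
               + sample("Fri Mar  9 00:06:17 2012", "Access-Request", "mmm")
               + sample("Fri Mar  9 00:06:17 2012", "Access-Request", "zzz"))
REPLY_LOG = (sample("Fri Mar  9 00:06:17 2012", "Access-Accept", "mmm")
             + sample("Fri Mar  9 00:06:18 2012", "Access-Accept", "zzz"))

if __name__ == "__main__":
    for rep, cands in guess_requests(parse_detail(REQUEST_LOG), parse_detail(REPLY_LOG)):
        note = "unique" if len(cands) == 1 else f"{len(cands)} candidates, guess only"
        print(rep["_time"], rep["Packet-Type"], rep["User-Name"], "->", note)
```

An EAP login produces several Access-Request records for the same user, so more than one candidate per Access-Accept is the normal case rather than an error.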

