EAP logging
Robert Franklin
rcf34 at cam.ac.uk
Thu Aug 29 11:53:56 CEST 2013
On 28 Aug 2013, at 23:39, Andrej <andrej.groups at gmail.com> wrote:
> I would like f_ticks to write out a single line into syslog that
> contains the inner and outer
> identity of an authentication request, the station ID and MAC address.
>
> In case of a successful authentication or rejection I'd like to have
> the inner identity and a status on a line,
We do this by using lots of custom linelog instances. In linelog.conf (just a few examples):
# %{%{Attr}:--} expands to Attr, or to a lone "-" when Attr is absent.
linelog acceptlog {
    filename = "/var/log/radius/auth-%D.log"
    format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

# Runs in the inner-tunnel server; outer.request / outer.control reach the
# outer (EAP) request so inner and outer identity land on the same line.
linelog inner-acceptlog {
    filename = "/var/log/radius/auth-%D.log"
    format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

# Runs in post-proxy; proxy-reply: is the packet that came back from the home server.
linelog proxy-replylog {
    filename = "/var/log/radius/auth-%D.log"
    format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' => %{%{proxy-reply:User-Name}:--}"
}
We call them as follows:
[default]
post-proxy {
    ...
    proxy-replylog
    ...
}
post-auth {
    ...
    acceptlog
    ...
}

[inner-tunnel]
post-auth {
    ...
    inner-acceptlog
    ...
}
There are some references to %{UCam-AP-Name} and things in there -- we set these with things like:
if ("%{Aruba-Location-Id}") {
    update request {
        UCam-AP-Name := "%{Aruba-Location-Id}"
        UCam-Essid-Name := "%{Aruba-Essid-Name}"
    }
}
... they let us avoid referring to the Aruba attributes directly and would let us add another wireless system more easily (we used to have Cisco but migrated away): if we had to move again, we wouldn't have lots of Cisco-specific bits all over the place. Note that the attributes are defined in 'dictionary'.
The above stuff will give lines like:
2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rcf34@cam.ac.uk (station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 (errigal@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' => rcf34 reply-msg '[cam.ac.uk] Successful authentication <ACCEPT>'
[example from inner-acceptlog.]
Hope this helps,
- Bob
--
Bob Franklin <rcf34 at cam.ac.uk> +44 1223 748479
Network Division, University of Cambridge Computing Service
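An added example, not part of Bob's post or of FreeRADIUS: a parser for the INNER-TUNNEL ACCEPT lines produced by the inner-acceptlog format above, plus a few checks a practitioner would run over them. The regex is derived field by field from that format string; the first sample line is the post's own example (with the list archive's "user at domain" obfuscation undone), the other two lines, and the realms and addresses in them, are constructed for this example. The checks flag an inner identity whose realm differs from the outer (clear-text) identity's realm, an outer identity that is not anonymous (carries a real username in the clear), and a session with no Calling-Station-Id to tie it to a client MAC.

```python
import re
from typing import Optional

# Regex derived from the inner-acceptlog linelog format in the post above.
# Field order follows that format string; this parser is an added example
# and is not part of the original post.
INNER_ACCEPT_RE = re.compile(
    r"^(?P<date>\S+ \S+) \((?P<epoch>\d+)\) id (?P<id>\d+) INNER-TUNNEL ACCEPT "
    r"(?P<user>\S+) \(station (?P<station>[^)\s]+)\) outer-id (?P<outer_id>\S+) "
    r"auth-type (?P<auth_type>\S+) realm (?P<realm>\S+) nas (?P<nas>\S+) "
    r"\(operator (?P<operator>[^)]*)\) client (?P<client>\S+) "
    r"\((?P<client_short>[^)]*)\) ap '(?P<ap>[^']*)' essid '(?P<essid>[^']*)' "
    r"=> (?P<reply_user>\S+) reply-msg '(?P<reply_msg>.*)'$"
)

# Fields the format wrote as %{%{Attr}:--}, i.e. a lone "-" when the attribute
# was absent.  "nas" is two such fields joined by "/" and is left as a string.
DASH_DEFAULT_FIELDS = ("station", "realm", "operator", "ap", "essid", "reply_user")


def parse_inner_accept(line: str) -> Optional[dict]:
    """Parse one INNER-TUNNEL ACCEPT line; return None if it does not match."""
    m = INNER_ACCEPT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["id"] = int(rec["id"])
    rec["epoch"] = int(rec["epoch"])
    for key in DASH_DEFAULT_FIELDS:
        if rec[key] == "-":
            rec[key] = None
    return rec


def realm_of(identity: Optional[str]) -> Optional[str]:
    """Realm part of an NAI ("user@realm"), lower-cased; None if there is no '@'."""
    if not identity or "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def check_record(rec: dict) -> list:
    """Return the list of problems found in one parsed record."""
    problems = []
    outer_realm = realm_of(rec["outer_id"])
    inner_realm = realm_of(rec["user"])
    # Inner and outer realm should agree: the outer identity chose where the
    # tunnel was routed, the inner identity is who actually authenticated.
    if outer_realm and inner_realm and outer_realm != inner_realm:
        problems.append("realm-mismatch")
    # The outer identity travels in the clear; a non-empty local part leaks
    # the real username to every hop between the AP and the home server.
    if rec["outer_id"] and not rec["outer_id"].startswith("@"):
        problems.append("non-anonymous-outer-id")
    # Without Calling-Station-Id the session cannot be tied to a client MAC.
    if rec["station"] is None:
        problems.append("no-station-id")
    return problems


def audit(lines) -> list:
    """(packet id, inner user, problems) for every parsable line with a problem."""
    findings = []
    for line in lines:
        rec = parse_inner_accept(line)
        if rec is None:
            continue
        problems = check_record(rec)
        if problems:
            findings.append((rec["id"], rec["user"], problems))
    return findings


# Sample input: the first line is the post's own example; the other two are
# constructed for this example (realms and addresses are illustrative).
SAMPLE_LINES = [
    "2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rcf34@cam.ac.uk "
    "(station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL "
    "nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 "
    "(errigal@lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' => rcf34 "
    "reply-msg '[cam.ac.uk] Successful authentication <ACCEPT>'",
    "2013-08-29 10:54:10 (1377770050) id 176 INNER-TUNNEL ACCEPT bob@example.com "
    "(station 001122334455) outer-id @example.org auth-type EAP/TTLS/EAP realm LOCAL "
    "nas 192.0.2.10/0 (operator 1ap.example.org) client 192.0.2.10 (nas1) "
    "ap '00:11:22:33:44:55' essid 'eduroam' => bob reply-msg ''",
    "2013-08-29 10:55:33 (1377770133) id 177 INNER-TUNNEL ACCEPT carol@example.com "
    "(station -) outer-id carol@example.com auth-type EAP/PEAP/EAP realm LOCAL "
    "nas -/- (operator -) client 192.0.2.11 (nas2) ap '-' essid '-' => - "
    "reply-msg ''",
]

if __name__ == "__main__":
    for packet_id, user, problems in audit(SAMPLE_LINES):
        print(f"id {packet_id} {user}: {', '.join(problems)}")
```

The regex is tied to the exact format string, so any change to the linelog format needs a matching change here. The lone "-" placeholder that `%{%{Attr}:--}` emits for a missing attribute is indistinguishable from a literal "-" value, which is why the parser only maps it to None for the fields that used that default.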
More information about the Freeradius-Users mailing list