EAP logging

Robert Franklin rcf34 at cam.ac.uk
Thu Aug 29 11:53:56 CEST 2013


On 28 Aug 2013, at 23:39, Andrej <andrej.groups at gmail.com> wrote:

> I would like f_ticks to write out a single line into syslog that
> contains the inner and outer
> identity of an authentication request, the station ID and MAC address.
> 
> In case of a successful authentication or rejection I'd like to have
> the inner identity and a status on a line,

We do this by using lots of custom linelog instances.  In linelog.conf (just a few examples):

linelog acceptlog {
	filename = "/var/log/radius/auth-%D.log"

	format = "%S (%l) id %I ACCEPT %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type %{control:Auth-Type}/%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{UCam-AP-Name}:--}' essid '%{%{UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog inner-acceptlog {
	filename = "/var/log/radius/auth-%D.log"

	format = "%S (%l) id %I INNER-TUNNEL ACCEPT %{User-Name} (station %{%{outer.request:Calling-Station-Id}:--}) outer-id %{outer.request:User-Name} auth-type %{outer.control:Auth-Type}/%{outer.request:EAP-Type}/%{control:Auth-Type} realm %{%{Realm}:--} nas %{%{outer.request:NAS-IP-Address}:-%{%{outer.request:NAS-IPv6-Address}:--}}/%{%{outer.request:NAS-Port}:--} (operator %{%{outer.request:Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) ap '%{%{outer.request:UCam-AP-Name}:--}' essid '%{%{outer.request:UCam-Essid-Name}:--}' => %{%{reply:User-Name}:--} reply-msg '%{reply:Reply-Message}'"
}

linelog proxy-replylog {
	filename = "/var/log/radius/auth-%D.log"

	format = "%S (%l) id %I PROXY REPLY %{User-Name} (station %{%{Calling-Station-Id}:--}) auth-type /%{EAP-Type} realm %{%{Realm}:--} nas %{%{NAS-IP-Address}:-%{%{NAS-IPv6-Address}:--}}/%{%{NAS-Port}:--} (operator %{%{Operator-Name}:--}) client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) proxy %{%{proxy-reply:Packet-Src-IP-Address}:-%{%{proxy-reply:Packet-Src-IPv6-Address}:--}} proxy-reply-type %{proxy-reply:Packet-Type} proxy-reply-msg '%{proxy-reply:Reply-Message}' => %{%{proxy-reply:User-Name}:--}"
}


We call them as follows:


[default]

post-proxy {
  ...
  proxy-replylog
  ...
}

post-auth {
  ...
  acceptlog
  ...
}


[inner-tunnel]

post-auth {
  ...
  inner-acceptlog
  ...
}


There are some references to %{UCam-AP-Name} and things in there -- we set these with things like:

  if ("%{Aruba-Location-Id}") {
    update request {
      UCam-AP-Name := "%{Aruba-Location-Id}"
      UCam-Essid-Name := "%{Aruba-Essid-Name}"
    }
  }

... they let us not refer to the direct Aruba attributes and would allow us to more easily add another wireless system (we used to have Cisco but migrated away) - if we had to move again, we don't have lots of Cisco-specific bits all over the place.  Note that the attributes are defined in 'dictionary'.


The above stuff will give lines like:

2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rcf34 at cam.ac.uk (station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 (errigal at lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' => rcf34 reply-msg '[cam.ac.uk] Successful authentication <ACCEPT>'

[example from inner-acceptlog.]


Hope this helps,

  - Bob


-- 
 Bob Franklin <rcf34 at cam.ac.uk>              +44 1223 748479
 Network Division, University of Cambridge Computing Service
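A parser for the auth-%D.log lines that the acceptlog and inner-acceptlog formats above produce, so the inner identity, outer identity, station MAC and NAS can be pulled out of the log for correlation or alerting. This is an added example and not code from the post or from FreeRADIUS; the record keys and helper names are my own, the first sample line is the one shown in the post (the list archive rewrote "@" as " at "), and the other two sample lines are constructed. The helper at the end flags inner-tunnel records whose outer (cleartext) identity reveals the real user name rather than an anonymous "@realm" identity.

```python
"""Parser for the auth-%D.log lines written by the acceptlog and
inner-acceptlog linelog formats.  Added example, not from the original
post; record keys and helper names are my own, and two of the three
sample lines are constructed."""
import re
from typing import Dict, Iterable, Iterator, Optional

# One regex covers both "ACCEPT" and "INNER-TUNNEL ACCEPT" lines; the
# "outer-id" field exists only in the inner-tunnel variant, so it is
# optional.  The lazy ".+?" for the user field copes with user names that
# contain spaces (the archived sample has "rcf34 at cam.ac.uk").
ACCEPT_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<epoch>\d+)\) id (?P<pkt_id>\d+) "
    r"(?P<event>INNER-TUNNEL ACCEPT|ACCEPT) "
    r"(?P<user>.+?) \(station (?P<station>[^)]*)\) "
    r"(?:outer-id (?P<outer_id>.+?) )?"
    r"auth-type (?P<auth_type>\S*) realm (?P<realm>\S+) "
    r"nas (?P<nas>\S+) \(operator (?P<operator>[^)]*)\) "
    r"client (?P<client_ip>\S+) \((?P<client_name>[^)]*)\) "
    r"ap '(?P<ap>[^']*)' essid '(?P<essid>[^']*)' "
    r"=> (?P<reply_user>\S+) reply-msg '(?P<reply_msg>.*)'$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of an accept line as a dict, or None for any other
    line type (e.g. PROXY REPLY) or a line that does not match."""
    m = ACCEPT_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["epoch"] = int(m.group("epoch"))
    rec["pkt_id"] = int(m.group("pkt_id"))
    # "nas" is written as <address>/<port>; split on the last slash.
    nas_ip, _, nas_port = m.group("nas").rpartition("/")
    rec["nas_ip"], rec["nas_port"] = nas_ip, nas_port
    return rec


def parse_log(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield a record for every accept line, silently skipping the rest."""
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            yield rec


def outer_identity_is_anonymous(rec: Dict[str, object]) -> Optional[bool]:
    """For an inner-tunnel record, report whether the outer identity hides
    the real user (empty or 'anonymous' local part, as in '@cam.ac.uk').
    Returns None for records that carry no outer-id field."""
    outer_id = rec.get("outer_id")
    if outer_id is None:
        return None
    local_part, _, _ = str(outer_id).partition("@")
    return local_part == "" or local_part.lower() == "anonymous"


# Sample line from the post (the list archive rewrote "@" as " at ").
SAMPLE_INNER = (
    "2013-08-29 10:53:02 (1377769982) id 175 INNER-TUNNEL ACCEPT rcf34 at cam.ac.uk "
    "(station 0015AF81CEB3) outer-id @cam.ac.uk auth-type EAP/PEAP/EAP realm LOCAL "
    "nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 "
    "(errigal at lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' "
    "=> rcf34 reply-msg '[cam.ac.uk] Successful authentication <ACCEPT>'"
)
# Constructed: the matching outer-tunnel ACCEPT line (no outer-id field,
# empty Reply-Message).
SAMPLE_OUTER = (
    "2013-08-29 10:53:02 (1377769982) id 176 ACCEPT @cam.ac.uk "
    "(station 0015AF81CEB3) auth-type EAP/PEAP realm LOCAL "
    "nas 131.111.1.20/0 (operator 1lapwing.cam.ac.uk) client 131.111.1.20 "
    "(errigal at lapwing.cam.ac.uk) ap '00:24:6c:c3:24:fd' essid 'eduroam' "
    "=> rcf34 reply-msg ''"
)
# Constructed: an inner line whose outer identity exposes the real user name.
SAMPLE_LEAKY = SAMPLE_INNER.replace("outer-id @cam.ac.uk", "outer-id rcf34@cam.ac.uk")


if __name__ == "__main__":
    for rec in parse_log([SAMPLE_INNER, SAMPLE_OUTER, SAMPLE_LEAKY]):
        print(rec["event"], rec["user"], rec["station"], rec["outer_id"],
              "anonymous-outer:", outer_identity_is_anonymous(rec))
```

The regex is deliberately anchored on the literal labels ("station", "outer-id", "auth-type", ...) rather than on whitespace, because the User-Name, Client-Shortname and Reply-Message fields can all contain spaces; if you change the linelog format strings, change the labels here to match.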
