Tweaking LDAP parameters

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 13 15:29:43 CEST 2016


On Wed, Apr 13, 2016 at 02:10:14PM +0100, David Hartburn wrote:
> Sorry to waste time, but do you mean the full log from doing a 'radius -X'?

That's what contains the required information.

> I want to clarify because on a production server that will be a huge log. I
> am happy to produce it though.

Depending on the problem, you can sometimes be more specific about
what you log by using radmin. First run radiusd -X and capture the
output to the end of the startup (when it reports about Listening
for packets). That grabs all the useful config information.

Then you use radmin to capture auth information for a particular
client. There's some information on the FR web page:
http://freeradius.org/radiusd/man/radmin.html

I did a post on how you can filter out by attribute a while back:
http://notes.asd.me.uk/2014/09/16/debugging-freeradius-packets-with-radmin/

But the best way really is to reproduce it on a test RADIUS
server with one or two clients. That doesn't have to be hard -
a great way is to add proxy config to your production servers over
to a test server. When you want to capture something like this,
just proxy particular client(s) over using unlang to select based
on some attributes. Could be MAC address, realm, SSID, location
etc. Makes testing things much easier and more flexible, and of
course the debug logs on the test server will be smaller.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
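
The selective proxying described in the message above could be configured as follows. This is an added example, not part of the original message or of the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS 3.x syntax; the names `test_radius`, `test_pool` and `debug-test`, the address, the secret and the MAC address are all constructed placeholders.

```conf
# --- proxy.conf on the production server -------------------------------
# Hypothetical test server that will run "radiusd -X".
home_server test_radius {
	type   = auth
	ipaddr = 192.0.2.10          # placeholder (documentation range)
	port   = 1812
	secret = REPLACE_WITH_SHARED_SECRET
}

home_server_pool test_pool {
	type        = fail-over
	home_server = test_radius
}

# Realm used only as a proxy target; it is never matched from a User-Name.
realm debug-test {
	auth_pool = test_pool
	nostrip                      # pass User-Name through unchanged
}

# --- sites-enabled/default on the production server --------------------
authorize {
	# Put this ahead of the eap module so that every packet of the
	# EAP conversation for the selected client goes to the test server.
	# Match the Calling-Station-Id format your NAS actually sends.
	if (&Calling-Station-Id == "00-11-22-33-44-55") {
		update control {
			&Proxy-To-Realm := "debug-test"
		}
	}

	# ... existing authorize modules (suffix, eap, ldap, ...) ...
}
```

The test server also needs a `client` entry for the production server with the same shared secret. The condition can use any other request attribute instead, such as the realm, SSID or NAS location the message mentions.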

