Correlating Access-Requests and Replies

Matthew Newton mcn4 at leicester.ac.uk
Thu Apr 21 15:35:24 CEST 2016


On Thu, Apr 21, 2016 at 01:02:06PM +0000, Christian Strauf wrote:
> we're trying to use an ELK stack (Elasticsearch, Logstash &
> Kibana) to monitor the performance of our FreeRADIUS 3.0.11
> servers which rely on a number of external servers (database,
> directory etc.).

Nice.

I assume you've seen
https://github.com/FreeRADIUS/freeradius-server/tree/v3.1.x/doc/schemas/logstash
which might be useful.

> A prerequisite for this is that we can actually correlate
> Access-Requests and replies by the RADIUS server.

The State attribute should tie any challenges with the subsequent
request, which might be helpful.

> Do you guys happen to know a suitable way of creating
> such a FreeRADIUS-Correlation-Id that's unique for an
> Access-Request-...-Access-Accept exchange? I'm not sure whether
> the NAS will also include the attribute in all its later request
> packets. Do you happen to know if this is the case?

Include the Calling-Station-Id and User-Name as well? Then perhaps
hash them to get a (most likely unique) hex string. (See e.g.
acct_unique policy.)

I would have thought you could generate a new Correlation
attribute on first request, log it with the request, and then
cache it with rlm_cache. Then pull it out each time you are about
to log a request or reply and put it on the log. Then you should
have a stable ID across all entries in your elasticsearch db.

> The approach with a correlation ID has one more disadvantage:
> according to RFC 2865, Access-Reject messages mustn't include
> such attributes. So this leaves us with the problem how to
> correlate rejects.

You might be better to keep track of the request time in
FreeRADIUS and then just log it with each log entry. rlm_cache
probably needed as well - but examples of arithmetic are in
sites-enabled/default preacct (FreeRADIUS-Acct-Session-Start-Time).

Doing both timing in FR as well as a Correlation attribute is
probably the best option.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
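
The approach suggested in the message above, modelled as an added Python example (not part of the original post and not FreeRADIUS configuration): an ID is minted by hashing User-Name, Calling-Station-Id and arrival time on the first request, cached against the State of each challenge, and written to the log records only, so rejects are covered too. The class, the record fields and the sample packets are constructed for illustration, and a plain dict stands in for rlm_cache.

```python
import hashlib

class Correlator:
    def __init__(self):
        self.by_state = {}  # State -> correlation ID (stand-in for rlm_cache, no TTL here)
        self.started = {}   # correlation ID -> arrival time (ms) of the first request

    def _mint(self, req):
        # Hash identifying attributes plus arrival time, in the spirit of acct_unique.
        material = "|".join((req["User-Name"], req["Calling-Station-Id"], str(req["ts"])))
        cid = hashlib.sha256(material.encode()).hexdigest()[:16]
        self.started[cid] = req["ts"]
        return cid

    def handle(self, req, reply):
        """Return the log records for one request/reply round trip."""
        # A request echoing a cached State continues an exchange; anything else
        # (no State, or a State no longer cached) starts a new one.
        cid = self.by_state.pop(req.get("State"), None) or self._mint(req)
        if reply["code"] == "Access-Challenge":
            self.by_state[reply["State"]] = cid   # tie the next request to this ID
            start = self.started[cid]
        else:
            start = self.started.pop(cid)         # Accept or Reject ends the exchange
        # The ID goes on the log record, not into the reply packet, so an
        # Access-Reject is correlated like any other reply.
        base = {"correlation_id": cid, "user": req["User-Name"]}
        return [dict(base, code="Access-Request", elapsed_ms=req["ts"] - start),
                dict(base, code=reply["code"], elapsed_ms=reply["ts"] - start)]

# Constructed sample: two interleaved exchanges, one rejected and one accepted.
ALICE = {"User-Name": "alice", "Calling-Station-Id": "00-11-22-33-44-55"}
BOB = {"User-Name": "bob", "Calling-Station-Id": "66-77-88-99-AA-BB"}
SAMPLE = [
    (dict(ALICE, ts=1000), {"ts": 1004, "code": "Access-Challenge", "State": "s1"}),
    (dict(BOB, ts=1010), {"ts": 1013, "code": "Access-Challenge", "State": "s2"}),
    (dict(ALICE, ts=1020, State="s1"), {"ts": 1150, "code": "Access-Reject"}),
    (dict(BOB, ts=1030, State="s2"), {"ts": 1042, "code": "Access-Accept"}),
]

def run(sample=SAMPLE):
    c = Correlator()
    return [rec for req, reply in sample for rec in c.handle(req, reply)]

if __name__ == "__main__":
    for rec in run():
        print(rec)
```
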

