Correlating Access-Requests and Replies
Alan DeKok
aland at deployingradius.com
Thu Apr 21 17:11:26 CEST 2016
On Apr 21, 2016, at 9:02 AM, Christian Strauf <strauf at rz.tu-clausthal.de> wrote:
>
> we're trying to use an ELK stack (Elasticsearch, Logstash & Kibana) to monitor the performance of our FreeRADIUS 3.0.11 servers which rely on a number of external servers (database, directory etc.). We'd basically like to figure out the elapsed time between first Access-Request and the final Access-Accept (or Access-Reject for that matter).
The server doesn't really track that in 3.0, or tracks it only at second resolution.
In 3.1, it tracks all requests / responses in millisecond or better resolution.
> A prerequisite for this is that we can actually correlate Access-Requests and replies by the RADIUS server. I searched a little and found a post by Alan DeKok from 2012 on a very similar matter. The problem is that there's nothing much you can use to correlate an Access-Request reliably to the answers by the RADIUS server. Alan suggested adding a reply item to the reply:
I'm not sure why you need to correlate them. They're already correlated in the server. All you need to do is print out the time difference between request and response.
> I like the idea (you can probably even update the original request with that FreeRADIUS-Correlation-Id before logging it), however, I need some help with the "..." part of the above config snippet. Src IP and src port unfortunately aren't unique enough (the same NAS sends all requests from the same source port). I looked through dictionary.freeradius.internal to find some suitable attribute that isn't part of the original request and that would add some uniqueness but I don't see anything useful. Do you guys happen to know a suitable way of creating such a FreeRADIUS-Correlation-Id that's unique for an Access-Request-...-Access-Accept exchange? I'm not sure whether the NAS will also include the attribute in all its later request packets. Do you happen to know if this is the case?
The NAS won't include any VSA in later request packets.
> The approach with a correlation ID has one more disadvantage: according to RFC 2865, Access-Reject messages mustn't include such attributes. So this leaves us with the problem how to correlate rejects.
VSAs are allowed in Access-Reject.
> This leads me to this question: FreeRADIUS obviously keeps track internally which reply correlates to which request. Is there any way to include some hint to this correlation via a FreeRADIUS-internal attribute which in turn could be logged in auth-detail or reply-detail files? Any help would be highly appreciated.
The simplest thing is to look at the request authenticator. It's essentially unique for all Access-Request packets. And you can track it in Access-Accepts. Add a dictionary entry for it (in a VSA space), as an attribute of type "octets", and then do:
update reply {
	My-Correlation-String := "0x%{request:Packet-Authentication-Vector}"
}
You can then correlate requests and responses by looking at that field.
Alan DeKok.
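The request authenticator Alan points at is a good correlation key on the wire as well as in a logged VSA: RFC 2865 defines the reply's Response Authenticator as MD5 over the Code, Identifier, Length, the Request Authenticator of the packet being answered, the reply attributes and the shared secret, so a reply is bound to exactly one outstanding request even when a NAS reuses an Identifier from the same source port. The following Python script is an added example written for this thread; it is not FreeRADIUS code and nothing in it comes from the original post. The capture (timestamps, NAS address, shared secret and packets) is constructed inline, and the function names are the example's own. It pairs replies with requests by recomputing the Response Authenticator against each candidate Request Authenticator and reports the elapsed time per exchange, collapsing retransmits (same authenticator) onto the first arrival. Note that the reply packet itself does not carry the Request Authenticator, and a log-side correlator normally has no shared secret, which is why copying the authenticator into a reply VSA, as Alan describes, is the practical route for log files.

```python
"""Pair RADIUS Access-Requests with their replies by Request Authenticator.

Added example for this thread; not FreeRADIUS code. The capture below
(timestamps, NAS address, shared secret, packets) is constructed.
Uses the RFC 2865 rule: Response Authenticator =
MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_request(ident, attrs, authenticator=None):
    """Access-Request with a fresh random 16-byte Request Authenticator."""
    authenticator = authenticator or os.urandom(16)
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body


def response_authenticator(code, ident, length, request_auth, attrs, secret):
    """RFC 2865 section 3 Response Authenticator."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length)
                       + request_auth + attrs + secret).digest()


def build_reply(code, request, attrs, secret):
    """Reply whose Response Authenticator binds it to `request`."""
    ident = request[1]
    body = b"".join(attrs)
    length = 20 + len(body)
    auth = response_authenticator(code, ident, length, request[4:20], body, secret)
    return struct.pack("!BBH", code, ident, length) + auth + body


def correlate(capture, secret):
    """Pair each reply with the outstanding request it answers.

    capture: list of (t_seconds, nas_addr, packet_bytes) in arrival order.
    Returns {request_auth_hex: (reply_name, elapsed_ms)}. Requests that never
    get a reply are omitted; replies matching no request are dropped.
    """
    pending = {}   # (nas, ident) -> list of (first_seen, request_auth)
    result = {}
    for t, nas, pkt in capture:
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code == ACCESS_REQUEST:
            req_auth = pkt[4:20]
            # A retransmit carries the same authenticator: keep the first arrival.
            cands = pending.setdefault((nas, ident), [])
            if not any(a == req_auth for _, a in cands):
                cands.append((t, req_auth))
            continue
        if code not in CODE_NAMES:
            continue
        # Same NAS and Identifier may have several outstanding requests;
        # the Response Authenticator picks out the one this reply answers.
        for t0, req_auth in list(pending.get((nas, ident), [])):
            expected = response_authenticator(code, ident, length, req_auth,
                                              pkt[20:length], secret)
            if expected == pkt[4:20]:
                pending[(nas, ident)].remove((t0, req_auth))
                result[req_auth.hex()] = (CODE_NAMES[code], round((t - t0) * 1000))
                break
    return result


def demo():
    """Constructed capture: one NAS, Identifier 7 reused, one retransmit."""
    secret = b"testing123"          # constructed shared secret
    nas = ("192.0.2.10", 1812)      # constructed NAS address and source port
    r1 = build_request(7, [avp(1, b"alice")])
    r2 = build_request(7, [avp(1, b"bob")])   # same ID, different authenticator
    a1 = build_reply(ACCESS_ACCEPT, r1, [avp(11, b"users")], secret)
    a2 = build_reply(ACCESS_REJECT, r2, [], secret)
    capture = [(0.000, nas, r1), (0.050, nas, r1),   # r1 retransmitted
               (0.100, nas, r2), (0.180, nas, a2), (0.250, nas, a1)]
    return correlate(capture, secret), r1[4:20].hex(), r2[4:20].hex()


if __name__ == "__main__":
    pairs, k1, k2 = demo()
    for key, (name, ms) in pairs.items():
        print(f"{key}  {name:<15} {ms} ms")
```

The keys printed are the hex form of the Request Authenticator, the same value the `update reply` snippet above puts into the reply VSA, so records produced this way and records indexed from the server's logs can be joined on one field.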