Correlating Access-Requests and Replies

Phil Mayers p.mayers at imperial.ac.uk
Thu Apr 21 18:14:36 CEST 2016


On 21/04/16 14:02, Christian Strauf wrote:

> but I don't see anything useful. Do you guys happen to know a
> suitable way of creating such a FreeRADIUS-Correlationa-Id that's
> unique for an Access-Request-...-Access-Accept exchange? I'm not sure
> whether the NAS will also include the attribute in all its later

As others have pointed out, this is tricky in current versions of the 
server.

We have a rather complex set of policy that tries to "emulate" a 
"session" value, and a bunch of log searching scripts that are 
semi-smart in matching these requests together.

Some NAS vendors help you out here, by including attributes that let you 
correlate. For example, Cisco have:

Cisco-AVPair = "audit-session-id=xxx"

...which is a very helpful attribute.

Our (large) unlang policy for request/reply logging looks something like 
this:

https://gist.github.com/philmayers/ae14614c1f13eb2f3fb7d0c253ac7fb7

This is basically a load of unlang that tries to emulate a "session" 
value into the (locally-defined) "Req-Session" variable. It then calls 
the linelog instances "reqlog" and "replog" to log a load of data from 
the request & reply, such as source/nas IP, Req-Session, the 
Req-Auth-Info (which includes the first bytes of the first EAP-Message 
AVP, from which you can extract EAP type and frame length), 
Module-Failure-Message, Reply-Message, and similar.

It also ties the inner and outer together.

The post-processing script is too big to post here and too integrated 
with our systems, but it's basically a two-pass search à la exigrep or 
similar - first search for matches of the search string, extracting the 
Req-Session, then do a 2nd pass, extracting all lines for that Req-Session.

The script then post-processes the lines, extracting EAP IDs, frame 
times, making some intelligent guesses (you can spot the MSCHAP auth in 
a PEAP session from length) and generally prettying it up. It does some 
detection of half-complete EAP exchanges by the absence of the inner.

It's helpful, but the server could make this so, so much easier by 
allocating a "session" to every packet received, either a new one or the 
previous one (keyed by State). Even for PAP requests.

Cheers,
Phil
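The two-pass search Phil describes above, written out as an added example in Python (this is not Phil's script nor anything shipped with FreeRADIUS). The reqlog/replog line format, the field names (`sess`, `leg`, `code`, `fail`) and the sample lines are constructed for the example.

```python
import re

# Constructed sample of what a linelog "reqlog"/"replog" pair might emit:
# one line per packet, tagged with the emulated Req-Session value.
# The format is an assumption for this example, not FreeRADIUS output.
SAMPLE_LOG = """\
reqlog sess=a1 nas=10.0.0.1 user=alice eap=PEAP leg=outer
replog sess=a1 code=Access-Challenge
reqlog sess=a1 nas=10.0.0.1 user=alice eap=MSCHAPv2 leg=inner
replog sess=a1 code=Access-Accept
reqlog sess=b2 nas=10.0.0.2 user=bob eap=PEAP leg=outer
replog sess=b2 code=Access-Challenge
replog sess=b2 code=Access-Reject fail="eap_peap: TLS Alert read:fatal:unknown CA"
""".splitlines()

# key=value pairs; a value is either a double-quoted string or a bare token
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split a log line into its kind (reqlog/replog) and key=value fields."""
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    fields["kind"] = kind
    return fields


def correlate(lines, pattern):
    """Two-pass search in the style of exigrep.
    Pass 1: find lines matching `pattern` and collect their Req-Session ids.
    Pass 2: return every line (request and reply) for those sessions, in
    original order, so the whole exchange can be read end to end."""
    rx = re.compile(pattern)
    sessions = {parse_line(l).get("sess") for l in lines if rx.search(l)}
    out = {s: [] for s in sorted(s for s in sessions if s)}
    for l in lines:
        sess = parse_line(l).get("sess")
        if sess in out:
            out[sess].append(l)
    return out


def half_complete(session_lines):
    """True if the outer EAP leg started but no inner request was ever
    logged: the tunnel never got as far as the inner authentication."""
    legs = {parse_line(l).get("leg") for l in session_lines}
    return "outer" in legs and "inner" not in legs
```

Running `correlate(SAMPLE_LOG, "Access-Reject")` pulls in the challenge and the original request for session b2, not just the reject line, and `half_complete` then flags that session as a tunnel that never reached the inner method.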

