Correlating Access-Requests and Replies
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 21 18:14:36 CEST 2016
On 21/04/16 14:02, Christian Strauf wrote:
> but I don't see anything useful. Do you guys happen to know a
> suitable way of creating such a FreeRADIUS-Correlation-Id that's
> unique for an Access-Request-...-Access-Accept exchange? I'm not sure
> whether the NAS will also include the attribute in all its later
As others have pointed out, this is tricky in current versions of the
server.
We have a rather complex set of policies that tries to "emulate" a
"session" value, and a bunch of log searching scripts that are
semi-smart in matching these requests together.
Some NAS vendors help you out here, by including attributes that let you
correlate. For example, Cisco have:
Cisco-AVPair = "audit-session-id=xxx"
...which is a very helpful attribute.
Our (large) unlang policy for request/reply logging looks something like
this:
https://gist.github.com/philmayers/ae14614c1f13eb2f3fb7d0c253ac7fb7
This is basically a load of unlang that tries to emulate a "session"
value into the (locally-defined) "Req-Session" variable. It then calls
the linelog instances "reqlog" and "replog" to log a load of data from
the request & reply, such as source/nas IP, Req-Session, the
Req-Auth-Info (which includes the first bytes of the first EAP-Message
AVP, from which you can extract EAP type and frame length),
Module-Failure-Message, Reply-Message, and similar.
It also ties the inner and outer together.
The post-processing script is too big to post here and too integrated
with our systems, but it's basically a two-pass search à la exigrep or
similar - first search for matches of the search string, extracting the
Req-Session, then do a 2nd pass, extracting all lines for that Req-Session.
The script then post-processes the lines, extracting EAP IDs, frame
times, making some intelligent guesses (you can spot the MSCHAP auth in
a PEAP session from length) and generally prettying it up. It does some
detection of half-complete EAP exchanges by the absence of the inner.
It's helpful, but the server could make this so, so much easier by
allocating a "session" to every packet received, either a new one or the
previous one (keyed by State). Even for PAP requests.
Cheers,
Phil
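As an added illustration of the two-pass, Req-Session keyed search described in the post (this is not Phil's gist or script), here is a small Python sketch. The linelog line layout and field names, the constructed sample lines, and the "no Accept/Reject means incomplete" check (a simpler stand-in for the missing-inner detection the post mentions) are all assumptions.

```python
import re
from collections import defaultdict
# Constructed sample lines: timestamp, linelog instance, key=value fields (field
# names assumed). S1: EAP exchange rejected; S2: PAP request accepted; S3: unfinished.
SAMPLE_LOG = """\
1461255001 reqlog Req-Session=S1 NAS-IP=10.0.0.1 User-Name=anon@example.org Req-Auth-Info=0201000619
1461255001 replog Req-Session=S1 Code=Access-Challenge
1461255001 reqlog Req-Session=S2 NAS-IP=10.0.0.2 User-Name=bob Req-Auth-Info=-
1461255002 replog Req-Session=S2 Code=Access-Accept
1461255002 reqlog Req-Session=S1 NAS-IP=10.0.0.1 User-Name=anon@example.org Req-Auth-Info=0202000619
1461255003 replog Req-Session=S1 Code=Access-Reject Module-Failure-Message=mschap: MS-CHAP2-Response is incorrect
1461255003 reqlog Req-Session=S3 NAS-IP=10.0.0.1 User-Name=anon@example.org Req-Auth-Info=0203000619
1461255003 replog Req-Session=S3 Code=Access-Challenge
"""
FIELD_RE = re.compile(r"(\S+?)=(.*?)(?= [\w-]+=|$)")  # a value runs up to the next " Key="
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

def correlate(log_text, needle):
    """Pass 1: Req-Session of every line containing `needle`; pass 2: all lines of those sessions."""
    parsed = [(ln, dict(FIELD_RE.findall(ln)).get("Req-Session")) for ln in log_text.splitlines()]
    hits = {sess for ln, sess in parsed if sess and needle in ln}
    by_session = defaultdict(list)
    for ln, sess in parsed:
        if sess in hits:
            by_session[sess].append(ln)
    return dict(by_session)

def decode_eap_head(hexstr):
    """RFC 3748 EAP header from the leading EAP-Message bytes: code, id, length, type."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        return None
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    eap_type = raw[4] if code in (1, 2) and len(raw) > 4 else None  # type byte only on Req/Resp
    return {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "type": EAP_TYPES.get(eap_type, eap_type)}

def summarise(session_lines):
    """One session -> EAP (id, code, type) triples, final reply code, failure messages; no Accept/Reject = incomplete."""
    eap, final, failures = [], None, []
    for ln in session_lines:
        fields = dict(FIELD_RE.findall(ln))
        if fields.get("Req-Auth-Info", "-") != "-":  # "-" marks a non-EAP (e.g. PAP) request
            head = decode_eap_head(fields["Req-Auth-Info"])
            eap.append((head["id"], head["code"], head["type"]))
        if fields.get("Code") in ("Access-Accept", "Access-Reject"):
            final = fields["Code"]
        if "Module-Failure-Message" in fields:
            failures.append(fields["Module-Failure-Message"])
    return {"eap": eap, "final": final or "incomplete", "failures": failures}
```

Searching for the outer identity returns both the rejected S1 exchange and the never-completed S3 one, while the PAP session S2 correlates with no EAP data at all.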