Logging (was: Freeradius-Users Digest, Vol 129, Issue 3)

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Fri Jan 8 15:23:54 CET 2016

>Yes, 'detail' is included in the accounting section.

Ok, that's not going to log then. It will only log when it gets accounting

Look at the 'default' server. In the post-auth section you'll see a
reply_log entry that is commented out by default. If you uncomment this,
it will start logging entries as per the 'reply_log' line log that is
defined in the 'detail.log' module in mods-available. However, note that
this will *not* be a single-line entry (which is what's recommended by the
eduroam operator in the UK).

Look at 
inelog for the current linelog for v2.x. If you're on 3.x, go to
lable/linelog - This will come in handy when doing what the Confluence
page you found says.

>Log file enclosed in ZIP format.

Don't do that. Archives are stripped. A simple freeradius -X output
capture is useful.

>I found this website which may help to enable logging, looks like logging
>functionality is different between 2.1.10 and 2.1.12.

Ahhh... My history comes back to haunt me... ;-)

You may want to set up two of the three line logs defined on that page:
eduroam_log and inner_auth_log. To log to the *log* directory, do *not*
set 'filename' to 'syslog'. Instead set it to whatever you wanted the
filename to be... "${logdir}/linelog" is the default in linelog. Tweak
that appropriately for the inner_auth_log (if you want to log
authentication of your own users separately).

Then, like the page says, call 'eduroam_log' in the post-auth section, or,
better yet, in the post-proxy section of your eduroam server, since
post-proxy gets hit by an incoming reply from a home organisation before
post-auth does (and post-auth also gets hit by your own users after their
authentication reply returns from the inner-tunnel server).

Also, like the page says, call 'inner_auth_log' from the post-auth section
of your inner-tunnel. Stop your server. Start it in debug mode. Then hit
it with an authentication request (for your own user). You should with any
luck get an entry in your inner-tunnel authentication log. Then, if you
have a test subject from another institution, get them to authenticate
through eduroam and see what happens.

Like Alan and others have pointed out, the module files are liberally
commented so that it is easier to understand the operation of the server
(and what the options do). Of course, if you strip out all comments for a
bare-bones configuration, then yes, it becomes distinctly more difficult
(or you spend a lot of time on Github to understand what each file does).


Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet


Networkshop44, University of Manchester. Save the date: 22-24 March, 2016.

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. JiscĀ¹s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
company limited by guarantee which is registered in England under Company
No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
01235 822200.


More information about the Freeradius-Users mailing list