Additional request information in radius.log
Brian Candler
b.candler at pobox.com
Tue Feb 7 09:36:58 CET 2017
On 07/02/2017 01:35, douglas eseng wrote:
> Is it possible to have additional request attributes log into radius.log?
>
> Like the log entries below, other than a request number or ID. Maybe
> also log some of the radius attributes.
>
> Fri Feb 3 08:24:15 2017 : Error: Rejecting request 16044 (proxy Id
> 223) due to lack of any response from home server NAS02 port 1813
>
> Fri Feb 3 08:25:34 2017 : Error: Discarding duplicate request from
> client NAS14 port 1645 - ID: 66 due to unfinished request 16900 in
> component <core> module <queue>.
>
> It would be helpful when tracing through packets capture from tcpdump.

What you can do is turn on detailed request logging: uncomment
"auth_log" from the authorize{} section. The requests are logged in
detail format, like accounting logs, in
/var/log/{freeradius|radiusd}/radacct/<nas-ip>/auth-detail-<YYYYMMDD>.

If you also want to log the auth replies, uncomment "reply_log" from the
post-auth{} section. By default you only get replies to successful
authentications. If you want replies to failures as well, add to the
Post-Auth-Type REJECT section.

For proxying, uncomment pre_proxy_log and post_proxy_log.

However, what version of freeradius are you using? Looking at the
current 3.0.x source I see the first of the messages you showed should
include the username if it's present:

    if (request->username) {
        RERROR("Failing proxied request for user \"%s\", "
               "due to lack of any response from home "
               "server %s port %d",
               request->username->vp_strvalue,
               inet_ntop(request->proxy->dst_ipaddr.af,
                         &request->proxy->dst_ipaddr.ipaddr,
                         buffer, sizeof(buffer)),
               request->proxy->dst_port);
    } else {
        RERROR("Failing proxied request, due to lack of "
               "any response from home server %s port %d",
               inet_ntop(request->proxy->dst_ipaddr.af,
                         &request->proxy->dst_ipaddr.ipaddr,
                         buffer, sizeof(buffer)),
               request->proxy->dst_port);
    }

However the second message does not have additional info:

    static void request_dup(REQUEST *request)
    {
        ERROR("(%u) Ignoring duplicate packet from "
              "client %s port %d - ID: %u due to unfinished request "
              "in component %s module %s",
              request->number, request->client->shortname,
              request->packet->src_port, request->packet->id,
              request->component, request->module);
    }

You could patch it to include the username if you want though.

HTH,
Brian.
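
Added example, not part of the original post or of FreeRADIUS: once auth_log is enabled, a radius.log error can be matched by timestamp to the detail records written just before it, which gives the User-Name and other attributes to search for in a tcpdump capture. The sample detail records and log line are constructed, and the function names and the 30-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamp used by radius.log and detail headers

# Constructed sample of an auth-detail file (all values are made up for illustration).
SAMPLE_DETAIL = """\
Fri Feb  3 08:25:05 2017
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.14
\tCalling-Station-Id = "00-11-22-33-44-55"

Fri Feb  3 08:25:31 2017
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.14
\tCalling-Station-Id = "66-77-88-99-AA-BB"

Fri Feb  3 08:31:10 2017
\tUser-Name = "carol"
\tNAS-IP-Address = 192.0.2.14
"""

# Constructed radius.log line in the format quoted in the question.
SAMPLE_LOG = ("Fri Feb  3 08:25:34 2017 : Error: Discarding duplicate request from "
              "client NAS14 port 1645 - ID: 66 due to unfinished request 16900")


def parse_detail(text):
    """Split a detail file into (timestamp, {attribute: value}) records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        attrs = {}
        for line in lines[1:]:
            name, sep, value = line.strip().partition(" = ")
            if sep:  # a repeated attribute keeps only its last value here
                attrs[name] = value.strip('"')
        records.append((datetime.strptime(lines[0].strip(), TS_FMT), attrs))
    return records


def requests_before(log_line, records, window=30):
    """Return detail records logged up to `window` seconds before the log event."""
    event = datetime.strptime(log_line.split(" : ", 1)[0].strip(), TS_FMT)
    return [(ts, a) for ts, a in records
            if timedelta(0) <= event - ts <= timedelta(seconds=window)]


if __name__ == "__main__":
    for ts, attrs in requests_before(SAMPLE_LOG, parse_detail(SAMPLE_DETAIL)):
        print(ts, attrs.get("User-Name"), attrs.get("Calling-Station-Id"))
```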