Logging EAP-TLS failures

[Arran Cudbard-Bell]

> On 1 Nov 2018, at 15:58, Norman Elton <normelton at gmail.com> wrote:
> 
> I'm using linelog to syslog RADIUS packets. I've found that if I call
> my linelog in my "authorize" section, immediately after referring to
> my EAP module, my linelog has access to all the certificate details.
> Issuer, expiration, etc.
> 
> I'd like to have similar details when the certificate is invalid. If
> the linelog is in the "authorize" section, right after my EAP module,
> its never reached, as the EAP failure causes the whole authorize
> section to fail immediately.
> 
> I've tried putting it in the post-auth section as well, but cannot get
> it positioned such that the certificate details are available.
> 
> I've also tried configuring the EAP and linelog modules in a
> "redundant" section, hoping that the linelog would pick up after the
> EAP failure. No luck there either.
> 
> Am I headed in the right direction? Is there a way to catch the
> certificate details in a linelog module after the certificate has been
> found invalid?

In v3 it looks like the pairs are trashed in the cert validation fails.

This is somewhat fixed in v4 as we allow "callbacks" for cert validation,
and I believe part of that is the previously ascertained validation state
from something like OCSP.

I think we also add all the attributes to the session-state: list and they
likely remain accessible even on failure... But not 100% on that.

The best you could do for v3 is probably examine the stack of error 
messages in %{request:Module-Failure-Message[*]}, and send a patch to add 
the cert CN or  another identifier to add an REDEBUG() call with the cert 
CN that failed and the validation check that failed.

You may find just concating all the Module-Failure-Message attribute 
instances as the code is today, already gives you the information you need.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2