Logging EAP-TLS failures
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Nov 1 21:29:27 CET 2018
> On 1 Nov 2018, at 15:58, Norman Elton <normelton at gmail.com> wrote:
>
> I'm using linelog to syslog RADIUS packets. I've found that if I call
> my linelog in my "authorize" section, immediately after referring to
> my EAP module, my linelog has access to all the certificate details.
> Issuer, expiration, etc.
>
> I'd like to have similar details when the certificate is invalid. If
> the linelog is in the "authorize" section, right after my EAP module,
> its never reached, as the EAP failure causes the whole authorize
> section to fail immediately.
>
> I've tried putting it in the post-auth section as well, but cannot get
> it positioned such that the certificate details are available.
>
> I've also tried configuring the EAP and linelog modules in a
> "redundant" section, hoping that the linelog would pick up after the
> EAP failure. No luck there either.
>
> Am I headed in the right direction? Is there a way to catch the
> certificate details in a linelog module after the certificate has been
> found invalid?
In v3 it looks like the pairs are trashed in the cert validation fails.
This is somewhat fixed in v4 as we allow "callbacks" for cert validation,
and I believe part of that is the previously ascertained validation state
from something like OCSP.
I think we also add all the attributes to the session-state: list and they
likely remain accessible even on failure... But not 100% on that.
The best you could do for v3 is probably examine the stack of error
messages in %{request:Module-Failure-Message[*]}, and send a patch to add
the cert CN or another identifier to add an REDEBUG() call with the cert
CN that failed and the validation check that failed.
You may find just concating all the Module-Failure-Message attribute
instances as the code is today, already gives you the information you need.
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
More information about the Freeradius-Users
mailing list