Re: Using "Tunnel-Private-Group-Id" in linelog
Burger, Wolfgang
wburger at gwdg.de
Wed Oct 23 16:21:39 CEST 2019
Dear Alan,
thank you for your reply and constructive feedback. You're right, I've made a mistake while pasting the outputs together.
Let me try again please.
linelog config:
linelog vlanlog {
        filename = ${logdir}/vlanlog
        permissions = 0600
        format = "This is a log message for %{User-Name}"
        reference = "%{%{Packet-Type}:-format}"
        Access-Request = "%S: %{reply:Packet-Type} AAA-VLAN-Request for %{User-Name} on %{NAS-Identifier} (%{NAS-IP-Address}) at Port %{NAS-Port-Id}. Put to VLAN %{reply:Tunnel-Private-Group-Id}"
        Access-Reject = "Rejected access: %{User-Name}"
        Access-Challenge = "Sent challenge: %{User-Name}"
}
Debug output:
rad_recv: Access-Request packet from host 192.168.1.141 port 1812, id=101, length=320
Framed-MTU = 1466
NAS-IP-Address = 192.168.1.141
NAS-Identifier = "Switch31"
User-Name = "0cc47a96a6af"
Service-Type = Call-Check
Framed-Protocol = PPP
NAS-Port = 41
NAS-Port-Type = Ethernet
NAS-Port-Id = "41"
Called-Station-Id = "00-16-b9-d1-01-d7"
Calling-Station-Id = "0c-c4-7a-96-a6-af"
Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
MS-RAS-Vendor = 11
HP-Capability-Advert = 0x011a0000000b28
HP-Capability-Advert = 0x011a0000000b2e
HP-Capability-Advert = 0x011a0000000b30
HP-Capability-Advert = 0x011a0000000b3d
HP-Capability-Advert = 0x0138
HP-Capability-Advert = 0x013a
HP-Capability-Advert = 0x0140
HP-Capability-Advert = 0x0141
HP-Capability-Advert = 0x0151
server vlan {
# Executing section authorize from file /etc/freeradius/sites-enabled/VLAN
+- entering group authorize {...}
++[preprocess] returns ok
++? if (NAS-Identifier == "switch61" && NAS-Port-Id == "11")
? Evaluating (NAS-Identifier == "switch61" ) -> FALSE
? Skipping (NAS-Port-Id == "11")
++? if (NAS-Identifier == "switch61" && NAS-Port-Id == "11") -> FALSE
++- entering else else {...}
[vlan_by_macaddr] users: Matched entry DEFAULT at line 8465
+++[vlan_by_macaddr] returns ok
++- else else returns ok
[chap] WARNING: Auth-Type already set. Not setting to CHAP
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "0cc47a96a6af", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [0cc47a96a6af] (from client vlan_switch31 port 41 cli 0c-c4-7a-96-a6-af)
# Executing section post-auth from file /etc/freeradius/sites-enabled/VLAN
+- entering group post-auth {...}
[vlanlog] expand: %{Packet-Type} -> Access-Request
[vlanlog] expand: %{%{Packet-Type}:-format} -> Access-Request
[vlanlog] expand: /var/log/freeradius/vlanlog -> /var/log/freeradius/vlanlog
[vlanlog] expand: %S: %{reply:Packet-Type} AAA-VLAN-Request for %{User-Name} on %{NAS-Identifier} (%{NAS-IP-Address}) at Port %{NAS-Port-Id}. Put to VLAN %{reply:Tunnel-Private-Group-Id} -> 2019-10-23 16:17:39: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 (192.168.1.141) at Port 41. Put to VLAN
++[vlanlog] returns ok
} # server vlan
Sending Access-Accept of id 101 to 192.168.1.141 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "\0001"
Finished request 13.
Going to the next request
logfile entry:
2019-10-23 16:17:39: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 (192.168.1.141) at Port 41. Put to VLAN
________________________________
From: Freeradius-Users <freeradius-users-bounces+wburger=gwdg.de at lists.freeradius.org> on behalf of Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, 23 October 2019 16:02:20
To: FreeRadius users mailing list
Subject: Re: Using "Tunnel-Private-Group-Id" in linelog
On Oct 23, 2019, at 9:52 AM, Burger, Wolfgang <wburger at gwdg.de> wrote:
> I'm using FreeRADIUS Version 2.1.12 to dynamically set the VLAN-ID on some switches by client-mac-address.
>
> Works like a charm.
That's good. But you should really use 2.2.10.
> I have to modify the logfiles and would like to use linelog.
>
> This is my linelog config:
OK, that should work.
> And this is a Request and Reply for a VLAN-Request:
> ..
> [vlanlog] expand: %S: %{reply:Packet-Type} AAA-VLAN-Request for %{User-Name} on %{NAS-Identifier} (%{NAS-IP-Address}) at Port %{NAS-Port-Id}. -> 2019-10-23 14:27:54: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 (192.168.1.141) at Port 41.
Which is NOT the linelog configuration you posted above.
> I would like to include the information in "Tunnel-Private-Group-Id" into the linelog.
>
> I've tried to add %{reply:Tunnel-Private-Group-Id} to the linelog config.
The configuration you posted above shows you did that,
> But the result in vlanlog is:
>
> 2019-10-23 15:42:53: Access-Accept AAA-VLAN-Request for 0cc47a96a6af on Switch31 (192.168.1.141) at Port 41. Put to VLAN
<sigh> Post the debug output from when it doesn't work. Why post the other debug out, from when you *didn't* add the VLAN information?
If you want us to help you, you have to post the *relevant* debug output.
> How can I include the information in "Tunnel-Private-Group-Id" of Access-Accept into the linelog logfile?
Configure it and it should work. If it doesn't, post the debug output from WHERE IT DOESN'T WORK.
Alan DeKok.
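Added example (not part of the original post, and not FreeRADIUS code): a small Python check for the vlanlog line format configured above. It parses each line and flags Access-Accept entries whose VLAN field expanded to nothing, as in the logfile entry shown. The function names and the second and third sample lines are constructed for illustration.

```python
import re

# Mirrors the Access-Request format string from the linelog config in the post:
# "%S: <reply type> AAA-VLAN-Request for <user> on <NAS> (<NAS IP>)
#  at Port <port>. Put to VLAN <Tunnel-Private-Group-Id>"
VLANLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<reply>\S+) AAA-VLAN-Request for (?P<user>\S+) "
    r"on (?P<nas>\S+) \((?P<nas_ip>[^)]+)\) "
    r"at Port (?P<port>.+?)\. Put to VLAN ?(?P<vlan>.*)$"
)

def parse_vlanlog_line(line):
    """Return a dict of fields, or None if the line is not in the vlanlog format."""
    m = VLANLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["vlan"] = rec["vlan"].strip()
    return rec

def audit(lines):
    """Sort lines into (ok, missing_vlan, unparsed)."""
    ok, missing, unparsed = [], [], []
    for line in lines:
        rec = parse_vlanlog_line(line)
        if rec is None:
            unparsed.append(line)
        elif rec["reply"] == "Access-Accept" and not rec["vlan"]:
            # Accepted, but the log does not say which VLAN was assigned.
            missing.append(rec)
        else:
            ok.append(rec)
    return ok, missing, unparsed

SAMPLE = [
    # Logfile entry from the post (VLAN field empty).
    "2019-10-23 16:17:39: Access-Accept AAA-VLAN-Request for 0cc47a96a6af "
    "on Switch31 (192.168.1.141) at Port 41. Put to VLAN",
    # Constructed: what a complete entry would look like.
    "2019-10-23 16:18:02: Access-Accept AAA-VLAN-Request for 0cc47a96a6af "
    "on Switch31 (192.168.1.141) at Port 41. Put to VLAN 1",
    # Constructed: a line in the Access-Reject format, not a VLAN entry.
    "Rejected access: 0cc47a96a6af",
]

if __name__ == "__main__":
    ok, missing, unparsed = audit(SAMPLE)
    for rec in missing:
        print("no VLAN logged:", rec["ts"], rec["user"], rec["nas"], rec["port"])
```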