Detailed Logging freeradius Request Packets

Boris Lytochkin lytboris at yandex-team.ru
Sun Oct 27 17:25:39 CET 2019


Hi there!

> > So this message, the Access-Challenge messages are not logged, although
> > the Access-Accept are logged.
> >
> > I should have said I want to log Access-Challenge messages, would be
> > more correct.
>
>   That's a bit harder.  Put this in the "authenticate" section, to
> replace the "eap" line:
>
>     Auth-Type eap {
>         eap {
>             handled = 1
>         }
>         if (handled) {
>             auth_log.post-auth
>         }
>     }
>
>   That should do the trick.
>   Alan DeKok.

I found this thread in 2019 (10 years after that; I hope that I hacked the headers well enough to glue this message to the old thread) to achieve the same goal in a slightly more complex situation.

Original unlang code was:
==========
Auth-Type eap {
    eap
    perl
}
==========
So if you just use the recipe as-is, you would encounter perl being invoked on every single EAP conversation cycle.
To overcome this, one might want to use an upgraded version of the original idea:
==========
     Auth-Type eap {
         eap {
             handled = 9999
         }
         if (handled) {
             auth_log.post-auth
             return
         }
         perl
     }
==========

The increased priority for the handled return code is there just in case we have something **above** eap that could emit OK/NOOP/UPDATED/etc., which have higher priority. The OK returned by auth_log.post-auth would be overridden by the handled priority as well.
Before using this magic, please take a look at doc/configuration/configurable_failover.rst in the FreeRADIUS sources to understand what's going on here; it takes a while for things to settle down. :)

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671


