Some RLM_MODULE_INVALID events are not logged via detail

Boris Lytochkin lytboris at yandex-team.ru
Wed Oct 30 17:47:56 CET 2019


Hi.

We're trying to catch a bug in some vendor's equipment resulting in
"Login incorrect (eap: EAP requires the State attribute to work, but no State exists in the Access-Request packet.)"
error appearing in the log and subsequent Access-Reject sent from RADIUS server (version 3.0.15 with a bit of pull requests still not merged :).

It seems that this configuration does not catch that particular Access-Reject into detail(ed) log:
==================
         detail auth_log {
                 header = "%t (%I)"
                 filename = ${radacctdir}/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-%Y%m%d
                 log_packet_header = yes
                 permissions = 0640
         }

         authenticate {
                 Auth-Type EAP {
                         eap {
                                 handled = 9999
                         }
                         if (handled) {
                                 auth_log.post-auth
                                 # logging is done, return
                                 return
                         }
                         # eap module returned OK so we go a bit further
                         perl
                         # Access-Accept/Reject will be logged by authorize section
                 }
         }

         post-auth {
                 auth_log
                 Post-Auth-Type REJECT {
                         auth_log
                 }
         ...
     }
==================

Am I missing something? I took a quick tour through the code and failed to find a place where radiusd decides to **log**
" Login incorrect (eap_tls: TLS Alert read:fatal:unknown CA):"
into detail and **not to log**
"Login incorrect (eap: EAP requires the State attribute to work, but no State exists in the Access-Request packet.)"

p/s. Playing around with `handled` in Auth-Type EAP has nothing to do with the detailed log, as I saw the same situation before I tweaked that part of the configuration.

pp/s. Is there a way to print the packet identifier as it is sent over the wire into the detailed log? I made a trivial patch for that, seeing that no documented way exists to do that:
===============
--- a/src/modules/rlm_detail/rlm_detail.c
+++ b/src/modules/rlm_detail/rlm_detail.c
@@ -336,6 +336,7 @@ static int detail_write(FILE *out, rlm_detail_t *inst, REQUEST *request, RADIUS_
                 }
  #endif
         }
+       WRITE("\tPacket-Identifier = %d\n", packet->id);
         WRITE("\tTimestamp = %ld\n", (unsigned long) request->timestamp);

         WRITE("\n");
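Review bot: the added WRITE of Packet-Identifier sits outside any conditional, directly before the Timestamp line, so every detail instance would start emitting it and anything that parses existing detail files would see a new line it does not expect. Consider gating it behind an instance option, in the same way the log_packet_header setting in the configuration above is opt-in, and documenting that option in the module's sample configuration. The type of packet->id is not visible in this hunk; the neighbouring Timestamp line casts its argument explicitly for its format specifier, so either confirm that %d matches the field's type or add a cast for consistency.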
===============

-- 
Boris Lytochkin
Yandex NOC
+7 (495) 739 70 00 ext. 7671


