Logging EAP-TLS certificate details
Matthew Newton
mcn at freeradius.org
Wed Mar 24 12:00:47 CET 2021
On 24/03/2021 02:43, Roberto.Franceschetti at ocfl.net wrote:
> Luckily freeradius is the beauty that it is, and we were able to customize it to log what should be logged out-of-the-box.

So the summary is:

- FreeRADIUS is very configurable and lets you do pretty much anything
  you want
- FreeRADIUS ships with a default config which works in a lot of
  situations out of the box
- Whoever is installing FreeRADIUS still has to configure it, and
  understand what they are doing
- You installed it and didn't understand what you were doing, and had a
  wow revelation moment when you realised your configuration was wrong
- You learnt something
- You fixed your config so it worked
- You're blaming the FreeRADIUS devs for not catering for your exact
  situation.

That's hardly fair.

FreeRADIUS will work in a huge number of situations. The default config
works in a lot, but will always need to be configured. We do a lot of
installs with ISPs and broadband setups. They often send critical
Circuit ID information in all sorts of random attributes that needs
logging and I have to configure FreeRADIUS to log it, often for
regulatory auditing purposes.

In the same way that I don't blame the default config for not working
perfectly out of the box in every situation I use it in, I also don't
blame the default config for not logging the exact information that I
wanted it to log.

Instead I look at the incoming requests, think "according to the
requirements, what needs logging here?" and change the config so that it
does what is needed, then test to make sure everything is working as it
should.

--
Matthew