Add client IP address to log messages

Matthew Newton mcn at
Tue Nov 23 14:01:51 CET 2021

On 23/11/2021 12:41, Drew Weaver wrote:
> We have a lot of devices so it would really be useful if FreeRADIUS could log what client the request comes from.

The RADIUS "client" is the NAS - this might not be what you want.

There may be attributes such as Calling-Station-Id which are most 
appropriate, rather than what the "client" is.

> Does anybody know how I can adjust it so that it says something like
>    1.  Login incorrect (pap: Crypt digest does not match "known good" digest): [drew] (from client localhost port 0) from

You can alter it in radiusd.conf - see the log{} section, e.g. 
msg_goodpass and msg_badpass.

> Where is the IP address that sent the RADIUS auth request?

That is the NAS - which is probably not what you want. The NAS is 
already shown ("from client localhost").

But e.g. something like

   msg_badpass = "MAC:%{Calling-Station-ID}"

might be a start. See the debug output for what attributes are available.

> I believe that the information inside of the ( ) is sent from the device itself

No. You can see what comes from the NAS in the RADIUS attributes in the 
debug output - only some of that comes from the end device.

> Any way to speed up the process of remediation is tremendously helpful.

Also take a look at the linelog module, it's a lot more flexible than 
the built-in auth logging.
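
A linelog instance along the lines suggested above, as an added example that is not part of the original message or of the configuration FreeRADIUS ships. It assumes FreeRADIUS 3.x syntax; the instance name `auth_detail`, the file names and the choice of attributes are hypothetical.

```conf
# mods-available/linelog_auth (hypothetical file name), symlinked into mods-enabled/
linelog auth_detail {
	filename = ${logdir}/auth_detail.log
	permissions = 0600

	# Pick the message by the type of reply being sent;
	# fall back to "default" when there is no reply packet type.
	reference = "messages.%{%{reply:Packet-Type}:-default}"

	messages {
		default = "%S type=%{Packet-Type} user=%{User-Name} src=%{Packet-Src-IP-Address}"

		# src   = source address of the RADIUS packet (the NAS, or a proxy in front of it)
		# nas   = what the NAS reports about itself
		# csid  = end-device identifier as reported by the NAS, if it sends one
		Access-Accept = "%S accept user=%{User-Name} src=%{Packet-Src-IP-Address} nas=%{NAS-IP-Address} nas_id=%{NAS-Identifier} csid=%{Calling-Station-Id}"
		Access-Reject = "%S reject user=%{User-Name} src=%{Packet-Src-IP-Address} nas=%{NAS-IP-Address} nas_id=%{NAS-Identifier} csid=%{Calling-Station-Id}"
	}
}

# In the virtual server (e.g. sites-enabled/default), call the instance from
# the existing post-auth section; keep the other entries already there.
post-auth {
	auth_detail

	Post-Auth-Type REJECT {
		auth_detail
	}
}
```

Attributes the NAS does not send expand to an empty string, so compare the format against the debug output before relying on a field.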

