Add client IP address to log messages

Alan DeKok aland at deployingradius.com
Tue Nov 23 14:25:39 CET 2021


On Nov 23, 2021, at 8:08 AM, Drew Weaver <drew.weaver at thenap.com> wrote:
> Since these are VPN servers all I really need to know is the IP address of the VPN server (or NAS) that the auth request originated from.

  Define "request".  For us, it's "RADIUS packet".  If you mean something different, then say so.  It helps very much to be clear in what you're asking.

  What information is in the Access-Request?   Read the debug output and see.

  Do you recognize any of the information?  i.e. IPs, MAC address, etc.?  If so, what does it mean?

  The problem here is that you're not posting the full debug output (or reading it).  You're asking vague questions which we don't know the answer to.

  RADIUS is complex.  We can't figure out *everything* from one line of the log file.  That's why we keep asking for the debug output.  And after 20 years, it's *still* a mystery why people don't post it.

> I am not sure why or even how radiusd could think that the auth request is coming from itself but the requests are not sourced from the radius server to the radius server.

  "localhost" is not just the RADIUS server.

  The RADIUS packets *are* coming from localhost.  The logs you posted show this clearly.  So either you named all clients "localhost" as Matthew suggested, or the packets really do come from localhost.

  Again, without the debug output, it's *impossible* for us to tell.

  And if you *do* read the debug output, I'll bet dollars to donuts that the information you need is there.  "Oh, look!  The IP of the VPN client is in attribute X!  I can just log that"

  It really is that easy.

> The sources are all on different IP addresses.

  There are multiple pieces here.  If you're not clear on what they are, then you won't be able to come up with a solution.

  In short, what's happening is this:

* VPN client connects to VPN server

* VPN server *acts as the RADIUS client*, and sends an Access-Request to the RADIUS server

* This access request contains a bunch of information.  We have NO IDEA what this is.  And unless you read the debug output, you have no idea, either.

* The RADIUS server *should* log ??something?? that it gets from ??somewhere???

  What is that something?  Read the debug output.  All of the information which is available in the Access-Request is printed there.

  If the information you need isn't in the Access-Request, then go poke the VPN server to add it.  No amount of changing FreeRADIUS will make the VPN server magically send the information that FreeRADIUS needs.

  And read the debug output.  Really.
 
  Alan DeKok.
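
The distinction drawn in the message above, between the address a RADIUS packet arrives from and the information carried inside the Access-Request, as an added example that is not part of the original post. It assumes the VPN server sends NAS-IP-Address and Calling-Station-Id (attribute numbers from RFC 2865), which the thread does not confirm; the sample packet, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Attribute type numbers from RFC 2865.
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id", 32: "NAS-Identifier"}
ACCESS_REQUEST = 1


def parse_access_request(packet: bytes) -> dict:
    """Return the attributes of interest from a raw Access-Request."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    found, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        name = ATTRS.get(atype)
        if name == "NAS-IP-Address":
            # Raises a ValueError subclass unless the value is exactly 4 bytes.
            found[name] = str(ipaddress.IPv4Address(value))
        elif name:
            found[name] = value.decode("utf-8", "replace")
        pos += alen
    return found


def log_line(udp_source: str, packet: bytes) -> str:
    """Log both the packet source and what the request says about the NAS."""
    a = parse_access_request(packet)
    return (f"Access-Request user={a.get('User-Name', '?')} packet_src={udp_source} "
            f"nas_ip={a.get('NAS-IP-Address', '?')} "
            f"calling_station={a.get('Calling-Station-Id', '?')}")


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: a request received from 127.0.0.1, using documentation-range addresses.
_body = (_attr(1, b"alice") + _attr(4, ipaddress.IPv4Address("192.0.2.10").packed)
         + _attr(31, b"198.51.100.7"))
SAMPLE = struct.pack("!BBH", ACCESS_REQUEST, 42, 20 + len(_body)) + bytes(16) + _body
```

Calling `log_line("127.0.0.1", SAMPLE)` yields a message whose `packet_src` is localhost while `nas_ip` and `calling_station` come from the attributes, which is the kind of difference the debug output makes visible.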



