Add TLS version to logs with linelog

Matthew Newton mcn at freeradius.org
Wed Apr 17 09:27:03 UTC 2024


On 17/04/2024 09:55, dominic.stalder at unibe.ch wrote:
> I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are a University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients are still using those old TLS versions.

That seems like a good idea.

> I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.

And slow down the server. Good choice not doing that.

> linelog 802.1x_authz_log {
>     filename = ${logdir}/authz.log
>     reference = "sp.%{%{reply:Packet-Type}:-format}"
> 
>     sp {
>        Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
>     }
> }
> 
> The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
> 
> post-auth {
>       update {
>            &reply: += &session-state:
>       }
> 
>       if (EAP-Message) {
>            802.1x_authz_log
>       }
> 
> Is there a way to print out the TLS version in the AuthZ part and if yes, how?

You've got the right attribute, but the wrong list. (Add `debug_all` in 
the config to see what attributes are available in the debug output.)

It's in the reply list (copied from the session-state list in the update 
section preceding your linelog call) so rather than 
`TLS=%{%{TLS-Client-Version}:-NULL}` you need 
`TLS=%{%{reply:TLS-Client-Version}:-NULL}`.

-- 
Matthew
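
With the corrected `%{%{reply:TLS-Client-Version}:-NULL}` expansion in place, the resulting authz.log can be tallied per distinct client to get the rough number asked for. The script below is an added example, not part of the original thread or of FreeRADIUS; the sample lines are constructed, and the version strings "TLS 1.0" / "TLS 1.1" are an assumption to check against what your server actually logs.

```python
import re
from collections import defaultdict

# Matches the Access-Accept format string from the post. TLS and SSID values
# may contain spaces, so each is captured lazily up to the next field name.
LINE_RE = re.compile(
    r"Access-Accept: \[[^\]]*\] TLS=(?P<tls>.*?) SSID=.*? "
    r"Calling-Station-Id=(?P<mac>\S+)"
)

def normalise_mac(mac):
    """Collapse case and separator variants so one device is counted once."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return digits if len(digits) == 12 else mac

def tally_tls(lines):
    """Map each logged TLS value to the set of distinct client MACs seen."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # skip anything that is not an Access-Accept line in this format
            clients[m.group("tls")].add(normalise_mac(m.group("mac")))
    return dict(clients)

def legacy_clients(tally, legacy=("TLS 1.0", "TLS 1.1")):
    """Distinct clients seen with a legacy version (value strings are assumed)."""
    found = set()
    for version in legacy:
        found |= tally.get(version, set())
    return found

def sample_line(user, tls, mac):
    """Build one constructed log line in the post's Access-Accept layout."""
    return (f"Wed Apr 17 09:27:03 2024 : AuthZ: (1) Access-Accept: [{user}] "
            f"TLS={tls} SSID=eduroam Calling-Station-Id={mac} "
            f"Called-Station-Id=00-11-22-33-44-55 Filter-ID=NULL VLAN=100 "
            f"Class=NULL (from client wlc1 port 0 cli {mac})")

# Constructed sample input, not real log data.
SAMPLE = [
    sample_line("alice", "TLS 1.2", "AA-BB-CC-00-11-22"),
    sample_line("alice", "TLS 1.2", "aa:bb:cc:00:11:22"),  # same device
    sample_line("bob", "TLS 1.0", "AA-BB-CC-00-33-44"),
    sample_line("carol", "NULL", "AA-BB-CC-00-55-66"),  # attribute was absent
    "Wed Apr 17 09:27:04 2024 : some unrelated line",
]

if __name__ == "__main__":
    tally = tally_tls(SAMPLE)
    for version, macs in sorted(tally.items()):
        print(f"{version}: {len(macs)} distinct client(s)")
    print("legacy clients:", sorted(legacy_clients(tally)))
```

If every line lands in the `NULL` bucket, the expansion is still not finding the attribute in the list it reads from.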

