Add TLS version to logs with linelog
Matthew Newton
mcn at freeradius.org
Wed Apr 17 09:27:03 UTC 2024
On 17/04/2024 09:55, dominic.stalder at unibe.ch wrote:
> I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions.
That seems like a good idea.
> I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.
And slow down the server. Good choice not doing that.
> linelog 802.1x_authz_log {
> filename = ${logdir}/authz.log
> reference = "sp.%{%{reply:Packet-Type}:-format}"
>
> sp {
> Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
> }
> }
>
> The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
>
> post-auth {
> update {
> &reply: += &session-state:
> }
>
> if (EAP-Message) {
> 802.1x_authz_log
> }
>
> Is there a way to print out the TLS version in the AuthZ part and if yes, how?
You've got the right attribute, but the wrong list. (Add `debug_all` in
the config to see what attributes are available in the debug output.)
It's in the reply list (copied from the session-state list in the update
section preceding your linelog call) so rather than
`TLS=%{%{TLS-Client-Version}:-NULL}` you need
`TLS=%{%{reply:TLS-Client-Version}:-NULL}`.
--
Matthew
More information about the Freeradius-Users
mailing list