Add TLS version to logs with linelog

dominic.stalder at unibe.ch dominic.stalder at unibe.ch
Wed Apr 17 09:37:22 UTC 2024 

Hi Matthew

Thanks a lot for your very quick reply, appreciate it. I found the following in the freeradius -X output:

(10)     update {
(10)       &reply::Framed-MTU += &session-state:Framed-MTU[*] -> 1014
...
(10)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
(10)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'

When I add those attributes to the linelog configuration, I get the correct values for the version and the ciphers:

(10) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format}
(10) 802.1x_authz_log:    --> sp.Access-Accept
(10) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})
(10) 802.1x_authz_log:    --> Wed Apr 17 11:17:43 2024 : AuthZ: (39) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)

BUT know the authentication fails, I was not yet able to understand why this happens now. Any idea; I will go on and compare the two debug outputs (BEFORE and AFTER I add the attributes to linelog)?

Regards
Dominic


Am 17.04.24, 11:27 schrieb "Freeradius-Users im Auftrag von Matthew Newton via Freeradius-Users" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org> im Auftrag von freeradius-users at lists.freeradius.org <mailto:freeradius-users at lists.freeradius.org>>:

On 17/04/2024 09:55, dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch> wrote:
> I am also very new to FreeRadius per se and I am in the middle of a server lifecycle. Our actual production servers run on version 3.0.12 and the new ones have version 3.0.26 installed. As we are an University with a lot of BYOD clients, we still support TLS 1.0 and TLS 1.1 and want to get rid of TLS 1.0 and TLS 1.1 in the near future. To know about the consequences, I would like to get a rough number of how many clients still using those old TLS versions.


That seems like a good idea.


> I know I can enable / increase the debug level in /etc/freeradius/3.0/radiusd.conf to see the TLS version used for all authentications, BUT this will fill up our logging partition pretty quick.


And slow down the server. Good choice not doing that.


> linelog 802.1x_authz_log {
> filename = ${logdir}/authz.log
> reference = "sp.%{%{reply:Packet-Type}:-format}"
>
> sp {
> Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS=%{%{TLS-Client-Version}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"
> }
> }
>
> The post-auth configuration in /etc/freeradius/3.0/sites-available/default looks like this:
>
> post-auth {
> update {
> &reply: += &session-state:
> }
>
> if (EAP-Message) {
> 802.1x_authz_log
> }
>
> Is there a way to print out the TLS version in the AuthZ part and if yes, how?


You've got the right attribute, but the wrong list. (Add `debug_all` in
the config to see what attributes are available in the debug output.)


It's in the reply list (copied from the session-state list in the update
section preceding your linelog call) so rather than
`TLS=%{%{TLS-Client-Version}:-NULL}` you need
`TLS=%{%{reply:TLS-Client-Version}:-NULL}`.


--
Matthew
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>

More information about the Freeradius-Users mailing list