Add TLS version to logs with linelog

Matthew Newton mcn at freeradius.org
Wed Apr 17 11:14:33 UTC 2024


On 17/04/2024 12:06, dominic.stalder at unibe.ch wrote:
>     sp {
>        Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})"

Looks OK at a quick glance.

> And somehow (I really don't know why), it seems to work now:

OK

> (21)       &reply::TLS-Session-Information += &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
> (21)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
> (21)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
> (21)     } # update = noop
> (21)     if (EAP-Message) {
> (21)     if (EAP-Message)  -> TRUE
> (21)     if (EAP-Message)  {
> (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format}
> (21) 802.1x_authz_log:    --> sp.Access-Accept
> (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} SSID=%{%{request:Called-Station-SSID}:-NULL} Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} Filter-ID=%{%{reply:Filter-Id}:-NULL} VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli %{%{request:Calling-Station-Id}:-Unknown})
> (21) 802.1x_authz_log:    --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
> (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log
> (21) 802.1x_authz_log:    --> /var/log/freeradius/authz.log
> (21)       [802.1x_authz_log] = ok
> (21)     } # if (EAP-Message)  = ok

...

> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)

Looks good.


> As written above, I am sorry "that it works", more so that I don't know why it is working now, because in my opinion I did not really change anything from before lunch time...

Won't really know without seeing the failure. Could be anything from 
client state issues to wifi timers to an attribute missing that's there 
this time.

> But do we somehow need to close this "discussion" and mark it as resolved, or how does this work?

This is a mailing list... it's working so all's good!

-- 
Matthew
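An added example, not code from the thread or from FreeRADIUS, that consumes the authz.log lines written by the linelog format quoted above. It parses each field in the order of the format string (values such as "TLS 1.2" contain spaces, so each value is matched up to the literal next key), treats the NULL/Unknown fallbacks from the `%{...:-NULL}` expansions as "attribute was absent", and flags sessions that negotiated a deprecated TLS version or a cipher suite without forward secrecy. The sample lines are constructed (the first reproduces the line from the thread); the version strings, the set of deprecated versions and the forward-secrecy prefix test are my assumptions.

```python
"""Audit the authz.log lines produced by the linelog format from the thread.
Added example; not part of FreeRADIUS or of the original post."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input.  Line 1 is the line shown in the thread; lines 2
# and 3 are made up to exercise a legacy client and the NULL fallback case
# (session-state had no TLS-Session-* attributes, e.g. a non-TLS EAP method).
SAMPLE_LOG = """\
Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder at unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=staff VLAN=1874 Class=staff (from client cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
Wed Apr 17 12:56:02 2024 : AuthZ: (136) Access-Accept: [legacy.printer at example.org] TLS-Version=TLS 1.0 TLS-Ciphers=AES256-SHA SSID=eduroam Calling-Station-Id=00-11-22-33-44-55 Called-Station-Id=3C-51-0E-72-2A-00 Filter-ID=iot VLAN=2000 Class=iot (from client wlc-1 port 1 cli 00-11-22-33-44-55)
Wed Apr 17 12:56:10 2024 : AuthZ: (137) Access-Accept: [md5-device] TLS-Version=NULL TLS-Ciphers=NULL SSID=NULL Calling-Station-Id=AA-BB-CC-DD-EE-FF Called-Station-Id=Unknown Filter-ID=NULL VLAN=NULL Class=NULL (from client switch-1 port 7 cli AA-BB-CC-DD-EE-FF)
"""

# Field order follows the linelog format string in the thread.  Every value is
# matched lazily up to the literal next key because values like "TLS 1.2"
# (and possibly Filter-Id/Class) may contain spaces.
LINE_RE = re.compile(
    r"^(?P<ts>.+?) : AuthZ: \((?P<req>\d+)\) (?P<ptype>[\w-]+): \[(?P<user>.*?)\] "
    r"TLS-Version=(?P<tls_version>.*?) TLS-Ciphers=(?P<cipher>.*?) SSID=(?P<ssid>.*?) "
    r"Calling-Station-Id=(?P<calling>.*?) Called-Station-Id=(?P<called>.*?) "
    r"Filter-ID=(?P<filter_id>.*?) VLAN=(?P<vlan>.*?) Class=(?P<cls>.*?) "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>\S+)\)$"
)

# Assumption: FreeRADIUS writes versions as "TLS 1.2" (as in the thread); the
# choice of which versions count as deprecated is mine.
DEPRECATED_VERSIONS = {"SSLv3", "TLS 1.0", "TLS 1.1"}
# OpenSSL names ephemeral (EC)DH suites with these prefixes; TLS 1.3 suites
# ("TLS_...") are always forward secret.  Anything else (e.g. AES256-SHA)
# uses static RSA key transport.
FORWARD_SECRET_PREFIXES = ("ECDHE-", "DHE-", "TLS_")


@dataclass(frozen=True)
class AuthzRecord:
    timestamp: str
    request_id: int
    packet_type: str
    user: str
    tls_version: str   # "NULL" when session-state had no TLS-Session-Version
    cipher: str        # "NULL" when session-state had no TLS-Session-Cipher-Suite
    ssid: str
    calling_station: str
    called_station: str
    filter_id: str
    vlan: str
    cls: str
    client: str
    port: int


def parse_line(line: str) -> Optional[AuthzRecord]:
    """Parse one authz.log line; return None if it does not match the format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return AuthzRecord(
        timestamp=m["ts"], request_id=int(m["req"]), packet_type=m["ptype"],
        user=m["user"], tls_version=m["tls_version"], cipher=m["cipher"],
        ssid=m["ssid"], calling_station=m["calling"], called_station=m["called"],
        filter_id=m["filter_id"], vlan=m["vlan"], cls=m["cls"],
        client=m["client"], port=int(m["port"]),
    )


def tls_findings(rec: AuthzRecord) -> List[str]:
    """Security findings for one session; empty list means nothing to report."""
    findings: List[str] = []
    if rec.tls_version == "NULL":
        # The :-NULL fallback fired: the attribute was missing from session-state.
        findings.append("no TLS-Session-Version in session-state (non-TLS EAP method, or attribute missing)")
    elif rec.tls_version in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol {rec.tls_version}")
    if rec.cipher != "NULL" and not rec.cipher.startswith(FORWARD_SECRET_PREFIXES):
        findings.append(f"cipher suite {rec.cipher} has no forward secrecy")
    return findings


def audit(log_text: str) -> Tuple[Counter, Dict[int, List[str]]]:
    """Count sessions per TLS version and collect findings keyed by request id."""
    versions: Counter = Counter()
    problems: Dict[int, List[str]] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # unexpected format: skip rather than mis-attribute fields
            continue
        versions[rec.tls_version] += 1
        found = tls_findings(rec)
        if found:
            problems[rec.request_id] = found
    return versions, problems


if __name__ == "__main__":
    counts, problems = audit(SAMPLE_LOG)
    print("sessions per TLS version:", dict(counts))
    for req, found in sorted(problems.items()):
        print(f"request {req}: " + "; ".join(found))
```

Run it against the real file with `audit(open("/var/log/freeradius/authz.log").read())`; the per-version counts give a quick picture of how many clients still negotiate TLS 1.0/1.1 before tightening `tls_min_version` in the EAP module.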



More information about the Freeradius-Users mailing list