Add TLS version to logs with linelog in FreeRADIUS 3.2.4
Alan DeKok
aland at deployingradius.com
Fri Dec 13 15:30:48 UTC 2024
On Dec 13, 2024, at 8:33 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
> As suggested, I added "debug_all" in the post-auth section before anything else:
>
> post-auth {
>     debug_all
>
>     if (Service-Type == Call-Check) {
>         MAC_auth_log
>     } else {
>         802.1x_auth_log
>     }
Which shows there's no attribute session-state for packet 362, or for many earlier ones.
If you look at the last few lines of the debug output, and see "no TLS-Session-Version", then the suspicion is that the TLS-Session-Version attribute is having issues. If, however, there's nothing in session-state, then the problem is elsewhere.
That's why we always need (and read) the full debug log.
...
(359) session-state: Saving cached attributes
(359) Framed-MTU = 1014
And then in packet 360 and after:
(360) WLAN-AKM-Suite = 1027075
(360) session-state: No cached attributes
The State attribute in the Access-Challenge reply (packet 359) is the same as in the Access-Request (packet 360). So I'm not sure why it's not finding the saved attributes.
I think the issue is that you're proxying to an internal virtual server, and somehow the session-state isn't saved / restored correctly.
For now, don't do internal proxying, and it should work. I'll see if I can find time to track this down.
Alan DeKok.
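
The check described in the message above, as an added example (not part of the original post and not FreeRADIUS code): a Python scan of debug output that matches the State sent in a challenge against the State in the following request and reports requests that found no cached session-state. The sample log is constructed; the "Received"/"Sent" header lines and State values are assumptions about the shape of `radiusd -X` output, and only the two session-state messages are taken from the quoted log.

```python
import re

# Constructed sample shaped like `radiusd -X` output; State values are made up.
SAMPLE_DEBUG = """\
(359) Received Access-Request Id 12 from 192.0.2.10:40000 to 192.0.2.1:1812 length 300
(359)   State = 0xaaaa0001
(359) session-state: Saving cached attributes
(359)   Framed-MTU = 1014
(359) Sent Access-Challenge Id 12 from 192.0.2.1:1812 to 192.0.2.10:40000 length 90
(359)   State = 0xaaaa0002
(360) Received Access-Request Id 13 from 192.0.2.10:40000 to 192.0.2.1:1812 length 310
(360)   State = 0xaaaa0002
(360)   WLAN-AKM-Suite = 1027075
(360) session-state: No cached attributes
(361) Received Access-Request Id 14 from 192.0.2.11:40001 to 192.0.2.1:1812 length 280
(361)   State = 0xbbbb0009
(361) session-state: No cached attributes
"""

PKT = re.compile(r"^\((\d+)\)\s+(.*)$")

def find_lost_session_state(debug_text):
    """Return (saved_in, missing_in, state) for each request whose State was
    issued by a packet that saved session-state, yet found nothing cached."""
    issued = {}      # State sent in a reply -> packet number that saved attributes
    saved = set()    # packets that logged "Saving cached attributes"
    direction = {}   # packet -> "Received" or "Sent" (section currently printed)
    req_state = {}   # packet -> State seen in the incoming request
    lost = []
    for line in debug_text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        pkt, rest = int(m.group(1)), m.group(2).strip()
        if rest.startswith(("Received ", "Sent ")):
            direction[pkt] = rest.split()[0]
        elif rest.startswith("State = "):
            value = rest.split(" = ", 1)[1]
            if direction.get(pkt) == "Sent" and pkt in saved:
                issued[value] = pkt
            elif direction.get(pkt) == "Received":
                req_state[pkt] = value
        elif rest == "session-state: Saving cached attributes":
            saved.add(pkt)
        elif rest == "session-state: No cached attributes":
            origin = issued.get(req_state.get(pkt))
            if origin is not None:  # State matches a packet that did save
                lost.append((origin, pkt, req_state[pkt]))
    return lost
```

Packet 361 is not reported because its State was not issued by any packet in the sample that saved attributes, so there is nothing to show that a save was lost.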