Add TLS version to logs with linelog in FreeRADIUS 3.2.4

Wed Jul 3 12:10:05 UTC 2024

Hi Alan

Sorry for asking, but have you been able to have a look at the session-state attributes (session-state:TLS-Session-Version and session-state:TLS-Session-Cipher-Suite) in FreeRADIUS version 3.2.x?

Thanks and best regards
Dominic

Am 14.06.24, 13:34 schrieb "Stalder, Dominic (ID)" <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>>:

Hi Alan

> It should work, I'll go look at that.
Thanks, would appreciate any help on this __

> It should be session-state.
I thought the same and tried to find the information in the RADIUS answer in the debug output (freeradius -X). But I do not have the debug output for version 3.0.26 anymore, so I am not able to compare the debug outputs.

> If you want to see what is in each list, you can read raddb/policy.d/debug. That file has various policies which you can add to the virtual server. They will print out the contents of the various lists.
Thanks for this hint, tried to find some attribute lists online.

> It should be possible to send text email, and enough logs to show the issue. Your post was larger than 1M, which means there was about 10,000 lines of text in it. There's just no need to send that much.
Will be more "careful" the next time with the length of the "full debug output".

Regards
Dominic

Am 14.06.24, 13:31 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org> <mailto:unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org>> im Auftrag von aland at deployingradius.com <mailto:aland at deployingradius.com> <mailto:aland at deployingradius.com <mailto:aland at deployingradius.com>>>:

On Jun 14, 2024, at 7:24 AM, <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch> <mailto:dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>>> <dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch> <mailto:dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch>>> wrote:
>> Why are you using "session-state" in one place, and "eap_peap" in another? If the reference in session-state works, just use that.
> The use of "session-state" was working in FreeRADIUS 3.0.26, but does not anymore in 3.2.4, that's why I am asking.

It should work, I'll go look at that.

>> Use the correct reference.
> That's why I am asking, because I do not know the correct reference.

It should be session-state.

If you want to see what is in each list, you can read raddb/policy.d/debug. That file has various policies which you can add to the virtual server. They will print out the contents of the various lists.

i.e.

....
eap
debug_control
debug_request
debug_session_state
...

You can then read the debug output to see exactly what's in each list.

>> Which doesn't actually include the server receiving any packets...
> Also true, because my email was bigger than 500 KB and was rejected by the email list admins...

It should be possible to send text email, and enough logs to show the issue. Your post was larger than 1M, which means there was about 10,000 lines of text in it. There's just no need to send that much.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html> <http://www.freeradius.org/list/users.html;>