Is there a way to log EAP NAK reason with linelog?

Rahman DURAN rahman.duran at erzurum.edu.tr
Fri Jul 12 06:30:12 UTC 2024


Hi Allan,

Thanks for the hint. I added the "EAP-Message" field to the linelog template
and started logging. What I see is that, for most of the users, the
"%{Module-Failure-Message}" attribute tells me what is going wrong when
eap-type is NAK. For example:
- eap.etu: rlm_eap (eap.etu): No EAP session matching state 0x30004a5b31035f45
- or, eap.etu: No mutually acceptable types found

This is all good, but for some clients, eap type is NAK but inner or outer
"%{Module-Failure-Message}" does not log anything.

Here is an example log for empty "%{Module-Failure-Message}":

freeradius-etu-freeradius-etu-co  Rejected User: [xxxx at erzurum.edu.tr]
inner_username: [] event_timestamp: [2024-07-12-06.26.40.708160]
calling_station_id: [xxx] called_station_id: [xxx:eduroam] ssid: [eduroam]
srcip: [172.xxx] nas_name: [xxxx] client_location: [] failure_msg: []
inner_failure_msg: [] etu_service: [etu_service_eduroam_local] auth_type:
[eap.etu] eap_type: [NAK] tls_version: [] eap_message: [0x020300060300]

I tried to find an online EAP message decoder but failed to find one. Does
"0x020300060300" with EAP type NAK give any hints?

Thanks for your help.

Rahman Duran



On Thu, 11 Jul 2024 at 19:21, Alan DeKok <aland at deployingradius.com>
wrote:

> On Jul 11, 2024, at 6:36 AM, Rahman DURAN via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > I only support EAP-PEAP and EAP-TTLS for EAP types. Is there a way to log
> > the reason for EAP NAK while using "linelog"? For now, "%{EAP-Type}"
> > attribute prints "NAK" but could not find any additional attribute for the
> > NAK reason? If there is no default attribute, I can set a custom one with
> > "unlang" somewhere, so I can use it in "linelog" template?
>
>   If the client sends NAK,  my $0.02 is to just log the EAP-Message from
> the request.  The trailing bytes of EAP-Message are the various EAP types
> that the client is trying to use.
>
>   Actually decoding the NAK values will be a bit more work.
>
>   Alan DeKok.
>
>
>
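
The following decoder is an added example, not part of the original thread and not FreeRADIUS code. It parses a logged EAP-Message hex string as a legacy Nak using the packet layout from RFC 3748 section 5.3.1; the function name `decode_eap_nak` and the partial type-name table are assumptions made for illustration.

```python
import struct

# Partial name table from the IANA EAP Method Types registry.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 17: "LEAP", 18: "EAP-SIM",
             21: "EAP-TTLS", 23: "EAP-AKA", 25: "PEAP", 26: "EAP-MSCHAPv2",
             43: "EAP-FAST", 52: "EAP-pwd", 55: "TEAP", 254: "Expanded"}
EAP_RESPONSE = 2
LEGACY_NAK = 3


def decode_eap_nak(hex_msg):
    """Decode a legacy EAP Nak (RFC 3748, section 5.3.1) from a hex string."""
    text = hex_msg.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short to carry an EAP type octet")
    # Header: Code (1), Identifier (1), Length (2, network order), then Type (1).
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 5 or length > len(raw):
        raise ValueError(f"bad EAP length {length} for {len(raw)} bytes")
    if code != EAP_RESPONSE or raw[4] != LEGACY_NAK:
        raise ValueError("not a legacy Nak response")
    # Type-Data: one octet per method the peer would accept; 0 means none.
    wanted = [t for t in raw[5:length] if t != 0]
    return {
        "identifier": ident,
        "length": length,
        "proposed": [EAP_TYPES.get(t, f"unknown({t})") for t in wanted],
        "no_alternative": not wanted,
    }


if __name__ == "__main__":
    # First value is the eap_message from the log above; the second is a
    # constructed Nak proposing PEAP (25) and EAP-TLS (13).
    for sample in ("0x020300060300", "0x0205000703190d"):
        print(sample, decode_eap_nak(sample))
```

For the logged value the bytes are Code 2 (Response), Identifier 3, Length 6, Type 3 (Nak) and a single Type-Data octet of 0, which RFC 3748 defines as the peer proposing no alternative method.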

