Add TLS version to logs with linelog in FreeRADIUS 3.2.4

dominic.stalder at unibe.ch dominic.stalder at unibe.ch
Fri Jun 14 11:24:41 UTC 2024


Hi Alan

> Why are you using "session-state" in one place, and "eap_peap" in another? If the reference in session-state works, just use that.
The use of "session-state" was working in FreeRADIUS 3.0.26, but does not anymore in 3.2.4, that's why I am asking.

> Use the correct reference.
That's why I am asking, because I do not know the correct reference.

> Which doesn't actually include the server receiving any packets...
Also true, because my email was bigger than 500 KB and was rejected by the email list admins...

Regards
Dominic

On 14.06.24, 13:21, "Freeradius-Users on behalf of Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org on behalf of aland at deployingradius.com> wrote:


On Jun 14, 2024, at 7:10 AM, dominic.stalder at unibe.ch wrote:
> When I start the debugging (see full output below), I can see the following attributes, which I could use / log now:
>
> (10) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
> (10) eap_peap: TLS-Session-Version = "TLS 1.2"
>
> When I try to “access” them in the linelog configuration like this…


The "eap_peap" text is just debugging information that tells you which module is being run. It's not part of the attribute name.


> sp {
> Access-Accept = "%t : AuthZ: (%I) Access-Accept: [%{%{reply:User-Name}:-%{User-Name}}] TLS-Test=%{%{eap_peap:TLS-Session-Version}:-NULL}


You can't use "%{eap_peap:TLS-Session-Version}". No documentation says that it will work.


> TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL}


Why are you using "session-state" in one place, and "eap_peap" in another? If the reference in session-state works, just use that.


> Any hint, how I can “access” those two attributes in FreeRADIUS 3.2.4 correctly?


Use the correct reference.


> Full debug output:


Which doesn't actually include the server receiving any packets...


It helps to read documentation.


Alan DeKok.

