logging auth failures with inner identity
James Potter
Jim.Potter at jisc.ac.uk
Tue Nov 12 09:05:25 UTC 2024
Hi list,
I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails.
* I can capture auth requests coming in (in authorize section of outer site)
* I can capture auth successes and failures (in outer site:post-auth)
* I can capture successful auths in the EAP:TLS inner site
But when an EAP-TLS auth fails (e.g. on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt?
Thanks,
Jim Potter
Jisc
Config snippets FWIW:
# Outer virtual server: sees every RADIUS packet of the EAP conversation
server home {
    authorize {
        log_auth_req          # logs each incoming Access-Request
        eap
    }
    post-auth {
        log_auth_accept       # runs for Access-Accept
        Post-Auth-Type REJECT {
            log_auth_reject   # runs for Access-Reject
        }
    }
}

# EAP module: hand TLS client-certificate checks to the inner server
eap {
    tls {
        virtual_server = eap-inner
    }
}

# Inner virtual server for EAP-TLS; only reached once the certificate
# has been presented and verified
server eap-inner {
    authorize {
        log_inner
    }
    authenticate {
        log_inner
    }
    post-auth {
        log_inner
        Post-Auth-Type REJECT {
            log_inner
        }
    }
}
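One way to get the certificate identity into the reject log, added here as an example and not part of the post above. It assumes a FreeRADIUS 3.x server, where the TLS verify callback copies client-certificate fields into the outer request list as TLS-Client-Cert-* attributes (names from the 3.x internal dictionary) before it reports the verification result, so they can be read in the outer post-auth REJECT section even though the inner virtual server never runs; the file name, the log format and the use of Tmp-String-0 as a scratch attribute are choices made for this example.

```unlang
# Added example (not from the post). Confirm with "radiusd -X" that the
# TLS-Client-Cert-* attributes are present on a failing request in your
# version before relying on this; their presence on reject is the
# assumption this snippet rests on.

linelog log_auth_reject {
    filename = ${logdir}/auth-reject.log
    permissions = 0600
    # Tmp-String-0 carries the best identity recovered below.
    format = "REJECT src=%{Packet-Src-IP-Address} nas=%{NAS-Identifier} outer=%{User-Name} inner=%{Tmp-String-0} serial=%{TLS-Client-Cert-Serial} expires=%{TLS-Client-Cert-Expiration} reason=%{Module-Failure-Message}"
}

server home {
    authorize {
        eap
    }
    post-auth {
        Post-Auth-Type REJECT {
            # Prefer the SAN UPN, then the CN, then a marker value. The
            # attributes are absent when the handshake aborts before the
            # client certificate itself is examined (for example an
            # untrusted chain rejected at issuer depth) or when the
            # request never reached the TLS handshake at all.
            if (&TLS-Client-Cert-Subject-Alt-Name-Upn) {
                update request {
                    &Tmp-String-0 := "%{TLS-Client-Cert-Subject-Alt-Name-Upn}"
                }
            }
            elsif (&TLS-Client-Cert-Common-Name) {
                update request {
                    &Tmp-String-0 := "%{TLS-Client-Cert-Common-Name}"
                }
            }
            else {
                update request {
                    &Tmp-String-0 := "no-client-cert"
                }
            }
            log_auth_reject
        }
    }
}
```

The Module-Failure-Message field records the OpenSSL verify error that caused the reject (expired, revoked, unknown issuer), which is what a SOC would want to correlate with the certificate serial.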