logging auth failures with inner identity

Matthew Newton mcn at freeradius.org
Tue Nov 12 10:44:35 UTC 2024



On 12/11/2024 09:05, James Potter via Freeradius-Users wrote:
> I'm working on setting up FreeRad logging and I'm stuck on how to capture the EAP inner identity when an authentication fails.
> 
>    *   I can capture auth requests coming in (in authorize section of outer site)
>    *   I can capture auth successes and failures (in outer site:post-auth)
>    *   I can capture successful auths in the EAP:TLS inner site
> 
> But - when an EAP-TLS auth fails (eg on cert expired, not trusted, revoked) then it appears that the inner site is not called at all. I've put relevant log lines in TLS-inner:post-auth (and authenticate and authorize) but it appears that none of these are called. Any idea how I can access the inner username (in the case of TLS I'm after the SAN UPN of the client certificate) in a failed auth attempt?

You're right, the inner virtual server is not called for EAP-TLS, there is no inner tunnel.

There are examples of attributes you can log in the default post-auth section.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.2.x/raddb/sites-available/default#L932-L957

You could also add "debug_all" to the outer post-auth and run the server in debug mode. You should see all attributes that are available.

-- 
Matthew
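One way to put the advice above into practice, as an added example that is not from the original thread or from the FreeRADIUS project: a linelog instance (the instance name `tls_reject_log` and the log file path are assumptions) called from the `Post-Auth-Type REJECT` block of the outer server, so that a failed EAP-TLS handshake is recorded together with the certificate fields the TLS verify step managed to populate. Which `TLS-Client-Cert-*` attributes are present on a given failure depends on how far verification got before the reject, which is exactly what running with `debug_all` in debug mode will show you.

```unlang
# mods-available/tls_reject_log  (hypothetical module instance, not shipped
# with FreeRADIUS; symlink it into mods-enabled/)
linelog tls_reject_log {
    filename = ${logdir}/eap-tls-rejects.log   # assumed path
    permissions = 0600

    # Every %{...} below is expanded at reject time in the OUTER request.
    # The :-none default keeps the line parseable when the certificate
    # was never parsed (e.g. the handshake died before the client cert).
    format = "%T reject outer=%{%{User-Name}:-none} upn=%{%{TLS-Client-Cert-Subject-Alt-Name-Upn}:-none} cn=%{%{TLS-Client-Cert-Common-Name}:-none} serial=%{%{TLS-Client-Cert-Serial}:-none} expires=%{%{TLS-Client-Cert-Expiration}:-none} issuer=%{%{TLS-Client-Cert-Issuer}:-none} nas=%{%{NAS-IP-Address}:-none} mac=%{%{Calling-Station-Id}:-none} reason=%{%{Module-Failure-Message}:-none}"
}

# sites-available/default, outer server: extend the existing REJECT block
post-auth {
    # ... existing success-path entries stay as they are ...

    Post-Auth-Type REJECT {
        # Log before attr_filter strips the reply; the request list still
        # carries the TLS-Client-Cert-* attributes set during verification.
        tls_reject_log

        # While tuning the format, uncomment this and run `radiusd -X`
        # to see every attribute actually available on the failed request.
        # debug_all

        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
}
```

A successful EAP-TLS exchange never enters the REJECT block, so this file only ever contains failures; log the success path separately in the main `post-auth` section if you want both in one place.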

