Add TLS version to logs with linelog in FreeRADIUS 3.2.4

Dominic Stalder dominic.stalder at bluewin.ch
Fri Nov 15 17:17:13 UTC 2024 

Hi Alan

> If you're logging this in the "authorize" phase, then it generally won't work.  The TLS variables are defined after that.
> Instead, log things in the "post-auth" phase.  You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then.

OK thanks, going to change that asap and pretty sure, it will work (again) after.

But let me add, this logging configuration did not change on our side from 3.2.{someting} to 3.2.4 to 3.2.6 now. That’s why I am little confused, but happy to have a solution in the end.

Regards

> Am 15.11.2024 um 15:37 schrieb Alan DeKok <aland at deployingradius.com>:
> 
> On Nov 15, 2024, at 9:27 AM, Dominic Stalder <dominic.stalder at bluewin.ch> wrote:
>> You do not have to guess / suspect, I am pretty sure it is on our side, but it is hard do find this needle in a haystack in this kind of big setup. Strangely it was only related to this explicit thread "Add TLS version to logs with linelog in FreeRADIUS 3.2.4".
> 
>  OK.
> 
>> (188) eap_peap: (TLS) PEAP - Connection Established
>> (188) eap_peap:   TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384"
>> (188) eap_peap:   TLS-Session-Version = "TLS 1.2"
>> 
>> Why the f**k did I miss this in version 3.2.4? Or was it maybe "reintroduced" in 3.2.6 since I upgraded to this version lately; is is this another “SSL thing” patched by Nick?]
> 
>  "git annotate" state the TLS-Session-Version code was added in August 2018.
> 
>> - More debugging for SSL ciphers. Patch from Nick Porter.
>> 
>> Nonetheless, I am going to figure out how adjust my linelog module configuration to get it back into the logs, because at the moment I still see NULL (example):
> 
>  It's not a matter of "adjusting" things.  It's figuring out where in the call flow the attribute is defined, and then accessing it after that.
> 
>> linelog 802.1x_authz_log {
> 
>  If you're logging this in the "authorize" phase, then it generally won't work.  The TLS variables are defined after that.
> 
>  Instead, log things in the "post-auth" phase.  You're guaranteed that the TLS variables are in the session-state, as everything TLS has finished by then.
> 
>  Alan DeKok.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list