Add TLS version to logs with linelog in FreeRADIUS 3.2.4

Thu Sep 26 15:06:19 UTC 2024

Hi,

Ok, you made me try it on a clean config 😉 because I know I use this with success.

And… it works for me (used v3.2.x branch); the %{reply:TLS-Session-Version} works if I put the linelog after this section in post-auth:
        update {
                &reply: += &session-state:
        }

But if I put linelog at the start of post-auth, just adding the TLS-Version with the session-state also works:
Access-Accept = "Accepted user: %{User-Name} TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL}"

So, back to your original question I guess there’s nothing wrong with %{session-state:…}?

Paul

From: dominic.stalder at unibe.ch <dominic.stalder at unibe.ch>
Date: Thursday, 26 September 2024 at 15:26
To: Paul Dekkers <paul.dekkers at surf.nl>
Cc: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: Add TLS version to logs with linelog in FreeRADIUS 3.2.4
Hi Paul

Thanks for your response, but even when I replace the configuration in /etc/freeradius/mods-enabled/linelog with TLS-Version=%{%{reply:TLS-Session-Version}:-NULL}, it does log NULL for TLS Version and TLS Cipher-Suite.

Regards
Dominic

Von: Paul Dekkers <paul.dekkers at surf.nl>
Datum: Donnerstag, 26. September 2024 um 13:36
An: "Stalder, Dominic (ID)" <dominic.stalder at unibe.ch>
Cc: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Betreff: Re: Add TLS version to logs with linelog in FreeRADIUS 3.2.4

You don't often get email from paul.dekkers at surf.nl. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
Hi Dominic,

Not sure if it helps, or if I make a mistake in my thinking, but I’m logging the TLS version with %{reply:TLS-Session-Version} in a linelog, with I believe a reasonably unmodified default configuration otherwise.

Regards,
Paul

From: Freeradius-Users <freeradius-users-bounces+paul.dekkers=surf.nl at lists.freeradius.org> on behalf of dominic.stalder at unibe.ch <dominic.stalder at unibe.ch>
Date: Wednesday, 3 July 2024 at 15:37
To: freeradius-users at lists.freeradius.org <freeradius-users at lists.freeradius.org>
Subject: Re: Add TLS version to logs with linelog in FreeRADIUS 3.2.4
Hi Alan

Thanks a lot!

Regards
Dominic

Am 03.07.24, 15:17 schrieb "Freeradius-Users im Auftrag von Alan DeKok" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org <mailto:unibe.ch at lists.freeradius.org> im Auftrag von aland at deployingradius.com <mailto:aland at deployingradius.com>>:

On Jul 3, 2024, at 8:10 AM, dominic.stalder at unibe.ch <mailto:dominic.stalder at unibe.ch> wrote:
> Sorry for asking, but have you been able to have a look at the session-state attributes (session-state:TLS-Session-Version and session-state:TLS-Session-Cipher-Suite) in FreeRADIUS version 3.2.x?

Some from the team should have time to look at this late next week.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html <http://www.freeradius.org/list/users.html>

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html