2012/6/6 Matthew Newton <m...@leicester.ac.uk>:
> On Wed, Jun 06, 2012 at 03:56:54PM -0300, Sergio Belkin wrote:
>> Good idea, I've tried appending %{EAP-Type) that to detail.log but
>> sending nothing
>> eg:
>>
>> auth-detail-AP-XXX-DEFAULT--20120606
>>
>> Between "-" and "-" is nothing (Neither TTLS nor PEAP appears)
>
> You've not really explained what you've done.
>
> However, I *guess* that you have added %{EAP-Type} to the filename
> (detailfile) in the detail config.

Yes, you guess well.

> Look, though, where detail is getting called, and where eap is
> called, in the authorize section. It goes in order. The eap module
> sets EAP-Type, detail is called before.
>
> So you need to call the log after eap. But the gotcha is that eap
> will short circuit the return in the challenges, so you won't call
> the detail module if you put it after eap.

Nice to know it :)

> I'd suggest you let all the incoming logs go to a single location
> where they are, then you add a new detail (or linelog) module to
> post-auth. That can use %{EAP-Type}, as it's *after* EAP has
> happened.

I've tested it and it works, nice! But please keep on reading:

> Alternatively, you can use my other suggestion anywhere you like.
> If you pick data out of EAP-Message yourself, you get to do what
> you want with it (and keep the shards when it shatters).
>
> Totally untested unlang.
>
> if (%{EAP-Message} =~ /^0x........19/) {
>     detail_log_peap
> }
> elsif (%{EAP-Message} =~ /^0x........15/) {
>     detail_log_ttls
> }
> else {
>     detail_log_other
> }
>
> Note that things *will* hit detail_log_other. EAP Identity, for
> instance, before the eap type has been agreed. If you do this in
> the inner server, be prepared for unexpectedness. In short,
> understand EAP first.

Good, but it sounds somewhat complex :)

> I just chuck the raw data out with detail and leave it be. The
> useful stuff is pristinely formatted with gentle loving care by
> the linelog module, where it sits in a nice greppable format for
> me. One log entry, in post-auth, after the useful stuff happened.
> Any more detail needed? Just go to the dirty detail log and dig it
> out. Happens so rarely it wouldn't matter if it was in binary
> format and had to be read with a hex editor in Windows...

Wow, linelog seems interesting. I've tried it, but it is only logging Access-Request, why?
I add my debug output (I plan to get rid of the inner-tunnel-peap file):

FreeRADIUS Version 2.1.12, for host x86_64-unknown-linux-gnu, built on Jan 3 2012 at 16:18:16
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/raddb-testing/radiusd.conf
including configuration file /etc/raddb-testing/proxy.conf
including configuration file /etc/raddb-testing/clients.conf
including files in directory /etc/raddb-testing/modules/
including configuration file /etc/raddb-testing/modules/chap
including configuration file /etc/raddb-testing/modules/mschap
including configuration file /etc/raddb-testing/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb-testing/modules/exec
including configuration file /etc/raddb-testing/modules/realm
including configuration file /etc/raddb-testing/modules/checkval
including configuration file /etc/raddb-testing/modules/rediswho
including configuration file /etc/raddb-testing/modules/passwd
including configuration file /etc/raddb-testing/modules/attr_filter
including configuration file /etc/raddb-testing/modules/linelog
including configuration file /etc/raddb-testing/modules/wimax
including configuration file /etc/raddb-testing/modules/pam
including configuration file /etc/raddb-testing/modules/inner-eap
including configuration file /etc/raddb-testing/modules/echo
including configuration file /etc/raddb-testing/modules/soh
including configuration file /etc/raddb-testing/modules/replicate
including configuration file /etc/raddb-testing/modules/acct_unique
including configuration file /etc/raddb-testing/modules/etc_group
including configuration file /etc/raddb-testing/modules/pap
including configuration file /etc/raddb-testing/modules/expr
including configuration file /etc/raddb-testing/modules/smbpasswd
including configuration file /etc/raddb-testing/modules/attr_rewrite
including configuration file /etc/raddb-testing/modules/radutmp
including configuration file /etc/raddb-testing/modules/mac2ip
including configuration file /etc/raddb-testing/modules/logintime
including configuration file /etc/raddb-testing/modules/sql_log
including configuration file /etc/raddb-testing/modules/smsotp
including configuration file /etc/raddb-testing/modules/preprocess
including configuration file /etc/raddb-testing/modules/policy
including configuration file /etc/raddb-testing/modules/cui
including configuration file /etc/raddb-testing/modules/perl
including configuration file /etc/raddb-testing/modules/digest
including configuration file /etc/raddb-testing/modules/mac2vlan
including configuration file /etc/raddb-testing/modules/otp
including configuration file /etc/raddb-testing/modules/files
including configuration file /etc/raddb-testing/modules/always
including configuration file /etc/raddb-testing/modules/ntlm_auth
including configuration file /etc/raddb-testing/modules/detail
including configuration file /etc/raddb-testing/modules/krb5
including configuration file /etc/raddb-testing/modules/sradutmp
including configuration file /etc/raddb-testing/modules/opendirectory
including configuration file /etc/raddb-testing/modules/counter
including configuration file /etc/raddb-testing/modules/detail.example.com
including configuration file /etc/raddb-testing/modules/ippool
including configuration file /etc/raddb-testing/modules/expiration
including configuration file /etc/raddb-testing/modules/dynamic_clients
including configuration file /etc/raddb-testing/modules/detail.log
including configuration file /etc/raddb-testing/modules/redis
including configuration file /etc/raddb-testing/modules/ldap
including configuration file /etc/raddb-testing/modules/unix
including configuration file /etc/raddb-testing/eap.conf
including configuration file /etc/raddb-testing/policy.conf
including files in directory /etc/raddb-testing/sites-enabled/
including configuration file /etc/raddb-testing/sites-enabled/status
including configuration file /etc/raddb-testing/sites-enabled/control-socket
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel
including configuration file /etc/raddb-testing/sites-enabled/default
including configuration file /etc/raddb-testing/sites-enabled/inner-tunnel-peap
main {
	user = "radiusd"
	group = "radiusd"
	allow_core_dumps = no
}
including dictionary file /etc/raddb-testing/dictionary
main {
	name = "radiusd"
	prefix = "/usr/local-test"
	localstatedir = "/usr/local-test/var"
	sbindir = "/usr/local-test/sbin"
	logdir = "/usr/local-test/var/log/radius"
	run_dir = "/usr/local-test/var/run/radiusd"
	libdir = "/usr/local-test/lib"
	radacctdir = "/usr/local-test/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/usr/local-test/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/local-test/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = yes
	auth = yes
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
 client 192.168.1.5 {
 Module: Linked to module rlm_linelog
 Module: Instantiating module "linelog" from file /etc/raddb-testing/modules/linelog
  linelog {
	filename = "/usr/local-test/var/log/radius/linelog"
	permissions = 384
	format = "This is a log message for %{User-Name}"
	reference = "%{%{Packet-Type}:-format}"
 conns: 0xec4c700
	ipaddr = 127.0.0.1
	port = 18120
 client admin {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "YellowSubmarine"
 }
 }
listen {
	type = "auth"
	ipaddr = 127.0.0.1
	port = 18121
}
...
adding new socket proxy address * port 59646
Listening on authentication address 192.168.1.5 port 1812
Listening on accounting address 192.168.1.5 port 1813
Listening on command file /usr/local-test/var/run/radiusd/radiusd.sock
Listening on status address 127.0.0.1 port 18120 as server status
Listening on authentication address 127.0.0.1 port 18121 as server inner-tunnel
Listening on proxy address 192.168.1.5 port 1814
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.129.85.1 port 39402, id=192, length=199
	Acct-Session-Id = "00000026-0000003A"
	Acct-Status-Type = Stop
	Acct-Authentic = RADIUS
	User-Name = "fsaze1"
	NAS-Identifier = "AP-PVIII-V"
	NAS-Port = 4
	Called-Station-Id = "00-23-69-49-06-2C:sarlanga-I"
	Calling-Station-Id = "60-FA-CD-42-C0-CE"
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Time = 30
	Acct-Input-Packets = 98
	Acct-Output-Packets = 26
	Acct-Input-Octets = 11164
	Acct-Output-Octets = 7989
	Event-Timestamp = "Jun 7 2012 10:37:44 ART"
	Acct-Terminate-Cause = User-Request
# Executing section preacct from file /etc/raddb-testing/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 4,Client-IP-Address = 10.129.85.1,NAS-IP-Address = 10.129.85.1,Acct-Session-Id = "00000026-0000003A",User-Name = "fsaze1"'
[acct_unique] Acct-Unique-Session-ID = "66c3a7d6e3d79d1a".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "fsaze1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb-testing/sites-enabled/default
+- entering group accounting {...}
[detail] 	expand: /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail] /usr/local-test/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /usr/local-test/var/log/radius/radacct/10.129.85.1/detail-20120607
[detail] 	expand: %t -> Thu Jun 7 10:37:44 2012
++[detail] returns ok
++[unix] returns ok
[radutmp] 	expand: /usr/local-test/var/log/radius/radutmp -> /usr/local-test/var/log/radius/radutmp
[radutmp] 	expand: %{User-Name} -> fsaze1
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] 	expand: %{User-Name} -> fsaze1
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 192 to 10.129.85.1 port 39402
Finished request 0.

End of Output

Thanks in advance

>>> Add 'preprocess' to the top of the authorize{} section in your
>>> inner-tunnel-peap / inner-tunnel files. That's the module that
>>> checks huntgroups.
>>
>> Thanks guys, it did it! I just realized that modules must be appended in
>> inner-tunnel files to load them :)
>
> Yeah, that's why it's called a virtual server. It's treated the
> same as the default server, the flow is the same. No module
> listed there? It doesn't happen.
>
> Matthew
>
> --
> Matthew Newton, Ph.D. <m...@le.ac.uk>
>
> Systems Architect (UNIX and Networks), Network Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Sergio Belkin http://www.sergiobelkin.com
Watch More TV http://sebelk.blogspot.com
LPIC-2 Certified - http://www.lpi.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
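As an added example, not code from this thread or from FreeRADIUS, the Python below does offline what Matthew's untested unlang does on the server: it reads the EAP Type byte out of an EAP-Message attribute to pick a detail log, and also parses the EAP header so that the Identity and Success/Failure cases he warns about fall into detail_log_other instead of matching by accident. The sample messages are constructed, not captured from the poster's server.

```python
import re

# Added example, not from the thread or from FreeRADIUS. Classifies an EAP-Message
# attribute as FreeRADIUS prints it ("0x" + hex) the way the unlang in the thread
# does: the 5th byte is the EAP Type, 0x19 (25) = PEAP, 0x15 (21) = EAP-TTLS.
EAP_PEAP, EAP_TTLS = 25, 21

# The two regexes from the thread, tried in the same order as the if/elsif chain.
UNLANG_RULES = (
    (re.compile(r"^0x........19"), "detail_log_peap"),
    (re.compile(r"^0x........15"), "detail_log_ttls"),
)

def unlang_match(eap_message: str) -> str:
    """Literal port of the if/elsif/else block from the thread."""
    for pattern, target in UNLANG_RULES:
        if pattern.match(eap_message):
            return target
    return "detail_log_other"

def eap_log_target(eap_message: str) -> str:
    """Same decision, made by parsing the EAP header (Code, Id, Length, Type)."""
    hex_body = eap_message[2:] if eap_message.startswith("0x") else eap_message
    try:
        raw = bytes.fromhex(hex_body)
    except ValueError:
        return "detail_log_other"      # not hex: keep it in the raw log, do not guess
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        return "detail_log_other"      # truncated, or Length field disagrees
    if raw[0] not in (1, 2) or len(raw) < 5:
        return "detail_log_other"      # only Request(1)/Response(2) carry a Type byte
    if raw[4] == EAP_PEAP:
        return "detail_log_peap"
    if raw[4] == EAP_TTLS:
        return "detail_log_ttls"
    return "detail_log_other"          # Identity (type 1) and other methods land here

# Constructed sample messages, not captured from the poster's server.
SAMPLES = {
    "identity_response": "0x020100090175736572",  # Response, type 1, data "user"
    "peap_start":        "0x010200061920",        # Request, type 25, Start flag set
    "ttls_start":        "0x010300061520",        # Request, type 21, Start flag set
    "eap_success":       "0x03040004",            # Success: no Type byte at all
}

def classify_samples() -> dict:
    """Run both classifiers over SAMPLES; on well-formed input they agree."""
    return {name: (unlang_match(m), eap_log_target(m)) for name, m in SAMPLES.items()}
```

The header-parsing version differs from the regex only on malformed input, such as a message whose Length field exceeds the bytes actually present, which the regex would still file under PEAP.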