Re: Detailed Logging freeradius Request Packets

2010-10-11 Thread Jean F. Mousinho
On Sun, 2010-10-10 at 08:50 +0200, Alan DeKok wrote:
> Jean-Francois Mousinho wrote:
> > I've tried to find a way of detail logging the packets sent by
> > freeradius to the client in the authentication phase but didn't find a
> > way of doing it. Maybe I've not looked correctly, so I'm asking if it's
> > actually possible?
>
>   Yes.
>
> > I was able to log detailed packets sent by the client (Response packets)
> > but not the ones sent by freeradius to the client (except accounting and
> > proxied ones).
>
>   raddb/modules/detail.log

auth_log is activated in detail.log, and in the authorize section of
sites-enabled/default.

Example of packet exchange...

Sequence in the freeradius logs gives (grep'ed Message-Authenticator):

  Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91
  Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45
  Message-Authenticator = 0x8ccbc2c39bf018909859bb683ca8c058
  ...

In the eapol_test supplicant, I got the following (also grep'ed):

   Attribute 80 (Message-Authenticator) length=18
  Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 80 (Message-Authenticator) length=18
  Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45
   Attribute 80 (Message-Authenticator) length=18
  Value: 67 20 0e f4 6e 13 09 b7 4c 6c f2 4f 81 1f a9 70

So the message *3f (and others) is not logged. The message *3f in the
eapol_test output:

Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=86
   Attribute 1 (User-Name) length=22
  Value:  ...
   Attribute 79 (EAP-Message) length=8
  Value: 01 01 00 06 19 20
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 24 (State) length=18
  Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

So this message, and the Access-Challenge messages in general, are not
logged, although the Access-Accept messages are logged.

I should have said I want to log Access-Challenge messages; that would be
more correct.

Thanks for your time.

Jean-François Mousinho

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
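The comparison done by hand in the post above (matching the server's Message-Authenticator values against the eapol_test attribute dumps to see which packets never reached the detail log) can be automated. The following is an added example, not code from the post or from FreeRADIUS; the function names are my own, and the sample input is constructed from the values quoted in the post, with a third Access-Accept packet added so the output shows both a logged and an unlogged case.

```python
import re

# Constructed sample input in the two formats quoted in the post (not real captures).
FREERADIUS_LOG = """\
        Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91
        Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45
"""
EAPOL_TEST_OUTPUT = """\
RADIUS message: code=11 (Access-Challenge) identifier=0 length=86
   Attribute 80 (Message-Authenticator) length=18
      Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91
RADIUS message: code=11 (Access-Challenge) identifier=1 length=86
   Attribute 80 (Message-Authenticator) length=18
      Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 24 (State) length=18
      Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51
RADIUS message: code=2 (Access-Accept) identifier=2 length=40
   Attribute 80 (Message-Authenticator) length=18
      Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45
"""
LOG_RE = re.compile(r"Message-Authenticator\s*=\s*0x([0-9a-fA-F]{32})")
MSG_RE = re.compile(r"RADIUS message: code=(\d+) \(([\w-]+)\) identifier=(\d+)")
ATTR80_RE = re.compile(r"Attribute 80 \(Message-Authenticator\)")
VALUE_RE = re.compile(r"Value:\s*((?:[0-9a-fA-F]{2}\s*){16})")

def logged_authenticators(text):
    """Set of Message-Authenticator values present in the server-side log."""
    return {m.group(1).lower() for m in LOG_RE.finditer(text)}

def supplicant_messages(text):
    """List of (code, name, identifier, authenticator) tuples parsed from eapol_test output."""
    messages, current, want_value = [], None, False
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            current, want_value = (int(m.group(1)), m.group(2), int(m.group(3))), False
            continue
        if ATTR80_RE.search(line):
            want_value = True  # the next Value line belongs to attribute 80
            continue
        v = VALUE_RE.search(line) if want_value else None  # skips other 16-byte attrs, e.g. State
        if v and current:
            messages.append(current + (v.group(1).replace(" ", "").lower(),))
            want_value = False
    return messages

def unlogged_messages(log_text, eapol_text):
    """Packets the supplicant received whose authenticator never appears in the server log."""
    seen = logged_authenticators(log_text)
    return [m for m in supplicant_messages(eapol_text) if m[3] not in seen]
```

Run on real data, feed it the grep'ed server log and the full eapol_test output; every tuple it returns is a packet whose logging configuration still needs attention.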

duplicate Identity received, freeradius behaviour?

2009-05-18 Thread Jean F. Mousinho
Hi,

I've noticed lots of "EAP state variable not found" in our radius server
logs. After some packet dump analysis (also -Xf) I've noticed that one of
the cases where this happened was when some EAP Identity packets are
duplicated during parallel authentications (I mean, when at least one
session has already begun from the same client, and we're receiving
duplicates).

I've noticed that these duplicate packets come with just one small
difference, which is the Proxy-State. The duplicate packets, then, in my
opinion could be caused by some bad proxying implementation (client EAP
Identity passing through 2 or more proxies?), or even bad load
balancing.

Also, we did an upgrade of one of the two proxies connected to our home
radius server and somehow noticed that the amount of EAP state errors
was lower in the old version (1.1.7) than in the newer (2.1.3) (although
it's hard to confirm that).

I've tried to compare the code from 1.1.7 and 2.1.3 and didn't come to a
clear conclusion on whether there is any special treatment of duplicate
proxied packets between 1.1.7 and 2.1.3 (while proxying).

Thanks for your time.

Jean F. Mousinho
