Re: Detailed Logging freeradius Request Packets

[Alan DeKok]

Jean F. Mousinho wrote:
 So this message, the Access-Challenge messages are not logged, although
 the Access-Accept are logged.
 
 I should have said I want to log Access-Challenge messages, would be
 more correct.

  That's a bit harder.  Put this in the authenticate section, to
replace the eap line:

Auth-Type eap {
eap {
handled = 1
}
if (handled) {
auth_log.post-auth
}
}

  That should do the trick.


  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Detailed Logging freeradius Request Packets

[Jean F. Mousinho]

On Sun, 2010-10-10 at 08:50 +0200, Alan DeKok wrote:
 Jean-Francois Mousinho wrote:
  I've tried to find a way of detail logging the packets sent by
  freeradius to the client in the authentication phase but didn't found a
  way of doing it. Maybe I've not looked correctly so I'm asking if it's
  actually possible?
 
   Yes.
 
  I was able to log detailed packets sent by the client (Response packets)
  but not the ones sent by freeradius to the client (except accounting and
  proxied ones).
 
   raddb/modules/detail.log

auth_log is activated in detail.log, and in the authorize section of
sites-enabled/default.

Example of packet exchange...

Sequence in the freeradius logs gives (grep'ed Message-Authenticator):

  Message-Authenticator = 0x8af956293cf49787a8a291406ea9de91
  Message-Authenticator = 0xefb5ce8677fa2bbfbae3eca96071cd45
  Message-Authenticator = 0x8ccbc2c39bf018909859bb683ca8c058
  ...

In the eapol_test supplicant, I got the following (also grep'ed):

   Attribute 80 (Message-Authenticator) length=18
  Value: 8a f9 56 29 3c f4 97 87 a8 a2 91 40 6e a9 de 91
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 80 (Message-Authenticator) length=18
  Value: ef b5 ce 86 77 fa 2b bf ba e3 ec a9 60 71 cd 45
   Attribute 80 (Message-Authenticator) length=18
  Value: 67 20 0e f4 6e 13 09 b7 4c 6c f2 4f 81 1f a9 70

So the message *3f (and others are not logged). The message 3f in
eapol_test output:

Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=86
   Attribute 1 (User-Name) length=22
  Value:  ...
   Attribute 79 (EAP-Message) length=8
  Value: 01 01 00 06 19 20
   Attribute 80 (Message-Authenticator) length=18
  Value: 2b fc 84 c6 41 fa 0f 48 bb 44 66 0b c8 e7 56 3f
   Attribute 24 (State) length=18
  Value: e6 3d 08 c0 e6 3c 11 c3 1a d2 99 89 61 b8 e9 51
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec

So this message, the Access-Challenge messages are not logged, although
the Access-Accept are logged.

I should have said I want to log Access-Challenge messages, would be
more correct.

Thanks for your time.

Jean-François Mousinho

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Detailed Logging freeradius Request Packets

[Alan DeKok]

Jean-Francois Mousinho wrote:
 I've tried to find a way of detail logging the packets sent by
 freeradius to the client in the authentication phase but didn't found a
 way of doing it. Maybe I've not looked correctly so I'm asking if it's
 actually possible?

  Yes.

 I was able to log detailed packets sent by the client (Response packets)
 but not the ones sent by freeradius to the client (except accounting and
 proxied ones).

  raddb/modules/detail.log

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Detailed Logging freeradius Request Packets

[Jean-Francois Mousinho]

Hi,

I've tried to find a way of detail logging the packets sent by  
freeradius to the client in the authentication phase but didn't found  
a way of doing it. Maybe I've not looked correctly so I'm asking if  
it's actually possible?


I was able to log detailed packets sent by the client (Response  
packets) but not the ones sent by freeradius to the client (except  
accounting and proxied ones).


Thanks for your time.

Jean-François Mousinho

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html