Re: Question about Logging

2008-08-25 Thread Alan DeKok
Aaron Spanik wrote:
> As you no doubt know, once I used
> %{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
> wanted to see in my logs.

  Yup.

> That sounds excellent; I will check out the GIT version.  Can you
> comment on how long it is likely to take before those features make it
> into an official release?

  A week, maybe two.  We've been meaning to do a release for a month or
so, but other things got in the way.

> Thanks much for your response; it was truly helpful.

  Any time.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Question about Logging

2008-08-25 Thread Aaron Spanik
On Sat, 23 Aug 2008 07:04:11 +0200
Alan DeKok <[EMAIL PROTECTED]> wrote:

> Aaron Spanik wrote:
> > *snip*
> 
>   I suggest getting access.  Sorry... but it's the simplest way to debug
> things when something is going wrong.

Always.  But sometimes one is forced to prove something is wrong before
the other end will consent to looking for the problem.
 
> *snip*
>
> > I have also peeled through all the dictionary files looking for an
> > appropriate RADIUS Attribute which I could use.  I found
> > Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
> > any of the detail sections, as they all returned 127.0.0.1, which makes
> > some sense to me given the initial source and destination of the
> > request packets; I'm also pretty sure I shouldn't be using parameters
> > from dictionary.freeradius.internal this way.
> 
>   That's what they're defined for.
> 
>   See also "man unlang".  If you want the destination IP address of the
> *proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

See, I read "man unlang" and noticed the %{:} syntax,
but then failed to remember reading that when I actually went about
trying to use %{Packet-Dst-Ip-Address}.
 
> > So my question is this:  short of editing the source to make the
> > auth_log pop the home server being contacted into the loglines in
> > radius.log, is there any way to get that information on a per-request
> > basis?  Is there some unlang magic I could work in the pre- or
> > post-processing phases?  It doesn't really matter to me where the
> > information goes, as long as I can associate it with a particular
> > request.
> 
>   It's already associated with the request.  You've just got to put 2&2
> together to refer to the *proxied* packet, not the *request* packet.

I'm glad that I appeared to have half a clue and lacked only the other
half to rub it against ;)

As you no doubt know, once I used
%{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
wanted to see in my logs.

>   I'd also suggest upgrading to recent code (git.freeradius.org).  It
> has *very* good statistics tracking available via RADIUS packets.  You
> can get accept/reject per home server.  See raddb/sites-available/status.

That sounds excellent; I will check out the GIT version.  Can you
comment on how long it is likely to take before those features make it
into an official release?

>   You can also log much more configurable messages via the "linelog"
> module.  See raddb/modules/linelog.
> 
>   Alan DeKok.

Thanks much for your response; it was truly helpful.

/a


-- 
Aaron Spanik
[EMAIL PROTECTED]


Re: Question about Logging

2008-08-22 Thread Alan DeKok
Aaron Spanik wrote:
> Recently, however, there has been reason to suspect that the two remote
> RADIUS servers are behaving inconsistently with each other (i.e. auth
> fails on one and then immediately succeeds on the other).
> Unfortunately, I have zero access to the remote RADIUS servers and
> limited access to the folks who could tell me whether something is, in
> fact, wrong with the remote configuration.

  I suggest getting access.  Sorry... but it's the simplest way to debug
things when something is going wrong.

> In order to provide statistics on my end or at least look for trends, I
> would like to keep track of what remote server a given request is
> proxied to, but I can't seem to find an easy way of doing it:

  See the pre-proxy section.  The destination IP address is determined
before that section is run.

> - I have auth_logging turned on so that my radius.log file contains
>   basic Yay/Nay information about a particular auth request, but the IP
>   of the server the request was proxied to is not included.

  The default log messages don't include IP addresses of the proxies.

> I have also peeled through all the dictionary files looking for an
> appropriate RADIUS Attribute which I could use.  I found
> Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
> any of the detail sections, as they all returned 127.0.0.1, which makes
> some sense to me given the initial source and destination of the
> request packets; I'm also pretty sure I shouldn't be using parameters
> from dictionary.freeradius.internal this way.

  That's what they're defined for.

  See also "man unlang".  If you want the destination IP address of the
*proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

> So my question is this:  short of editing the source to make the
> auth_log pop the home server being contacted into the loglines in
> radius.log, is there any way to get that information on a per-request
> basis?  Is there some unlang magic I could work in the pre- or
> post-processing phases?  It doesn't really matter to me where the
> information goes, as long as I can associate it with a particular
> request.

  It's already associated with the request.  You've just got to put 2&2
together to refer to the *proxied* packet, not the *request* packet.

  I'd also suggest upgrading to recent code (git.freeradius.org).  It
has *very* good statistics tracking available via RADIUS packets.  You
can get accept/reject per home server.  See raddb/sites-available/status.

  You can also log much more configurable messages via the "linelog"
module.  See raddb/modules/linelog.

  Alan DeKok.
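
As an added example (not part of the original thread and not FreeRADIUS code): once each proxied request is logged together with its home server, as the reply above describes, a short script can tally results per home server and flag the pattern from the question, a reject from one server followed right away by an accept from the other. The log line layout, field names and sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line layout (hypothetical, not a FreeRADIUS default): the home= field
# is what %{proxy-request:Packet-Dst-Ip-Address} would expand to in the format.
LINE = re.compile(r"(\S+) user=(\S+) home=(\S+) result=(Access-(?:Accept|Reject))")

# Constructed sample lines; the addresses are documentation-range placeholders.
SAMPLE = """\
2008-08-22T10:00:01 user=alice home=192.0.2.10 result=Access-Reject
2008-08-22T10:00:03 user=alice home=192.0.2.20 result=Access-Accept
2008-08-22T10:01:10 user=bob home=192.0.2.20 result=Access-Accept
2008-08-22T10:02:00 user=carol home=192.0.2.10 result=Access-Reject
2008-08-22T10:02:04 user=carol home=192.0.2.20 result=Access-Accept
2008-08-22T10:05:00 user=dave home=192.0.2.10 result=Access-Reject
2008-08-22T10:05:02 user=dave home=192.0.2.10 result=Access-Accept
not a log line
""".splitlines()

def parse(lines):
    """Return (time, user, home, result) tuples, skipping malformed lines."""
    hits = (LINE.fullmatch(line.strip()) for line in lines)
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4]) for m in hits if m]

def tally(records):
    """Count accepts and rejects per home server."""
    counts = defaultdict(Counter)
    for _, _, home, result in records:
        counts[home][result] += 1
    return counts

def flips(records, window=timedelta(seconds=10)):
    """Find users rejected by one home server, then accepted by another within `window`."""
    last_reject = {}  # user -> (time, home) of the most recent reject
    found = []
    for ts, user, home, result in sorted(records):
        if result == "Access-Reject":
            last_reject[user] = (ts, home)
        elif user in last_reject:
            r_ts, r_home = last_reject.pop(user)
            if r_home != home and ts - r_ts <= window:
                found.append((user, r_home, home))
    return found

if __name__ == "__main__":
    print({h: dict(c) for h, c in tally(parse(SAMPLE)).items()})
    print(flips(parse(SAMPLE)))
```

A retry that succeeds on the same home server (the constructed `dave` lines) is deliberately not flagged, since it says nothing about the two servers disagreeing.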


Question about Logging

2008-08-22 Thread Aaron Spanik

I apologize in advance if this question is answered in the
documentation, but if it is, I haven't been able to find it.

I have the following setup:

- Client daemon running on host A

- FreeRADIUS 2.0.4 server running on host A proxying auth requests

- Two Remote RADIUS servers serving authentication from a load-balanced
  pool

- The client daemon sends authentication requests to the FreeRADIUS
  server with a username and password over loopback.

- The FreeRADIUS server receives the Access-Request and proxies it
  to the remote RADIUS servers.

- Responses from the RADIUS server are proxied back to the client
  daemon for action.

- Accounting records are sent by the client daemon, however they are
  "swallowed" by the FreeRADIUS server (always ok) as accounting is not
  being used at this point.

The first thing I will mention is that I do not have any issue
with this configuration; i.e. it works exactly the way it's supposed to.
Recently, however, there has been reason to suspect that the two remote
RADIUS servers are behaving inconsistently with each other (i.e. auth
fails on one and then immediately succeeds on the other).
Unfortunately, I have zero access to the remote RADIUS servers and
limited access to the folks who could tell me whether something is, in
fact, wrong with the remote configuration.

In order to provide statistics on my end or at least look for trends, I
would like to keep track of what remote server a given request is
proxied to, but I can't seem to find an easy way of doing it:

- I have auth_logging turned on so that my radius.log file contains
  basic Yay/Nay information about a particular auth request, but the IP
  of the server the request was proxied to is not included.

- I have detail configured for auth-detail, pre-proxy-detail,
  post-proxy-detail, and reply-detail.  All are pretty much stock
  except I put the User-Name into the header in a couple of them.

None of these show the IP of the particular home server that a given
request was sent to.  I do understand that I can get this information
if I run a full debug trace, however this is a production system and I
don't need all that information, just one little piece, nor do I want
to run a production server outputting to stdout.

I have also peeled through all the dictionary files looking for an
appropriate RADIUS Attribute which I could use.  I found
Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
any of the detail sections, as they all returned 127.0.0.1, which makes
some sense to me given the initial source and destination of the
request packets; I'm also pretty sure I shouldn't be using parameters
from dictionary.freeradius.internal this way.  I also found
FreeRADIUS-Proxied-To, however it appears that's only for accounting
packets.

So my question is this:  short of editing the source to make the
auth_log pop the home server being contacted into the loglines in
radius.log, is there any way to get that information on a per-request
basis?  Is there some unlang magic I could work in the pre- or
post-processing phases?  It doesn't really matter to me where the
information goes, as long as I can associate it with a particular
request.

Thanks,

/a

-- 
Aaron Spanik
[EMAIL PROTECTED]


Re: Question about logging

2005-11-03 Thread Alan DeKok
"Lisa Casey" <[EMAIL PROTECTED]> wrote:
> With FreeRadius 1.01 on FreeBSD 5.3, is there any way of logging all 
> authentication requests to radius.log EXCEPT requests from a particular 
> username?
> 
> Or alternatively, log all authentication requests EXCEPT those from a 
> particular client (this would solve the same problem I have).

  No.  You can, however, post-process the logs.

  Or, edit the source code :)

  Alan DeKok.


Question about logging

2005-11-03 Thread Lisa Casey

Hi Folks,

You'll probably think this question is a bit nuts.

With FreeRadius 1.01 on FreeBSD 5.3, is there any way of logging all 
authentication requests to radius.log EXCEPT requests from a particular 
username?


Or alternatively, log all authentication requests EXCEPT those from a 
particular client (this would solve the same problem I have).


I don't think this can be done, but you folks know a lot more about this 
than I do!


Thanks,

Lisa Casey





Re: question about logging facilities

2004-08-25 Thread Alan DeKok
Anders Karlsson <[EMAIL PROTECTED]> wrote:
> I'm wondering if there's a way to log all the "error" logs ( like failed
> logins and so on ) into a mysql table instead of the standard radius
> logfile ?

  Not at this time.

  As always, patches are welcome.

  Alan DeKok.



question about logging facilities

2004-08-25 Thread Anders Karlsson

Hi,

I'm wondering if there's a way to log all the "error" logs ( like failed
logins and so on ) into a mysql table instead of the standard radius
logfile ?

I have googled around a bit, but haven't found anything useful yet :(

Cheers
Anders

-- 
[EMAIL PROTECTED]

Programming today is a race between software engineers striving to build 
bigger and better idiot-proof programs, and the Universe trying to produce 
bigger and better idiots. So far, the Universe is winning. - Rich Cook
 
