Re: Question about Logging

2008-08-25 Thread Aaron Spanik
On Sat, 23 Aug 2008 07:04:11 +0200
Alan DeKok [EMAIL PROTECTED] wrote:

 Aaron Spanik wrote:
  *snip*
 
   I suggest getting access.  Sorry... but it's the simplest way to debug
 things when something is going wrong.

Always.  But sometimes one is forced to prove something is wrong before
the other end will consent to looking for the problem.
 
 *snip*

  I have also peeled through all the dictionary files looking for an
  appropriate RADIUS Attribute which I could use.  I found
  Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
  any of the detail sections, as they all returned 127.0.0.1, which makes
  some sense to me given the initial source and destination of the
  request packets; I'm also pretty sure I shouldn't be using parameters
  from dictionary.freeradius.internal this way.
 
   That's what they're defined for.
 
   See also man unlang.  If you want the destination IP address of the
 *proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

See, I read man unlang and noticed the %{list:attribute} syntax,
but then failed to remember reading that when I actually went about
trying to use %{Packet-Dst-Ip-Address}.
 
  So my question is this:  short of editing the source to make the
  auth_log pop the home server being contacted into the loglines in
  radius.log, is there any way to get that information on a per-request
  basis?  Is there some unlang magic I could work in the pre- or
  post-processing phases?  It doesn't really matter to me where the
  information goes, as long as I can associate it with a particular
  request.
 
   It's already associated with the request.  You've just got to put 2+2
 together to refer to the *proxied* packet, not the *request* packet.

I'm glad that I appeared to have half a clue and lacked only the other
half to rub it against ;)

As you no doubt know, once I used
%{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
wanted to see in my logs.

   I'd also suggest upgrading to recent code (git.freeradius.org).  It
 has *very* good statistics tracking available via RADIUS packets.  You
 can get accept/reject per home server.  See raddb/sites-available/status.

That sounds excellent; I will check out the GIT version.  Can you
comment on how long it is likely to take before those features make it
into an official release?

   You can also log much more configurable messages via the linelog
 module.  See raddb/modules/linelog.
 
   Alan DeKok.

Thanks much for your response; it was truly helpful.

/a


-- 
Aaron Spanik
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
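
Added example, not part of the original messages: once each proxied request is logged together with the value of %{proxy-request:Packet-Dst-IP-Address}, the per-home-server comparison described in this thread can be done offline. The line format, field names and addresses below are assumptions constructed for illustration, not FreeRADIUS output.

```python
from collections import defaultdict

# Constructed sample lines in an assumed format (not FreeRADIUS output):
#   <epoch> user=<User-Name> home=<proxy-request:Packet-Dst-IP-Address> result=<reply>
SAMPLE_LOG = """\
1219650000 user=alice home=192.0.2.10 result=Access-Accept
1219650004 user=bob home=192.0.2.10 result=Access-Reject
1219650007 user=bob home=192.0.2.20 result=Access-Accept
1219650030 user=carol home=192.0.2.20 result=Access-Reject
1219650900 user=carol home=192.0.2.10 result=Access-Accept
1219650950 user=dave home=192.0.2.20 result=Access-Reject
this line is malformed and is skipped
"""

def parse(text):
    """Yield (epoch, user, home, result) for each well-formed line.
    User names containing spaces are not supported by this format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if {"user", "home", "result"} <= fields.keys():
            yield int(parts[0]), fields["user"], fields["home"], fields["result"]

def per_server_totals(events):
    """Count accepts and rejects for each home server."""
    totals = defaultdict(lambda: {"Access-Accept": 0, "Access-Reject": 0})
    for _, _, home, result in events:
        if result in totals[home]:
            totals[home][result] += 1
    return {home: dict(counts) for home, counts in totals.items()}

def inconsistent_pairs(events, window=60):
    """Find users rejected by one home server and then accepted by a
    different one within `window` seconds."""
    last_reject = {}  # user -> (epoch, home) of the most recent reject
    findings = []
    for ts, user, home, result in sorted(events):
        if result == "Access-Reject":
            last_reject[user] = (ts, home)
        elif result == "Access-Accept" and user in last_reject:
            r_ts, r_home = last_reject.pop(user)
            if r_home != home and ts - r_ts <= window:
                findings.append((user, r_home, home, ts - r_ts))
    return findings

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print(per_server_totals(events))
    print(inconsistent_pairs(events))
```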


Re: Question about Logging

2008-08-25 Thread Alan DeKok
Aaron Spanik wrote:
 As you no doubt know, once I used
 %{proxy-request:Packet-Dst-Ip-Address} I started seeing exactly what I
 wanted to see in my logs.

  Yup.

 That sounds excellent; I will check out the GIT version.  Can you
 comment on how long it is likely to take before those features make it
 into an official release?

  A week, maybe two.  We've been meaning to do a release for a month or
so, but other things got in the way.

 Thanks much for your response; it was truly helpful.

  Any time.

  Alan DeKok.


Re: Question about Logging

2008-08-22 Thread Alan DeKok
Aaron Spanik wrote:
 Recently, however, there has been reason to suspect that the two remote
 RADIUS servers are behaving inconsistently with each other (i.e. auth
 fails on one and then immediately succeeds on the other).
 Unfortunately, I have zero access to the remote RADIUS servers and
 limited access to the folks who could tell me whether something is, in
 fact, wrong with the remote configuration.

  I suggest getting access.  Sorry... but it's the simplest way to debug
things when something is going wrong.

 In order to provide statistics on my end or at least look for trends, I
 would like to keep track of what remote server a given request is
 proxied to, but I can't seem to find an easy way of doing it:

  See the pre-proxy section.  The destination IP address is determined
before that section is run.

 - I have auth_logging turned on so that my radius.log file contains
   basic Yay/Nay information about a particular auth request, but the IP
   of the server the request was proxied to is not included.

  The default log messages don't include IP addresses of the proxies.

 I have also peeled through all the dictionary files looking for an
 appropriate RADIUS Attribute which I could use.  I found
 Packet-Src-Ip-Address and Packet-Dst-Ip-Address, which didn't work in
 any of the detail sections, as they all returned 127.0.0.1, which makes
 some sense to me given the initial source and destination of the
 request packets; I'm also pretty sure I shouldn't be using parameters
 from dictionary.freeradius.internal this way.

  That's what they're defined for.

  See also man unlang.  If you want the destination IP address of the
*proxied* packet, you need to use %{proxy-request:Packet-Dst-IP-address}

 So my question is this:  short of editing the source to make the
 auth_log pop the home server being contacted into the loglines in
 radius.log, is there any way to get that information on a per-request
 basis?  Is there some unlang magic I could work in the pre- or
 post-processing phases?  It doesn't really matter to me where the
 information goes, as long as I can associate it with a particular
 request.

  It's already associated with the request.  You've just got to put 2+2
together to refer to the *proxied* packet, not the *request* packet.

  I'd also suggest upgrading to recent code (git.freeradius.org).  It
has *very* good statistics tracking available via RADIUS packets.  You
can get accept/reject per home server.  See raddb/sites-available/status.

  You can also log much more configurable messages via the linelog
module.  See raddb/modules/linelog.

  Alan DeKok.


Re: Question about logging

2005-11-03 Thread Alan DeKok
Lisa Casey [EMAIL PROTECTED] wrote:
 With FreeRadius 1.01 on FreeBSD 5.3, is there any way of logging all 
 authentication requests to radius.log EXCEPT requests from a particular 
 username?
 
 Or alternatively, log all authentication requests EXCEPT those from a 
 particular client (this would solve the same problem I have).

  No.  You can, however, post-process the logs.

  Or, edit the source code :)

  Alan DeKok.
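
Added example, not part of the original message: one way to post-process radius.log so that authentication lines from a given user or client are dropped. The sample lines are constructed and the line layout the pattern expects is an assumption; the user and client names are hypothetical.

```python
import re

# Constructed sample lines modelled on radius.log auth entries; the exact
# layout is an assumption and may differ between versions and settings.
SAMPLE_LOG = """\
Thu Nov  3 10:15:02 2005 : Auth: Login OK: [lisa] (from client nas1 port 3)
Thu Nov  3 10:15:05 2005 : Auth: Login OK: [monitor] (from client nas1 port 0)
Thu Nov  3 10:15:09 2005 : Auth: Login incorrect: [bob/guess123] (from client nas2 port 7 cli 5551234)
Thu Nov  3 10:15:11 2005 : Info: Ready to process requests.
Thu Nov  3 10:15:20 2005 : Auth: Login OK: [carol] (from client probe port 0)
"""

AUTH_RE = re.compile(
    r"^(?P<when>.+?) : Auth: (?P<msg>.+?): "
    r"\[(?P<ident>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)

def filter_log(text, skip_users=(), skip_clients=()):
    """Return log lines, dropping Auth lines for the given users or clients.
    Non-Auth lines and Auth lines that do not parse are kept, so a parsing
    failure never hides an entry."""
    kept = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            # "[user/password]" appears when passwords are logged; the user
            # is taken as the part before the first "/" (assumes user names
            # themselves contain no "/").
            user = m.group("ident").split("/", 1)[0]
            if user in skip_users or m.group("client") in skip_clients:
                continue
        kept.append(line)
    return kept

if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG, skip_users={"monitor"}):
        print(line)
```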


Re: question about logging facilities

2004-08-25 Thread Alan DeKok
Anders Karlsson [EMAIL PROTECTED] wrote:
 I'm wondering if there's a way to log all the error logs ( like failed
 logins and so on ) into a mysql table instead of the standard radius
 logfile ?

  Not at this time.

  As always, patches are welcome.

  Alan DeKok.
