[RADIATOR] Additional logging for EAP-TLS

Markus Moeller huaraz at moeller.plus.com
Thu Nov 18 14:41:05 CST 2010


Hi,

   I would like to log more than the TLS error acknowledgement in the access log, but I don't see that the error is stored anywhere. Is the change below a good way to do it, and to use the EAP-Error attribute in the access-log deny message?

Thank you
Markus

 
--- /tmp/EAP_13.pm      2010-11-18 08:16:53.000000000 +0000
+++ /tmp/EAP_13_n.pm    2010-11-18 08:22:06.000000000 +0000
@@ -116,6 +116,7 @@
            {
                # Handshake was not successful
                my $errs = &Net::SSLeay::print_errs();
+                $p->add_attr('EAP-Error', "EAP TLS Handshake unsuccessful: $errs");
                return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs");
            }
            elsif ($reason == Net::SSLeay::ERROR_WANT_READ)
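Review bot: The reject text is now written twice, on the added line and on the return below it, so the attribute value and the reply message can silently drift apart; build it once with `my $msg = "EAP TLS Handshake unsuccessful: $errs";` then `$p->add_attr('EAP-Error', $msg);` and `return ($main::REJECT, $msg);`. The same duplication appears in the hunks at lines 144, 192 and 208. Whether add_attr accepts `EAP-Error` without a dictionary entry is not visible here; if Radiator needs the attribute declared before it can be referenced from the access log, confirm that first. The enclosing branch starts before the hunk.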
@@ -137,6 +138,7 @@
                    # Certificate verification failed, keep going
                    # so we tell the client what the problem was
                    my $verify_error_string = &Radius::TLS::verify_error_string($verify_result);
+                   $p->add_attr('EAP-Error', "EAP TLS certificate verification failed: $verify_error_string, $errs");
                    $self->log($main::LOG_INFO, "EAP TLS certificate verification failed: $verify_error_string, $errs", $p);

                }
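Review bot: The verification-failure branch deliberately keeps the handshake going, so the request that carries this new EAP-Error attribute is presumably answered with a challenge rather than a reject, and the eventual reject arrives in a later request whose `$p` will not have it; if that reading is right, the verification string never reaches the access-log deny message. Keeping it on the TLS context instead, e.g. `$context->{eap_error} = "EAP TLS certificate verification failed: $verify_error_string, $errs";`, and adding it to `$p` at the reject sites would survive across packets; worth confirming against how the access log reads request attributes. The enclosing block begins, and `$errs` is assigned, outside the hunk.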
@@ -144,6 +146,7 @@
                {
                    # Serious TLS error, bail out
                    $self->log($main::LOG_ERR, "EAP TLS error: $ret, $reason, $state, $verify_result, $errs", $p);
+                    $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state, $verify_result, $errs");
                    &Radius::TLS::contextSessionClear($context);
                    $self->eap_failure($p->{rp}, $context);
                    return ($main::REJECT, "EAP TLS error");
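Review bot: `$errs` from Net::SSLeay::print_errs is, as far as I recall, newline-terminated with one line per queued OpenSSL error, so the attribute value added here (and in the hunks at lines 116 and 137) embeds line breaks into the access-log deny line, which breaks one-record-per-line parsing and lets library error text appear as extra log records; collapse it first, e.g. `(my $flat_errs = $errs) =~ s/\s*\n\s*/; /g;` and use `$flat_errs` in the attribute. The attribute is added after the log call here but before it in the previous hunk; pick one order for all sites. The value also carries the internal `$ret, $reason, $state, $verify_result` numbers, which only help an administrator reading the log, so make sure nothing copies the request attribute into the reply sent to the client.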
@@ -192,6 +195,7 @@
        {
            &Radius::TLS::contextSessionClear($context);
            $self->eap_failure($p->{rp}, $context);
+            $p->add_attr('EAP-Error', "EAP TLS No peer certificate");
            return ($main::REJECT, 'EAP TLS No peer certificate');
        }
        &Net::SSLeay::X509_free($peer); # get_peer_certificate increments the count
@@ -208,6 +212,7 @@
            {
                &Radius::TLS::contextSessionClear($context);
                $self->eap_failure($p->{rp}, $context);
+                $p->add_attr('EAP-Error', "EAP TLS session resumed by user $context->{tls_authenticated_cn} is not authenticated: $reason");
                return ($main::REJECT, "EAP TLS session resumed by user $context->{tls_authenticated_cn} is not authenticated: $reason");
            }
            $authuser = $user;

