[RADIATOR] Additional logging for EAP-TLS

Mike McCauley mikem at open.com.au
Thu Nov 18 15:41:22 CST 2010


Hello Markus,

Thanks for your thoughts.
EAP-Error is not in the dictionary, and will cause errors when the reply is 
packaged, will it not?

In any case, I would expect the EAP error reason to be available in the reason 
sent to the AuthLog clause.
Also, if you have RejectHasReason set, I would expect to see the EAP error in 
the reply message too.

Cheers.

On Friday 19 November 2010 06:41:05 am Markus Moeller wrote:
> Hi,
>
>    I would like to log more than TLS error acknowledged into the access
> log, but I don't see that the error is stored anywhere. Is the below a good
> way to do it and use the EAP-Error attribute in the access log deny message?
>
> Thank you
> Markus
>
>
> --- /tmp/EAP_13.pm      2010-11-18 08:16:53.000000000 +0000
> +++ /tmp/EAP_13_n.pm    2010-11-18 08:22:06.000000000 +0000
> @@ -116,6 +116,7 @@
>             {
>                 # Handshake was not successful
>                 my $errs = &Net::SSLeay::print_errs();
> +                $p->add_attr('EAP-Error', "EAP TLS Handshake unsuccessful:
> $errs"); return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs"); }
>             elsif ($reason == Net::SSLeay::ERROR_WANT_READ)
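Review bot: the `$p->add_attr('EAP-Error', ...)` added before `return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs")` carries exactly the string already passed as the REJECT reason, and it is added to the request `$p`, not to the reply `$p->{rp}` that `eap_failure` operates on, so it would not reach the client anyway; since the reason string is what AuthLog receives (and what goes into the reply under RejectHasReason), the add_attr line can be dropped here. Also, the mailer has wrapped the `+` line and fused the following `return` and `}` onto it, so the patch will not apply as posted; resend it as an attachment.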
> @@ -137,6 +138,7 @@
>                     # Certificate verification failed, keep going
>                     # so we tell the client what the problem was
>                     my $verify_error_string =
> &Radius::TLS::verify_error_string($verify_result); +                  
> $p->add_attr('EAP-Error', "EAP TLS certificate verification failed:
> $verify_error_string, $errs"); $self->log($main::LOG_INFO, "EAP TLS
> certificate verification failed: $verify_error_string, $errs", $p);
>
>                 }
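Review bot: this branch deliberately keeps going (the comment says so), so it does not reject; the EAP-Error added here stays on the request, and if the same packet later takes the "Serious TLS error" path in the next hunk, which also calls add_attr, the request ends up with two EAP-Error instances. Either add it once at the point of rejection, or carry `$verify_error_string` into the reject reason there instead. The stray `+` at the end of the `&Radius::TLS::verify_error_string($verify_result);` line is the mangled marker of the added line, another sign the patch needs resending as an attachment.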
> @@ -144,6 +146,7 @@
>                 {
>                     # Serious TLS error, bail out
>                     $self->log($main::LOG_ERR, "EAP TLS error: $ret,
> $reason, $state, $verify_result, $errs", $p); +                   
> $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state,
> $verify_result, $errs"); &Radius::TLS::contextSessionClear($context);
>                     $self->eap_failure($p->{rp}, $context);
>                     return ($main::REJECT, "EAP TLS error");
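Review bot: here the detail goes into EAP-Error while the REJECT reason stays the bare "EAP TLS error"; since the reason is what AuthLog logs and what RejectHasReason puts in the reply, put the detail in the reason instead: `return ($main::REJECT, "EAP TLS error: $ret, $reason, $state, $verify_result, $errs");`. That gives the access log the same information without an attribute that the dictionary does not define.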
> @@ -192,6 +195,7 @@
>         {
>             &Radius::TLS::contextSessionClear($context);
>             $self->eap_failure($p->{rp}, $context);
> +            $p->add_attr('EAP-Error', "EAP TLS No peer certificate");
>             return ($main::REJECT, 'EAP TLS No peer certificate');
>         }
>         &Net::SSLeay::X509_free($peer); # get_peer_certificate increments
> the count @@ -208,6 +212,7 @@
>             {
>                 &Radius::TLS::contextSessionClear($context);
>                 $self->eap_failure($p->{rp}, $context);
> +                $p->add_attr('EAP-Error', "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); return
> ($main::REJECT, "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); }
>             $authuser = $user;
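Review bot: in both of these hunks ("No peer certificate" and "session resumed by user ... is not authenticated") the EAP-Error value is a verbatim copy of the string already returned as the REJECT reason, so it adds nothing that AuthLog cannot already log from the reason; if a separate attribute is still wanted, it needs a dictionary entry (EAP-Error is not in the dictionary) and should go on the reply `$p->{rp}` rather than the request `$p` if it is meant to reach the client. In the -192 hunk the `@@ -208,6 +212,7 @@` header has been joined onto the "the count" comment line by the mailer, so this part of the patch will not apply as posted either.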



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
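
An added configuration example, not taken from this thread or from Radiator's distribution, showing the two places named in the reply where the EAP-TLS reject reason surfaces: an AuthLog FILE entry, where %1 expands to the REJECT reason, and the Reply-Message of the Access-Reject via RejectHasReason. The Identifier name, file paths and certificate file names are assumed placeholders.

```text
# Added example (not from the thread): Radiator configuration fragment that
# surfaces the reason string returned with $main::REJECT by the EAP-TLS code.
# Identifier, paths and certificate names below are assumed placeholders.

<AuthLog FILE>
    Identifier eap-authlog
    Filename %L/authlog
    # Log failures only; %1 is replaced by the REJECT reason, so the
    # "EAP TLS Handshake unsuccessful: ..." text lands here without any
    # extra attribute being added to the request.
    LogSuccess 0
    LogFailure 1
    FailureFormat %l:%U:FAIL:%1
</AuthLog>

<Handler>
    AuthLog eap-authlog
    # Copy the same reason into the Reply-Message of the Access-Reject
    RejectHasReason

    <AuthBy FILE>
        Filename %D/users
        EAPType TLS
        # Placeholder certificate material; replace with your own files
        EAPTLS_CAFile %D/certificates/ca.pem
        EAPTLS_CertificateFile %D/certificates/server-cert.pem
        EAPTLS_PrivateKeyFile %D/certificates/server-key.pem
        EAPTLS_PrivateKeyPassword CHANGEME
    </AuthBy>
</Handler>
```

With this in place a failed handshake produces one authlog line ending in the reason text and an Access-Reject whose Reply-Message carries the same text, so no dictionary change is needed to see why EAP-TLS rejected the user.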

