[RADIATOR] Additional logging for EAP-TLS
Markus Moeller
huaraz at moeller.plus.com
Thu Nov 18 16:10:28 CST 2010
Hi Mike,
You are right. I overlooked that %1 contains the reason. But in some
cases I get only a simple reason, e.g. "EAP TLS error" instead of "EAP TLS
error: $ret, $reason, $state, $verify_result, $errs". Or, when "EAP TLS
certificate verification failed: $verify_error_string, $errs" is logged in
the main logfile, it is not in the reason message; that produces "TLS Alert
acknowledged." and I have to search the logfile for the real reason when
troubleshooting.
Thank you
Markus
----- Original Message -----
From: "Mike McCauley" <mikem at open.com.au>
To: <radiator at open.com.au>
Cc: "Markus Moeller" <huaraz at moeller.plus.com>
Sent: Thursday, November 18, 2010 9:41 PM
Subject: Re: [RADIATOR] Additional logging for EAP-TLS
> Hello Markus,
>
> Thanks for your thoughts.
> EAP-Error is not in the dictionary, and will cause errors when the reply
> is packaged, will it not?
>
> In any case, I would expect the EAP error reason to be available in the
> reason sent to the AuthLog clause.
> Also, if you have RejectHasReason set, I would expect to see the EAP error
> in the reply message too.
>
> Cheers.
>
> On Friday 19 November 2010 06:41:05 am Markus Moeller wrote:
>> Hi,
>>
>> I would like to log more than TLS error acknowledged into the access
>> log, but I don't see that the error is stored anywhere. Is the below a
>> good way to do it and use the EAP-Error attribute in the access log deny
>> message?
>>
>> Thank you
>> Markus
>>
>>
>> --- /tmp/EAP_13.pm 2010-11-18 08:16:53.000000000 +0000
>> +++ /tmp/EAP_13_n.pm 2010-11-18 08:22:06.000000000 +0000
>> @@ -116,6 +116,7 @@
>> {
>> # Handshake was not successful
>> my $errs = &Net::SSLeay::print_errs();
>> + $p->add_attr('EAP-Error', "EAP TLS Handshake
>> unsuccessful:
>> $errs"); return ($main::REJECT, "EAP TLS Handshake unsuccessful:
>> $errs"); }
>> elsif ($reason == Net::SSLeay::ERROR_WANT_READ)
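Review bot: the added `$p->add_attr('EAP-Error', ...)` attaches the attribute to the incoming request `$p`, not to the reply packet `$p->{rp}` that the later hunks hand to `eap_failure`, so even with a dictionary entry for EAP-Error (which Mike points out does not exist) it would not be what gets packaged into the Access-Reject. The same string is already returned as the second element of `return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs");`, which is the reason value the AuthLog clause receives, so this hunk adds no information that path lacks. Separately, the pasted patch has the `+` line wrapped over three lines and the closing `}` fused onto the `return` line, so it will not apply with patch(1) as shown.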
>> @@ -137,6 +138,7 @@
>> # Certificate verification failed, keep going
>> # so we tell the client what the problem was
>> my $verify_error_string =
>> &Radius::TLS::verify_error_string($verify_result); +
>> $p->add_attr('EAP-Error', "EAP TLS certificate verification failed:
>> $verify_error_string, $errs"); $self->log($main::LOG_INFO, "EAP TLS
>> certificate verification failed: $verify_error_string, $errs", $p);
>>
>> }
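Review bot: this branch does not reject ("keep going so we tell the client what the problem was"), so the EAP-Error attribute is added to a request that continues through the state machine; if the "Serious TLS error" branch then fires on a later pass, a second `add_attr('EAP-Error', ...)` appends another instance rather than replacing the first (`change_attr` would replace it). A simpler approach is to keep `$verify_error_string` in the context and fold it into the reason string returned at the point the REJECT actually happens, so the reply message and AuthLog carry it without a new attribute. Also, the stray `+` at the end of the `verify_error_string` line shows the marker has been separated from its line by wrapping.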
>> @@ -144,6 +146,7 @@
>> {
>> # Serious TLS error, bail out
>> $self->log($main::LOG_ERR, "EAP TLS error: $ret,
>> $reason, $state, $verify_result, $errs", $p); +
>> $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state,
>> $verify_result, $errs"); &Radius::TLS::contextSessionClear($context);
>> $self->eap_failure($p->{rp}, $context);
>> return ($main::REJECT, "EAP TLS error");
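Review bot: the detail (`$ret, $reason, $state, $verify_result, $errs`) goes only to the LOG_ERR line while the returned reason stays the bare `"EAP TLS error"`, which is exactly the gap Markus describes in his follow-up. Rather than introducing an attribute that is not in the dictionary, change the last line to `return ($main::REJECT, "EAP TLS error: $ret, $reason, $state, $verify_result, $errs");` so the AuthLog reason and a RejectHasReason reply both carry the same text the main log has. The `+` marker is again stranded at the end of the preceding line.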
>> @@ -192,6 +195,7 @@
>> {
>> &Radius::TLS::contextSessionClear($context);
>> $self->eap_failure($p->{rp}, $context);
>> + $p->add_attr('EAP-Error', "EAP TLS No peer certificate");
>> return ($main::REJECT, 'EAP TLS No peer certificate');
>> }
>> &Net::SSLeay::X509_free($peer); # get_peer_certificate increments
>> the count @@ -208,6 +212,7 @@
>> {
>> &Radius::TLS::contextSessionClear($context);
>> $self->eap_failure($p->{rp}, $context);
>> + $p->add_attr('EAP-Error', "EAP TLS session resumed by
>> user
>> $context->{tls_authenticated_cn} is not authenticated: $reason"); return
>> ($main::REJECT, "EAP TLS session resumed by user
>> $context->{tls_authenticated_cn} is not authenticated: $reason"); }
>> $authuser = $user;
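Review bot: in the "No peer certificate" hunk the new `add_attr` line is placed after `eap_failure($p->{rp}, $context)` has already built the failure reply, and its text exactly duplicates the reason already returned by `return ($main::REJECT, 'EAP TLS No peer certificate');`, so it adds nothing the reason path does not provide. Note also that the `@@ -208,6 +212,7 @@` header is fused onto the `# get_peer_certificate increments the count` comment line, so the boundary between this hunk and the next is lost in the pasted patch.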
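Review bot: in the "session resumed" hunk the attribute value is identical to the reason string already returned two lines later, including the interpolated `$context->{tls_authenticated_cn}` and `$reason`, so the change duplicates what RejectHasReason and the AuthLog reason already expose. The `+` line is wrapped over three lines ("session resumed by" / "user" / "$context->...") and the closing `}` is fused onto the `return` line, which will break `patch`; please resend the diff as an attachment rather than inline.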
>
>
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare
> etc.
>
>