[RADIATOR] How do I log all reply attributes sent for an Access-Accept?

Heikki Vatiainen hvn at open.com.au
Wed Apr 11 13:41:19 CDT 2012


On 04/10/2012 10:42 PM, Linuxchuck wrote:

> I'm looking for a way to log all possible Reply attributes to my authlog file.  I use many different types of VSAs, and would rather not have to scrub through all of my configs just to manually add each named Reply attribute to my <AuthLog FILE> stanza.

Hmm, I do not think this has been requested before or that such
functionality currently exists directly.

You could try the following PostAuthHook to collect all reply attributes
into a pseudo attribute in the request and log the whole thing from the
request with:

SuccessFormat   %l: [%{GlobalVar:DevType}] [%n] [%c] [%{NAS-IP-Address}] [%{Calling-Station-Id}] Accept %{Request:X-Reply-Attrs}

Here's an example hook. You can add attributes you do not want to see in
the logs to the ignored list.

PostAuthHook file:"combine-reply-attrs-hook.pl"

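sub {
    my $p = ${$_[0]};      # Request packet
    my $rp = ${$_[1]};     # Response packet

    # Reply attributes that must not be copied to the log
    my @ignored = qw(EAP-Message Some-Other-Attribute);

    # Walk the reply attributes by index until the list is exhausted
    my ($i, $all) = (0, '');
    while (my ($name, $value) = $rp->get_attr_val_n($i++)) {
        next if grep {$_ eq $name} @ignored;
        $all .= "$name=$value, ";
    }
    $all =~ s/, $//; # Remove trailing ', '

    # Make the combined string available as %{Request:X-Reply-Attrs}
    $p->add_attr("X-Reply-Attrs", $all);
}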


Please let us know how this works.
Heikki


> Here's what I currently have:
> 
> <AuthLog FILE>
>          Identifier      AuthLogger
>          Filename        /var/log/Radiator/authlog
>          SuccessFormat   %l: [%{GlobalVar:DevType}] [%n] [%c] [%{NAS-IP-Address}] [%{Calling-Station-Id}] Accept %{Reply:Class}
>          FailureFormat   %l: [%{GlobalVar:DevType}] [%n] [%c] [%{NAS-IP-Address}] [%{Calling-Station-Id}] Reject - %1
>          LogSuccess      1
>          LogFailure      1
> </AuthLog>
> 
> This works just great if all I want to see is the Class attribute reply in my logfiles.  I see the Class assigned to any user if there is one right at the end of any Access-Accept line in my logs.
> 
> However, I have at least a dozen different reply attributes I'd like to track.  Since I'm not a perl guru by any stretch of the imagination, I'd love to know if there is some sort of secret-sauce I can stick in that reply variable to make it ... well ... Variable.
> 
> Here's a quick list off of the top of my head to give you an idea of the types of Replies I have it sending out:
> Class
> Framed-IP-Address
> (Vendor)-Group-Name
> (Vendor)-Interface-Name
> Service-Type
> and so-on, and so-forth...
> 
> Oh... and no, I don't want to turn up the Trace just for this...  :-P
> 
> Thanks in advance!
> 
> Chuck


-- 
Heikki Vatiainen <hvn at open.com.au>
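
An added example, not part of the original post or of Radiator: a Python parser for authlog lines written with the SuccessFormat and hook above, which splits the unescaped "name=value, " list and flags reply attributes carrying secrets that belong in the hook's @ignored list. The sample lines, the timestamp shape and the SENSITIVE set are constructed assumptions.

```python
import re

# Fixed prefix of the SuccessFormat above:
# <time>: [DevType] [user] [client] [NAS-IP] [Calling-Station-Id] Accept <attrs>
LINE_RE = re.compile(
    r'^(?P<ts>.*?): \[(?P<devtype>[^\]]*)\] \[(?P<user>[^\]]*)\] '
    r'\[(?P<client>[^\]]*)\] \[(?P<nas>[^\]]*)\] \[(?P<csid>[^\]]*)\] '
    r'Accept ?(?P<attrs>.*)$')
# The hook joins pairs with ", " without escaping values, so split only where
# the separator is followed by something shaped like "Attribute-Name=".
# A value that itself contains ", Name=" remains ambiguous.
PAIR_SPLIT_RE = re.compile(r', (?=[A-Za-z][A-Za-z0-9_.-]*=)')

# Assumed list of reply attributes whose values are secrets (adjust per site).
SENSITIVE = {"MS-MPPE-Send-Key", "MS-MPPE-Recv-Key", "Tunnel-Password"}

def parse_accept_line(line):
    """Return a dict for an Accept line, or None for any other line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    raw = rec.pop("attrs")
    reply = {}
    for pair in (PAIR_SPLIT_RE.split(raw) if raw else []):
        name, sep, value = pair.partition("=")
        if sep:  # attributes may repeat, so keep every value
            reply.setdefault(name, []).append(value)
    rec["reply"] = reply
    return rec

def leaked_secrets(rec):
    """Names of logged reply attributes that should be in @ignored."""
    return sorted(SENSITIVE & set(rec["reply"]))

# Constructed sample lines (documentation addresses, made-up users).
SAMPLE = [
    "Wed Apr 11 13:41:19 2012: [switch] [alice] [192.0.2.10] [192.0.2.10] "
    "[00-11-22-33-44-55] Accept Class=netops, Service-Type=Framed-User, "
    "Framed-IP-Address=198.51.100.7",
    "Wed Apr 11 13:42:02 2012: [vpn] [bob] [192.0.2.20] [192.0.2.20] [203.0.113.5] "
    "Accept Reply-Message=Welcome, bob, Class=vpn, Class=staff, "
    "Tunnel-Password=constructed-value",
    "Wed Apr 11 13:43:10 2012: [switch] [carol] [192.0.2.10] [192.0.2.10] [] "
    "Reject - Bad password",
]

if __name__ == "__main__":
    for rec in filter(None, map(parse_accept_line, SAMPLE)):
        print(rec["user"], rec["reply"], "LEAK:", leaked_secrets(rec))
```
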
