[RADIATOR] DEBUG logging oddities
Karl Gaissmaier
karl.gaissmaier at uni-ulm.de
Fri Feb 12 08:51:47 CST 2016
Hi RADIATOR Team,
I would like to dump the packet attributes within ServerRADSEC or
AuthRADSEC but without overwhelming packet hexdumps.
Therefore I can't/won't use PacketTrace in the clauses.
I configured a clause specific Logger with 'Trace 4' but the 'sub
main::willLog' doesn't honor the settings in the clause loggers, instead
it checks just the global logger(s) and shortcuts the calls to
recv_debug_dump in the Modules:
> Radius/AuthRADIUS.pm: $p->recv_debug_dump($self) if (main::willLog($main::LOG_DEBUG, $p));
> Radius/AuthRADSEC.pm: $p->recv_debug_dump($self) if (main::willLog($main::LOG_DEBUG, $p));
> Radius/Client.pm: $p->recv_debug_dump($self) if (main::willLog($main::LOG_DEBUG, $p));
> Radius/ServerRADSEC.pm: $tp->recv_debug_dump($self) if (main::willLog($main::LOG_DEBUG, $tp));
>
> #####################################################################
> # Return true if at least one logger is required to log
> # Can be a shortcut to prevent length logging calculations
> sub main::willLog
> {
> my ($priority, $p) = @_;
> return 1
> if ($main::config->{LogStdout}&& ($priority <= $main::config->{Trace}
> || ($p && $p->{PacketTrace})))
> || grep $_->willLog($priority, $p), @{$main::config->{Log}};
> }
################################################################################
Please see my stripped down test setting:
################################################################################
> BindAddress 127.0.0.1
> AuthPort 1812
> AcctPort 1813
>
> LogDir /tmp/radiator/log
> DbDir /tmp/radiator/etc
>
>
> # disable global logfile for tests, in production I use a global file logger and syslog logger with Trace 2
> LogFile
> # I'll just see warnings and errors in the global log or during these tests on stdout
> Trace 2
> Foreground
> LogStdout
>
> PidFile %D/radiusd.pid
> DictionaryFile %D/my-very-short-dict-for-running-under-perl-debugger
>
> # AuthBy gimmick to define referable, non global loggers, thanks Hugh!
> <AuthBy GROUP>
> <Log FILE>
> Identifier DEBUG-LOGGER
> Trace 4
> Filename %L/debug-logger
> </Log>
> </AuthBy>
>
> <AuthBy TEST>
> Identifier AUTHBY_TEST
> </AuthBy>
>
> <AuthBy RADSEC>
> # I'm interested in the radius code and attributes, not in SSL hexdumps
> Log DEBUG-LOGGER
> Secret radsec
> Identifier AUTHBY_RADSEC
>
> UseStatusServerForFailureDetect
> KeepaliveTimeout 10
> FailureBackoffTime 10
> NoreplyTimeout 10
>
> LocalAddress 127.0.0.1
> Host 127.0.0.1
>
> # test settings, in production use valid certs and CN checks!!!
> UseTLS
> TLS_CAFile %D/certificates/demoCA/cacert.pem
> TLS_ExpectedPeerName .*
>
> TLS_CertificateFile %D/certificates/cert-clt.pem
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/certificates/cert-clt.pem
> TLS_PrivateKeyPassword whatever
> </AuthBy>
>
> #################################################################################
>
> <Handler Connect-Info=RADSEC>
> Identifier HANDLER_FROM_RADSEC
> AuthBy AUTHBY_TEST
> </Handler>
>
> <Handler Realm=radsec>
> Identifier HANDLER_TO_RADSEC
> AuthBy AUTHBY_RADSEC
> </Handler>
>
> <Handler>
> Identifier HANDLER_DEFAULT
> AuthBy AUTHBY_TEST
> </Handler>
>
> #################################################################################
>
> <Client DEFAULT>
> Identifier DEFAULT
> Secret mysecret
> Log DEBUG-LOGGER
> </Client>
>
> <ServerRADSEC>
> # I'm interested in the radius code and attributes, not in SSL hexdumps
> Log DEBUG-LOGGER
>
> Identifier RADSEC_SERVER
> BindAddress 127.0.0.1
> Port 2083
> Secret radsec
>
> AddToRequest Connect-Info=RADSEC
> AddToReply Connect-Info=RADSEC
>
> UseTLS
> TLS_CAFile %D/certificates/demoCA/cacert.pem
> TLS_CertificateFile %D/certificates/cert-srv.pem
> TLS_CertificateType PEM
> TLS_PrivateKeyFile %D/certificates/cert-srv.pem
> TLS_PrivateKeyPassword whatever
> TLS_RequireClientCert
> TLS_ExpectedPeerName .*
> </ServerRADSEC>
> ####################################################################
and then test it with radpwtst
> $ radpwtst -bind_address 127.0.0.1 -s 127.0.0.1 -noacct -auth_port 1812 -user foo@radsec
Any hint how to solve this problem?
Please rethink your &main::willLog(...) and btw, in my opinion, the
whole logging deserves refactoring ;-(
Maybe supporting a module-specific $self->willLog would be a proper path
to go.
Best Regards
Charly Gaissmaier
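
The gating behaviour described in the post, modelled stand-alone as an added example (not part of the original message and not Radiator source code): with the posted settings, a gate shaped like the quoted main::willLog rejects a debug-level attribute dump even though the clause's DEBUG-LOGGER runs at Trace 4, while a gate that also consults the clause's loggers lets it through. `ModelLogger`, `global_will_log`, `clause_will_log` and the numeric debug level 4 are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration: a stand-alone model, not Radiator source code.
use strict;
use warnings;

my $LOG_DEBUG = 4;    # assumed numeric level, matching 'Trace 4' in the post

# Constructed stand-in for a logger object with its own Trace level.
package ModelLogger;
sub new     { my ($class, %args) = @_; return bless {%args}, $class }
sub willLog { my ($self, $priority) = @_; return $priority <= $self->{Trace} ? 1 : 0 }

package main;

# Settings from the test configuration: global Trace 2 on stdout, no global
# <Log> clauses, and one clause-level logger (DEBUG-LOGGER) at Trace 4.
my %config       = (LogStdout => 1, Trace => 2, Log => []);
my $debug_logger = ModelLogger->new(Identifier => 'DEBUG-LOGGER', Trace => 4);
my %clause       = (Identifier => 'RADSEC_SERVER', Log => [$debug_logger]);

# Gate shaped like the quoted main::willLog: only global settings count.
sub global_will_log {
    my ($priority, $p) = @_;
    return 1
        if ($config{LogStdout}
            && ($priority <= $config{Trace} || ($p && $p->{PacketTrace})))
        || grep { $_->willLog($priority, $p) } @{ $config{Log} };
    return 0;
}

# Hypothetical clause-aware gate: also ask the loggers attached to the clause.
sub clause_will_log {
    my ($clause, $priority, $p) = @_;
    return 1 if global_will_log($priority, $p);
    return (grep { $_->willLog($priority, $p) } @{ $clause->{Log} || [] }) ? 1 : 0;
}

# Constructed packet without PacketTrace, as in the posted setup.
my %packet = (PacketTrace => 0);
printf "global gate: %d\n", global_will_log($LOG_DEBUG, \%packet);
printf "clause gate: %d\n", clause_will_log(\%clause, $LOG_DEBUG, \%packet);
```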