[RADIATOR] logging PEAP and TTLS outer tunnels
Tuure Vartiainen
vartiait at open.com.au
Thu Nov 1 10:24:17 UTC 2018
Hello,
> On 30 Oct 2018, at 21.53, Eric W. Bates <ericx at whoi.edu> wrote:
>
> I can't quite figure out how to log the outer tunnel failures for PEAP
> and TTLS. We're getting "EAP PEAP TLS read failed" and I'd like to try
> and suss it out.
>
> I've created an AuthLog, but I don't quite know where to use it.
>
the error is available in a reject reason which can be logged in AuthLog.
Ref: http://www.open.com.au/radiator/ref/FailureFormat_AuthLogFILE.html#Filename_AuthLogFILE-3
A config example where reason is logged with AuthLog FILE.

#####################################################################
# RADIUS request logging
#####################################################################
# This auth logger logs both success and failure to a file. Ignored
# attempts are also logged.
<AuthLog FILE>
    Identifier authlog-file
    Filename %L/authentication.log
    LogSuccess
    LogFailure
    LogIgnore
    SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
        handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' result='OK'
    FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
        handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
    IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' \
        handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' \
        called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
</AuthLog>

<Handler ...>
    Identifier Some-Handler
    AuthBy ...
    AuthLog authlog-file
</Handler>

BR
--
Tuure Vartiainen <vartiait at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
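
Added example, not part of the original message and not Radiator code: a small Python parser for lines written with the FailureFormat and IgnoreFormat above, counting rejects per reason and calling station so that repeated "EAP PEAP TLS read failed" entries can be tied to specific clients. The sample lines are constructed; the timestamp layout standing in for %l and the absence of single quotes inside values are assumptions.

```python
import re
from collections import Counter

# key='value' pairs as written by the formats in the config above.
# Assumption: values never contain a single quote (the format does not escape them).
PAIR = re.compile(r"([\w-]+)='([^']*)'")

# Constructed sample lines; the leading timestamp is an assumed rendering of %l.
SAMPLE_LOG = """\
Thu Nov 15 10:20:01 2018 trace_id='a1' user='anonymous' client='192.0.2.10/wlc1' nas='192.0.2.10/wlc1' handler='Some-Handler' calling-station='00-11-22-33-44-55' called-station='AA-BB-CC-DD-EE-FF:example' reason='EAP PEAP TLS read failed' result='FAIL'
Thu Nov 15 10:20:09 2018 trace_id='a2' user='anonymous' client='192.0.2.10/wlc1' nas='192.0.2.10/wlc1' handler='Some-Handler' calling-station='00-11-22-33-44-55' called-station='AA-BB-CC-DD-EE-FF:example' reason='EAP PEAP TLS read failed' result='FAIL'
Thu Nov 15 10:21:30 2018 trace_id='a3' user='alice' client='192.0.2.10/wlc1' nas='192.0.2.10/wlc1' handler='Some-Handler' calling-station='11-22-33-44-55-66' called-station='AA-BB-CC-DD-EE-FF:example' result='OK'
Thu Nov 15 10:22:45 2018 trace_id='a4' user='bob' client='192.0.2.10/wlc1' nas='192.0.2.10/wlc1' handler='Some-Handler' calling-station='66-77-88-99-AA-BB' called-station='AA-BB-CC-DD-EE-FF:example' reason='Bad Password' result='FAIL'
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it has none.

    Everything before the first key='value' pair is kept as 'timestamp'.
    """
    first = PAIR.search(line)
    if first is None:
        return None
    fields = dict(PAIR.findall(line))
    fields["timestamp"] = line[:first.start()].strip()
    return fields


def failures_by_reason(lines):
    """Count FAIL and IGNORE results per (reason, calling-station)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("result") in ("FAIL", "IGNORE"):
            key = (rec.get("reason", ""), rec.get("calling-station", ""))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    summary = failures_by_reason(SAMPLE_LOG.splitlines())
    for (reason, station), n in summary.most_common():
        print(f"{n:3d}  {reason}  {station}")
```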