[RADIATOR] Log all request and reply attributes
Heikki Vatiainen
hvn at open.com.au
Wed Dec 14 12:58:01 UTC 2022
On 13.12.2022 11.15, Alexander Hartmaier via radiator wrote:
> the following code works like a charm:
>
> $message->{radius}->{request} = $p->get_attrs; \
> # don't leak the TACACS+ key \
> delete $message->{radius}->{request}->{TACACSPLUSKey}; \
> $message->{radius}->{response} = $p->{rp}->get_attrs; \
>
> Note that the request packet contains the cleartext TACACSPLUSKey. Can
> you obscure or remove that like it happens for the User-Password?
Here's what I get with <Log FILE> + LogFormatHook that calls
Data::Dumper's Dumper($p->get_attrs):

$VAR1 = {
  "Calling-Station-Id" => "testclient",
  "NAS-IP-Address" => "127.0.0.1",
  "NAS-Identifier" => "TACACS",
  "NAS-Port-Id" => 123,
  "OSC-TACACS-Action" => 1,
  "OSC-TACACS-Authen-Type" => 2,
  "OSC-TACACS-Privilege-Level" => 0,
  "OSC-TACACS-Service" => 0,
  "OSC-Version-Identifier" => 193,
  "User-Name" => "mikem",
  "User-Password" => "**obscured**",
  "cisco-avpair" => [
    "action=1",
    "authen_type=2",
    "priv-lvl=0",
    "service=0"
  ]
};

Could it be that there's something in your local configuration that adds
TACACSPLUSKey in the attributes? I don't see it in my testing and I also
don't expect it to be present in the request's attribute list.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
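
Added example, not part of the original message and not Radiator's own code: a standalone Perl helper that builds a redacted copy of an attribute hash before it is logged, so secrets are masked without deleting anything from the hash it was given. The names redact_attrs, redact_pair and %SECRET are hypothetical, the input is assumed to be a plain hash shaped like the Dumper output above, and masking "key=value" strings inside multi-valued attributes goes beyond what the thread discusses.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Data::Dumper;

# Attribute names treated as secret (assumed list; extend for your deployment).
my %SECRET = map { lc($_) => 1 } qw(TACACSPLUSKey User-Password CHAP-Password);
my $MASK   = '**obscured**';

# Mask the value of a "key=value" string when the key is on the secret list.
sub redact_pair {
    my ($pair) = @_;
    return $pair unless defined $pair && !ref $pair && $pair =~ /=/;
    my ($k, $v) = split /=/, $pair, 2;
    return $SECRET{lc $k} ? "$k=$MASK" : $pair;
}

# Return a redacted copy of an attribute hash. The caller's hash is left
# untouched, so only the copy handed to the logger loses the secret values.
sub redact_attrs {
    my ($attrs) = @_;
    my %copy;
    for my $name (keys %$attrs) {
        my $value = $attrs->{$name};
        if ($SECRET{lc $name}) {
            $copy{$name} = $MASK;
        }
        elsif (ref $value eq 'ARRAY') {
            # Multi-valued attributes (e.g. cisco-avpair) get a new array.
            $copy{$name} = [ map { redact_pair($_) } @$value ];
        }
        else {
            $copy{$name} = $value;
        }
    }
    return \%copy;
}

# Constructed sample input, not taken from a real request.
my $request = {
    'User-Name'     => 'mikem',
    'User-Password' => 'constructed-password',
    'TACACSPLUSKey' => 'constructed-shared-key',
    'cisco-avpair'  => [ 'action=1', 'priv-lvl=0' ],
};

$Data::Dumper::Sortkeys = 1;
print Dumper(redact_attrs($request));   # masked copy for the log
print Dumper($request);                 # original is unchanged
```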