[RADIATOR] UNS: Re: Best way to log timeout requests

Dubravko Penezic dpenezic at srce.hr
Thu Jun 15 17:02:54 UTC 2023


Hi Heikki,

many, many thanks for your example. At the last TNC2023 in Tirana I tried to 
debug some issue with eduroam authentication across a very heterogeneous 
RADIUS infrastructure.

Also, I am a fan of the opinion to IGNORE (discard) a request if the RADIUS 
server doesn't know the answer to an auth/acct request for any reason; that 
gives the lower level RADIUS the opportunity to find the answer somewhere else.

Regards,
Dubravko

On 6/15/23 18:10, Heikki Vatiainen via radiator wrote:
> On 9.6.2023 0.45, Dubravko Penezic via radiator wrote:
> 
>> How to log timed out requests on RADIATOR when RADIATOR acts as a proxy 
>> server?
> 
> That's a good question. Here's one solution I came up with:
> 
> Start by defining a logger as usual, but ensure it also logs IGNORE result.
> 
> # %T is Access-Request, Accounting-Request, etc.
> <AuthLog FILE>
>          Identifier radius-authlog
>          Filename %L/radius-authlog
>          LogSuccess
>          LogFailure
>          LogIgnore
>          SuccessFormat %l:%U:%1:OK
>          FailureFormat %l:%U:%1:FAIL
>          IgnoreFormat %l:%U:%T:%1:IGNORE
> </AuthLog>
> 
> Within AuthBy RADIUS define a NoReplyHook:
> 
> # The 1st argument is the request that Radiator received
> # The 2nd argument is the request that Radiator forwarded
> # without receiving a reply.
> NoReplyHook sub { my $p = ${$_[0]}; \
> #     return unless $p->code() eq 'Access-Request'; \
>       my $al = Radius::AuthLogGeneric::find('radius-authlog'); \
>       $al->authlog($main::IGNORE, 'Timed out', $p) if $al; \
>       main::log($main::LOG_ERR, 'NoReplyHook: did not find logger') unless $al; }
> 
> The above logs all timeouts, including Accounting-Request timeouts, 
> using the file authlogger. If you want just Access-Request to be logged, 
> remove the comment.
> 
>> Basically the log is written once a request has a final state, or the state 
>> is set by a handler, but a timed out request doesn't have a final state.
> 
> Correct, that's the reason. But it's ok to get a handle to an 
> authentication logger and call it as above.
> 
>> It is a "big" issue when you try to "debug" some authentication across 
>> a RADIUS hierarchy and a lot of the proxy servers on the path are RADIATOR 
>> instances.
> 
> A message about a timed out request is logged at INFO level but it goes 
> to the process logfile. The above should help with putting all the results 
> in the same file.
> 
>> For example FreeRADIUS writes FAIL in the log if a request times out.
> 
> You can also log with FAIL, but I used IGNORE and a specific reason so 
> that it's easier to see which messages timed out.
> 
> Note that you can also set up an <AuthLog ...> and use it only to call 
> from NoReplyHook. This allows you to have a separate log file just for 
> the timed out requests.
> 
> Thanks,
> Heikki
> 
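
Added example (not part of the original messages and not Radiator code): a Python sketch that reads a log written with the three formats in the quoted AuthLog above and counts the entries the NoReplyHook records with the reason 'Timed out'. The sample lines, user names, the non-timeout reason strings and the expansion of %l to a timestamp that itself contains colons are assumptions constructed for illustration.

```python
from collections import Counter
from typing import NamedTuple, Optional

class Entry(NamedTuple):
    timestamp: str
    user: str
    req_type: Optional[str]  # only IgnoreFormat carries %T
    reason: str
    result: str

def parse_line(line: str) -> Optional[Entry]:
    """Split from the right so colons inside the %l timestamp do not shift
    the fields. Assumes user names and reasons contain no colon."""
    line = line.rstrip("\n")
    result = line.rsplit(":", 1)[-1]
    if result == "IGNORE":                 # IgnoreFormat %l:%U:%T:%1:IGNORE
        parts = line.rsplit(":", 4)
        if len(parts) != 5:
            return None
        ts, user, req_type, reason, _ = parts
        return Entry(ts, user, req_type, reason, result)
    if result in ("OK", "FAIL"):           # %l:%U:%1:OK and %l:%U:%1:FAIL
        parts = line.rsplit(":", 3)
        if len(parts) != 4:
            return None
        ts, user, reason, _ = parts
        return Entry(ts, user, None, reason, result)
    return None                            # not one of the three formats

def timeout_summary(lines):
    """Count 'Timed out' IGNORE entries per request type and per user."""
    by_type, by_user = Counter(), Counter()
    for line in lines:
        e = parse_line(line)
        if e and e.result == "IGNORE" and e.reason == "Timed out":
            by_type[e.req_type] += 1
            by_user[e.user] += 1
    return by_type, by_user

# Constructed sample log lines (assumed %l layout, made-up users and reasons).
SAMPLE = [
    "Thu Jun 15 17:00:01 2023:alice:Access-Request:Timed out:IGNORE",
    "Thu Jun 15 17:00:02 2023:bob::OK",
    "Thu Jun 15 17:00:03 2023:carol:Bad password:FAIL",
    "Thu Jun 15 17:00:04 2023:alice:Accounting-Request:Timed out:IGNORE",
    "Thu Jun 15 17:00:05 2023:dave:Access-Request:Timed out:IGNORE",
    "Thu Jun 15 17:00:06 2023:erin:Access-Request:Other reason:IGNORE",
    "truncated line without a result token",
]

if __name__ == "__main__":
    by_type, by_user = timeout_summary(SAMPLE)
    print("timeouts by request type:", dict(by_type))
    print("timeouts by user:", dict(by_user))
```

Other IGNORE results share the same IgnoreFormat, so the reason string passed to authlog() in the hook is what separates timeouts from them.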

