List:       freeradius-users
Subject:    Re: Add TLS version to logs with linelog
From:       Matthew Newton via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2024-04-17 11:14:33
Message-ID: fa4a5b01-9c71-4b69-a5f6-336ea4d10ca7 () freeradius ! org

On 17/04/2024 12:06, dominic.stalder@unibe.ch wrote:
> sp {
> Access-Accept = "%t : AuthZ: (%I) Access-Accept: \
> [%{%{reply:User-Name}:-%{User-Name}}] \
> TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} \
> TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} \
> SSID=%{%{request:Called-Station-SSID}:-NULL} \
> Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} \
> Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} \
> Filter-ID=%{%{reply:Filter-Id}:-NULL} \
> VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from \
> client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli \
> %{%{request:Calling-Station-Id}:-Unknown})"

Looks OK at a quick glance.

> And somehow (I really don't know why), it seems to work now:

OK

> (21)       &reply::TLS-Session-Information += \
> &session-state:TLS-Session-Information[*] -> '(TLS) send TLS 1.2 Handshake, Finished'
> (21)       &reply::TLS-Session-Cipher-Suite += \
> &session-state:TLS-Session-Cipher-Suite[*] -> 'ECDHE-RSA-AES256-GCM-SHA384'
> (21)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.2'
> (21)     } # update = noop
> (21)     if (EAP-Message) {
> (21)     if (EAP-Message)  -> TRUE
> (21)     if (EAP-Message)  {
> (21) 802.1x_authz_log: EXPAND sp.%{%{reply:Packet-Type}:-format}
> (21) 802.1x_authz_log:    --> sp.Access-Accept
> (21) 802.1x_authz_log: EXPAND %t : AuthZ: (%I) Access-Accept: \
> [%{%{reply:User-Name}:-%{User-Name}}] \
> TLS-Version=%{%{session-state:TLS-Session-Version}:-NULL} \
> TLS-Ciphers=%{%{session-state:TLS-Session-Cipher-Suite}:-NULL} \
> SSID=%{%{request:Called-Station-SSID}:-NULL} \
> Calling-Station-Id=%{%{request:Calling-Station-Id}:-Unknown} \
> Called-Station-Id=%{%{request:Called-Station-Id}:-Unknown} \
> Filter-ID=%{%{reply:Filter-Id}:-NULL} \
> VLAN=%{%{reply:Tunnel-Private-Group-Id}:-NULL} Class=%{%{reply:Class}:-NULL} (from \
> client %{Client-Shortname} port %{%{request:Nas-Port}:-0} cli \
> %{%{request:Calling-Station-Id}:-Unknown})
> (21) 802.1x_authz_log:    --> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: \
> [dominic.stalder@unibe.ch] TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 \
> SSID=eduroam Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 \
> Filter-ID=staff VLAN=1874 Class=staff (from client \
> cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)
> (21) 802.1x_authz_log: EXPAND /var/log/freeradius/authz.log
> (21) 802.1x_authz_log:    --> /var/log/freeradius/authz.log
> (21)       [802.1x_authz_log] = ok
> (21)     } # if (EAP-Message)  = ok

...

> Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [dominic.stalder@unibe.ch] \
> TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam \
> Calling-Station-Id=6A-05-BD-E0-F2-80 Called-Station-Id=3C-51-0E-72-2A-00 \
> Filter-ID=staff VLAN=1874 Class=staff (from client \
> cisco-wlc-9800-mgmt.wifi.unibe.ch port 4219 cli 6A-05-BD-E0-F2-80)

Looks good.


> As written above, I am sorry "that it works", more so that I don't know why it is
> working now, because in my opinion I did not really change anything than before
> lunch time...

Won't really know without seeing the failure. Could be anything from 
client state issues to wifi timers to an attribute missing that's there 
this time.

> But do we somehow need to close this "discussion" and mark it as resolved or how
> does this work?

This is a mailing list... it's working so all's good!

-- 
Matthew
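
Once the linelog format quoted above writes TLS-Version and TLS-Ciphers to authz.log, the file can be audited for sessions negotiated outside policy. The following is an added example, not part of the original message and not FreeRADIUS code; the function names, the allowed-version set and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Keys written by the linelog format quoted in this thread.
KEYS = "|".join(map(re.escape, (
    "TLS-Version", "TLS-Ciphers", "SSID", "Calling-Station-Id",
    "Called-Station-Id", "Filter-ID", "VLAN", "Class")))
# A value runs up to the next known key or the trailing "(from client ...)",
# so values that contain spaces ("TLS 1.2") stay in one piece.
FIELD_RE = re.compile(
    rf"\b({KEYS})=(.*?)(?=\s+(?:{KEYS})=|\s+\(from client|$)")
USER_RE = re.compile(r"Access-Accept: \[([^\]]*)\]")
ALLOWED = {"TLS 1.2", "TLS 1.3"}  # assumed site policy, adjust as needed

def parse_line(line):
    """Return the fields of one authz.log line as a dict, or None."""
    user = USER_RE.search(line)
    if user is None:
        return None
    # User-Name is client-supplied: scan for fields only after the bracket.
    rec = dict(FIELD_RE.findall(line[user.end():].rstrip()))
    rec["User"] = user.group(1)
    return rec

def audit(lines):
    """Count TLS versions; list (user, station, version) outside ALLOWED."""
    counts, flagged = Counter(), []
    for rec in filter(None, map(parse_line, lines)):
        version = rec.get("TLS-Version", "NULL")
        counts[version] += 1
        if version not in ALLOWED:
            flagged.append((rec["User"], rec.get("Calling-Station-Id"), version))
    return counts, flagged

# Constructed sample lines in the format above (all values are made up).
SAMPLE = [
    "Wed Apr 17 12:55:51 2024 : AuthZ: (135) Access-Accept: [alice@example.org] "
    "TLS-Version=TLS 1.2 TLS-Ciphers=ECDHE-RSA-AES256-GCM-SHA384 SSID=eduroam "
    "Calling-Station-Id=02-00-00-00-00-01 Called-Station-Id=02-00-00-00-10-00 "
    "Filter-ID=staff VLAN=100 Class=staff (from client nas1 port 1 cli 02-00-00-00-00-01)",
    "Wed Apr 17 12:56:02 2024 : AuthZ: (136) Access-Accept: [bob@example.org] "
    "TLS-Version=TLS 1.0 TLS-Ciphers=AES128-SHA SSID=eduroam "
    "Calling-Station-Id=02-00-00-00-00-02 Called-Station-Id=02-00-00-00-10-00 "
    "Filter-ID=NULL VLAN=NULL Class=NULL (from client nas1 port 2 cli 02-00-00-00-00-02)",
    "Wed Apr 17 12:56:09 2024 : AuthZ: (137) Access-Accept: [carol@example.org] "
    "TLS-Version=NULL TLS-Ciphers=NULL SSID=eduroam "
    "Calling-Station-Id=02-00-00-00-00-03 Called-Station-Id=02-00-00-00-10-00 "
    "Filter-ID=NULL VLAN=NULL Class=NULL (from client nas1 port 3 cli 02-00-00-00-00-03)",
]
```

Calling `audit(SAMPLE)` returns the per-version counts and the two sessions that fall outside the assumed policy, including the one logged with the `NULL` fallback.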
