Hi Heikki,
many, many thanks for your example. At the last TNC2023 in Tirana I tried to
debug some issue with eduroam authentication across a very heterogeneous
RADIUS infrastructure.
Also, I am a fan of the opinion to IGNORE (discard) a request if the RADIUS server
doesn't know the answer to an auth/acct request for any reason; that gives the lower
level RADIUS the opportunity to find the answer somewhere else.
Regards,
Dubravko
On 6/15/23 18:10, Heikki Vatiainen via radiator wrote:
On 9.6.2023 0.45, Dubravko Penezic via radiator wrote:
How to log timed-out requests on RADIATOR when RADIATOR acts like a proxy
server?
That's a good question. Here's one solution I came up with:
Start by defining a logger as usual, but ensure it also logs the IGNORE result.
# %T is Access-Request, Accounting-Request, etc.
<AuthLog FILE>
Identifier radius-authlog
Filename %L/radius-authlog
LogSuccess
LogFailure
LogIgnore
SuccessFormat %l:%U:%1:OK
FailureFormat %l:%U:%1:FAIL
IgnoreFormat %l:%U:%T:%1:IGNORE
</AuthLog>
Within AuthBy RADIUS define a NoReplyHook:
# The 1st argument is the request that Radiator received
# The 2nd argument is the request that Radiator forwarded
# without receiving a reply.
NoReplyHook sub { my $p = ${$_[0]}; \
# return unless $p->code() eq 'Access-Request'; \
my $al = Radius::AuthLogGeneric::find('radius-authlog'); \
$al->authlog($main::IGNORE, 'Timed out', $p) if $al; \
main::log($main::LOG_ERR, 'NoReplyHook: did not find logger') unless $al; }
The above logs all timeouts, including Accounting-Request timeouts,
using the file authlogger. If you want just Access-Request to be logged,
remove the comment.
Basically, the log is written once a request has a final state, or the state is
set by a handler, but a timed-out request doesn't have a final state.
Correct, that's the reason. But it's ok to get a handle to an
authentication logger and call it as above.
It is a "big" issue when you try to "debug" some authentication across
a RADIUS hierarchy and a lot of the proxy servers on the path are RADIATOR
instances.
A message about a timed out request is logged with INFO level but it goes
to the process logfile. The above should help putting all the results in
the same file.
For example, FreeRADIUS writes FAIL in the log if a request times out.
You can also log with FAIL, but I used IGNORE and a specific reason so
that it's easier to see which messages timed out.
Note that you can also set up an <AuthLog ...> and use it only to call
from NoReplyHook. This allows you to have a separate log file just for
the timed out requests.
Thanks,
Heikki
_______________________________________________
radiator mailing list
https://lists.open.com.au/mailman/listinfo/radiator
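
Added example (not part of the original thread, and not Radiator code): a small Python parser for the file written with the three AuthLog formats above, counting the 'Timed out' IGNORE entries that the NoReplyHook logs, per realm and request type. It assumes %l expands to a timestamp like "Thu Jun 15 18:10:05 2023" and that user names contain no colon; the sample lines and realm names are constructed.

```python
import re
from collections import Counter

# Assumption: %l expands to e.g. "Thu Jun 15 18:10:05 2023", so the
# timestamp itself contains the ':' that separates the fields.
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}):(.*):(OK|FAIL|IGNORE)$")

def parse_line(line):
    """Return a dict for one authlog line, or None if it does not match."""
    m = LINE.match(line.rstrip("\n"))
    if not m:
        return None
    ts, body, result = m.groups()
    # IgnoreFormat carries the extra %T field; Success/FailureFormat do not.
    want = 3 if result == "IGNORE" else 2
    parts = body.split(":", want - 1)
    if len(parts) != want:
        return None
    user, reason = parts[0], parts[-1]
    rtype = parts[1] if result == "IGNORE" else None
    return {"time": ts, "user": user, "type": rtype,
            "reason": reason, "result": result}

def timeouts_by_realm(lines, reason="Timed out"):
    """Count hook-logged timeouts per (realm, request type)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["result"] == "IGNORE" and rec["reason"] == reason:
            realm = rec["user"].rpartition("@")[2] if "@" in rec["user"] else "(none)"
            counts[(realm, rec["type"])] += 1
    return counts

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    "Thu Jun 15 18:10:05 2023:alice@uni-a.example::OK",
    "Thu Jun 15 18:10:09 2023:bob@uni-b.example:Access-Request:Timed out:IGNORE",
    "Thu Jun 15 18:10:12 2023:carol@uni-a.example:Bad password:FAIL",
    "Thu Jun 15 18:10:14 2023:bob@uni-b.example:Accounting-Request:Timed out:IGNORE",
    "Thu Jun 15 18:10:19 2023:dave@uni-b.example:Access-Request:Timed out:IGNORE",
    "Thu Jun 15 18:10:21 2023:erin@uni-c.example:Access-Request:Handler ignored:IGNORE",
]

if __name__ == "__main__":
    for (realm, rtype), n in timeouts_by_realm(SAMPLE).most_common():
        print(f"{n:3d}  {realm}  {rtype}")
```

A realm that dominates this count points at the upstream hop that is not answering, which is the question when tracing a request through several proxies.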