Hello Markus,
Thanks for your thoughts.
EAP-Error is not in the dictionary, and will cause errors when the reply is
packaged, will it not?
In any case, I would expect the EAP error reason to be available in the reason
sent to the AuthLog clause.
Also, if you have RejectHasReason set, I would expect to see the EAP error in
the reply message too.
Cheers.
On Friday 19 November 2010 06:41:05 am Markus Moeller wrote:
> Hi,
>
> I would like to log more than TLS error acknowledged into the access
> log, but I don't see that the error is stored anywhere. Is the below a good
> way to do it and use the EAP-Error attribute in the access log deny message?
>
> Thank you
> Markus
>
>
> --- /tmp/EAP_13.pm 2010-11-18 08:16:53.000000000 +0000
> +++ /tmp/EAP_13_n.pm 2010-11-18 08:22:06.000000000 +0000
> @@ -116,6 +116,7 @@
> {
> # Handshake was not successful
> my $errs = &Net::SSLeay::print_errs();
> + $p->add_attr('EAP-Error', "EAP TLS Handshake unsuccessful:
> $errs"); return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs"); }
> elsif ($reason == Net::SSLeay::ERROR_WANT_READ)
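Review bot: the added `$p->add_attr('EAP-Error', ...)` uses an attribute name that is not defined in the dictionary (as the reply above points out), so the packet cannot be packed with it; define EAP-Error in the dictionary (for example as a vendor-specific string attribute) before relying on it, or carry the text in a known attribute such as Reply-Message. The value is also risky as written: `$errs` from `Net::SSLeay::print_errs()` can run to several lines and well past the 253-octet limit on a RADIUS attribute value, so take the first line or truncate before adding it. Finally, the same "EAP TLS Handshake unsuccessful: $errs" string is built twice, once for add_attr and once for the return; assign it to a variable once and pass that to both.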
> @@ -137,6 +138,7 @@
> # Certificate verification failed, keep going
> # so we tell the client what the problem was
> my $verify_error_string =
> &Radius::TLS::verify_error_string($verify_result); +
> $p->add_attr('EAP-Error', "EAP TLS certificate verification failed:
> $verify_error_string, $errs"); $self->log($main::LOG_INFO, "EAP TLS
> certificate verification failed: $verify_error_string, $errs", $p);
>
> }
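Review bot: this path deliberately keeps going after a certificate verification failure (the comment says so), so the EAP-Error added here stays on $p while the handshake continues; when the handshake then fails in the preceding `-116` hunk or hits the serious-error path in the next one, a second EAP-Error instance is added, and a consumer reading the attribute will see two values. Replace rather than append here (change_attr, if the Radius::Radius packet API in your version offers it, or delete_attr followed by add_attr), or only set the attribute on the path that actually rejects.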
> @@ -144,6 +146,7 @@
> {
> # Serious TLS error, bail out
> $self->log($main::LOG_ERR, "EAP TLS error: $ret,
> $reason, $state, $verify_result, $errs", $p); +
> $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state,
> $verify_result, $errs"); &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> return ($main::REJECT, "EAP TLS error");
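Review bot: the REJECT at the end of this hunk still returns the bare reason "EAP TLS error", while the detail ($ret, $reason, $state, $verify_result, $errs) goes only into the attribute and the LOG_ERR line; since the returned reason is what reaches the AuthLog clause, return the detailed string too, as the other hunks do. Build the message once into a variable and use it for the log call, the add_attr and the return so the three cannot drift apart.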
> @@ -192,6 +195,7 @@
> {
> &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> + $p->add_attr('EAP-Error', "EAP TLS No peer certificate");
> return ($main::REJECT, 'EAP TLS No peer certificate');
> }
> &Net::SSLeay::X509_free($peer); # get_peer_certificate increments
> the count @@ -208,6 +212,7 @@
> {
> &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> + $p->add_attr('EAP-Error', "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); return
> ($main::REJECT, "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); }
> $authuser = $user;
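Review bot: in both the `-192` and `-208` hunks the attribute value repeats the string of the following return statement verbatim; build each message once and pass the same variable to add_attr and return. In the `-208` hunk the value also interpolates $context->{tls_authenticated_cn}, which comes from the peer's certificate and therefore from the client; if EAP-Error is later copied into the Access-Reject (RejectHasReason) or into the access log, treat it as untrusted input and strip newlines and control characters before logging it. Both add_attr calls are placed after eap_failure($p->{rp}, $context) has built the EAP-Failure reply, which is consistent with wanting the attribute on the request $p for AuthLog rather than on the reply.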
--
Mike McCauley [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
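As an added example, not from the thread and not from Radiator's own documentation: a configuration fragment showing where the reject reason returned with $main::REJECT ends up when RejectHasReason is set, which is the alternative to a new attribute that the reply above suggests. Parameter names are given as I recall them from the Radiator reference manual (RejectHasReason on the Handler; AuthLog FILE with Identifier, Filename, LogFailure and FailureFormat, where %1 is the reject reason); the file paths and the password are placeholders. Check all of them against your Radiator version before use, since they are assumptions here.

```text
# Added example: Radiator configuration fragment (not from the original thread).
# Assumed: RejectHasReason is a Handler parameter; AuthLog FILE supports
# Identifier, Filename, LogFailure and FailureFormat; %1 in FailureFormat is
# the reason string returned together with $main::REJECT. Verify against the
# reference manual for your Radiator version.

<Handler>
        # Copy the reject reason into the Access-Reject as a Reply-Message
        RejectHasReason

        # Send every failed authentication to the AuthLog defined below
        AuthLog eaptls-authlog

        <AuthBy FILE>
                Filename %D/users
                EAPType TLS
                # Placeholder certificate paths and password
                EAPTLS_CAFile %D/certificates/cacert.pem
                EAPTLS_CertificateFile %D/certificates/server.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/server.pem
                EAPTLS_PrivateKeyPassword whatever
        </AuthBy>
</Handler>

<AuthLog FILE>
        Identifier eaptls-authlog
        Filename %L/authlog
        LogFailure
        # %l = timestamp, %U = original User-Name, %1 = reject reason,
        # which for EAP-TLS is the string returned with $main::REJECT
        FailureFormat %l:%U:FAIL:%1
</AuthLog>
```

With this in place the detailed strings that EAP_13.pm already returns (for example "EAP TLS Handshake unsuccessful: ...") appear in the authlog line via %1 and in the Reply-Message of the Access-Reject, without changing the module or the dictionary; a path that returns only a generic reason will, of course, log only that generic reason.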