Hi Mike,

You are right. I overlooked that %1 contains the reason. But in some cases I get only a simple reason, e.g. "EAP TLS error" instead of "EAP TLS error: $ret, $reason, $state, $verify_result, $errs", or when "EAP TLS certificate verification failed: $verify_error_string, $errs" is logged in the main logfile it is not in the reason message; it produces "TLS Alert acknowledged." and I have to search the logfile for the real reason when troubleshooting.
Thank you
Markus

----- Original Message -----
From: "Mike McCauley" <[email protected]>
To: <[email protected]>
Cc: "Markus Moeller" <[email protected]>
Sent: Thursday, November 18, 2010 9:41 PM
Subject: Re: [RADIATOR] Additional logging for EAP-TLS

> Hello Markus,
>
> Thanks for your thoughts.
> EAP-Error is not in the dictionary, and will cause errors when the reply is
> packaged, will it not?
>
> In any case, I would expect the EAP error reason to be available in the reason
> sent to the AuthLog clause.
> Also, if you have RejectHasReason set, I would expect to see the EAP error in
> the reply message too.
>
> Cheers.
>
> On Friday 19 November 2010 06:41:05 am Markus Moeller wrote:
>> Hi,
>>
>> I would like to log more than TLS error acknowledged into the access
>> log, but I don't see that the error is stored anywhere. Is the below a good
>> way to do it and use the EAP-Error attribute in the access log deny message?
>>
>> Thank you
>> Markus
>>
>>
>> --- /tmp/EAP_13.pm 2010-11-18 08:16:53.000000000 +0000 >> +++ /tmp/EAP_13_n.pm 2010-11-18 08:22:06.000000000 +0000 >> @@ -116,6 +116,7 @@ >> { >> # Handshake was not successful >> my $errs = &Net::SSLeay::print_errs(); >> + $p->add_attr('EAP-Error', "EAP TLS Handshake >> unsuccessful: >> $errs"); return ($main::REJECT, "EAP TLS Handshake unsuccessful: >> $errs"); } >> elsif ($reason == Net::SSLeay::ERROR_WANT_READ) >> @@ -137,6 +138,7 @@ >> # Certificate verification failed, keep going >> # so we tell the client what the problem was >> my $verify_error_string = >> &Radius::TLS::verify_error_string($verify_result); + >> $p->add_attr('EAP-Error', "EAP TLS certificate verification failed: >> $verify_error_string, $errs"); $self->log($main::LOG_INFO, "EAP TLS >> certificate verification failed: $verify_error_string, $errs", $p); >> >> } 
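Review bot: In the @@ -116 hunk the new add_attr line builds exactly the "EAP TLS Handshake unsuccessful: $errs" string that the return on the next line already hands back as the reject reason, so the detail is not lost today, only duplicated. Build it once, `my $msg = "EAP TLS Handshake unsuccessful: $errs";`, and use `$msg` in both the attribute and the return so the reason and the attribute can never drift apart. Note also that the attribute is attached to the request `$p`, not to the reply `$p->{rp}` that eap_failure receives, so it is never sent to the supplicant; that is the right place for the raw output of Net::SSLeay::print_errs(), which is library-level error text for the server log rather than for an unauthenticated peer.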
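Review bot: In the @@ -137 hunk the attribute is attached on a branch whose own comment says "keep going", so this request is answered with another round of the handshake rather than rejected; the reject that finally produces the deny log entry arrives on a later request (Markus's report above shows it logged as "TLS Alert acknowledged"), and an attribute added to this `$p` is gone by then. Store the failure text in `$context` instead, which is what survives across EAP rounds, for example `$context->{verify_failure} = "EAP TLS certificate verification failed: $verify_error_string, $errs";`, and fold it into the reason returned by the final reject. The new line is also spliced in front of the existing $self->log(...) call with identical text, so the same point about building the string once applies here.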
>> @@ -144,6 +146,7 @@ >> { >> # Serious TLS error, bail out >> $self->log($main::LOG_ERR, "EAP TLS error: $ret, >> $reason, $state, $verify_result, $errs", $p); + >> $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state, >> $verify_result, $errs"); &Radius::TLS::contextSessionClear($context); >> $self->eap_failure($p->{rp}, $context); >> return ($main::REJECT, "EAP TLS error"); >> @@ -192,6 +195,7 @@ >> { >> &Radius::TLS::contextSessionClear($context); >> $self->eap_failure($p->{rp}, $context); >> + $p->add_attr('EAP-Error', "EAP TLS No peer certificate"); >> return ($main::REJECT, 'EAP TLS No peer certificate'); >> } >> &Net::SSLeay::X509_free($peer); # get_peer_certificate increments >> the count @@ -208,6 +212,7 @@ >> { >> &Radius::TLS::contextSessionClear($context); >> $self->eap_failure($p->{rp}, $context); >> + $p->add_attr('EAP-Error', "EAP TLS session resumed by >> user >> $context->{tls_authenticated_cn} is not authenticated: $reason"); return >> ($main::REJECT, "EAP TLS session resumed by user >> $context->{tls_authenticated_cn} is not authenticated: $reason"); } >> $authuser = $user;
>
>
>
> --
> Mike McCauley [email protected]
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare
> etc.
>
> _______________________________________________
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
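Review bot: In the @@ -144 hunk the reason returned on the last context line is still the bare "EAP TLS error" while the full "$ret, $reason, $state, $verify_result, $errs" detail goes only to the LOG_ERR call and the new attribute; since the returned reason is what the AuthLog clause receives, returning the detailed string (built once and shared with the log call) fixes the short-reason problem without introducing an attribute that is not in the dictionary. One caveat before doing that: with RejectHasReason set the reason is also copied into the reply to the supplicant, so if that setting is in use keep $errs and $state out of the returned string, or strip them before the reply is built; low-level TLS error text belongs in the server log, not in an Access-Reject.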
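Review bot: In the @@ -192 hunk the added attribute value "EAP TLS No peer certificate" is character for character the reason that the following return already passes back, so it adds nothing the AuthLog reason does not carry; drop the add_attr here, or if the attribute is kept for another consumer, build the string once and return the same variable.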
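Review bot: In the @@ -208 hunk the new attribute again duplicates the reason returned on the following lines verbatim, including the interpolated `$context->{tls_authenticated_cn}`; build the string once and pass it to both. Because tls_authenticated_cn comes from the subject of the peer's certificate, anything that writes this reason to a log file or a reply should treat it as untrusted text (it can contain newlines or the separator characters of the log format), which is one more reason to keep a single canonical reason string rather than two copies to sanitise.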
