FreeRadius Auth Method variables


FreeRadius Auth Method variables

Sep0lkit
I want to log the user auth method (PAP/CHAP/EAP-TLS/EAP-PEAP). I searched the
FreeRADIUS website and Google, but there is nothing.

I think this variable is very useful. Could this feature be added in the future?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: FreeRadius Auth Method variables

Alan DeKok-2
On Nov 20, 2019, at 4:35 AM, Sep0lkit <[hidden email]> wrote:
>
> I want to log the user auth method (PAP/CHAP/EAP-TLS/EAP-PEAP). I searched the
> FreeRADIUS website and Google, but there is nothing.
>
> I think this variable is very useful. Could this feature be added in the future?

  There is no variable which holds the authentication method.

  The logic is basically this:

        if User-Password exists
                it's PAP
        else if CHAP-Password exists
                then it's CHAP
        else if MS-CHAP-* attributes exist
                then it's MS-CHAP
        else if EAP-Message exists
                then the EAP-Type attribute contains the EAP type
        else
                the packet is likely rejected

  Alan DeKok.



Re: FreeRadius Auth Method variables

Sep0lkit
Thanks for your reply.
I tried to get this variable using run-time variables and conditional
syntax, but it returns the attribute value.

And on EAP, its auth method is in options, so I can't get the inner EAP auth
method (EAP-TLS).

FreeRADIUS auth knows which auth method returns "known good"; it can set
the auth method variables.

All of the above is what I think; it may be true.

Thanks for your reply again.


Re: FreeRadius Auth Method variables

Alan DeKok-2
On Nov 20, 2019, at 9:01 AM, Sep0lkit <[hidden email]> wrote:
>
> Thanks for your reply.
> I tried to get this variable using run-time variables and conditional
> syntax, but it returns the attribute value.

  You can test if an attribute exists:

        if (&CHAP-Password) {
                ...
        }

> And on EAP, its auth method is in options, so I can't get the inner EAP auth
> method (EAP-TLS).

  If it's EAP-TLS, there's no inner auth method.

  If it's TTLS or PEAP, you can use the same logic in the "inner-tunnel" virtual server to determine the inner authentication method.

> FreeRADIUS auth knows which auth method returns "known good"; it can set
> the auth method variables.

  No, FreeRADIUS just runs the same logic I said before.

  Alan DeKok.
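
The if/else chain from the replies above, applied to raw Access-Request bytes, as an added example that is not part of the thread or of FreeRADIUS. It goes beyond the thread by splitting MS-CHAP into v1/v2 and by reading the EAP type from the EAP-Message payload instead of the server's EAP-Type attribute; all function names and the sample packets are constructed for illustration.

```python
import struct

# Numbers from RFC 2865 (RADIUS), RFC 2548 (Microsoft VSAs), RFC 3579 (EAP-Message).
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MICROSOFT = 311
MSCHAP_RESPONSES = {1: "MS-CHAP", 25: "MS-CHAPv2"}  # MS-CHAP-Response, MS-CHAP2-Response
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5", 13: "TLS", 21: "TTLS", 25: "PEAP"}

def attributes(packet):
    """Return [(type, value)] for a RADIUS packet, rejecting malformed lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20  # 20 = code + id + length + 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return out

def auth_method(packet):
    """Classify one request using the attribute-presence chain from the thread."""
    attrs = attributes(packet)
    types = {t for t, _ in attrs}
    if USER_PASSWORD in types:
        return "PAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    for t, v in attrs:  # VSA value = 4-byte vendor id, 1-byte vendor type, ...
        if t == VENDOR_SPECIFIC and len(v) >= 5 and struct.unpack("!I", v[:4])[0] == MICROSOFT:
            if v[4] in MSCHAP_RESPONSES:
                return MSCHAP_RESPONSES[v[4]]
    eap = b"".join(v for t, v in attrs if t == EAP_MESSAGE)  # may span several attributes
    if eap:
        if len(eap) < 5:  # EAP Success/Failure carry no type byte
            return "EAP (no type)"
        return "EAP-" + EAP_TYPES.get(eap[4], "type-%d" % eap[4])
    return "none (likely rejected)"

def build_request(attrs):
    """Constructed sample input: Access-Request with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

def eap_response(eap_type, data=b""):
    return struct.pack("!BBHB", 2, 1, 5 + len(data), eap_type) + data

if __name__ == "__main__":
    print(auth_method(build_request([(1, b"alice"), (USER_PASSWORD, bytes(16))])))
    print(auth_method(build_request([(EAP_MESSAGE, eap_response(1, b"alice"))])))
```

The first request of an EAP conversation reports `EAP-Identity` because the method is only negotiated in later round trips, and for TTLS or PEAP the outer packet never shows the inner method, which is why the thread points to the "inner-tunnel" virtual server.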



Re: FreeRadius Auth Method variables

Sep0lkit
Got it,
I will try this with your method. Thanks a lot.
