Logging TLS versions for TTLS/EAP

Logging TLS versions for TTLS/EAP

Sven Hartge-5
Hi!

To gather a deeper insight in what TLS versions are used by clients in
our wireless network, I want to log what MAC address uses what TLS
version (and maybe cipher algorithm, but that is secondary) during the
PEAP or TTLS handshake.

I guess a simple linelog would be sufficient for that task, but, I must
confess, I am a bit lost on what attributes to use for the TLS version
part, if there even *is* a way to log this information.

I'd appreciate a little push in the right direction.

Regards,
Sven.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Logging TLS versions for TTLS/EAP

Alan DeKok-2
On Aug 12, 2017, at 2:56 PM, Sven Hartge <[hidden email]> wrote:
> To gather a deeper insight in what TLS versions are used by clients in
> our wireless network, I want to log what MAC address uses what TLS
> version (and maybe cipher algorithm, but that is secondary) during the
> PEAP or TTLS handshake.
>
> I guess a simple linelog would be sufficient for that task, but, I must
> confess, I am a bit lost on what attributes to use for the TLS version
> part, if there even *is* a way to log this information.

  It's available in src/main/tls.c, see tls_session_information().  But it's not available as an attribute.

  Alan DeKok.



Re: Logging TLS versions for TTLS/EAP

Sven Hartge-5
On 12.08.2017 18:43, Alan DeKok wrote:
> On Aug 12, 2017, at 2:56 PM, Sven Hartge <[hidden email]> wrote:

>> To gather a deeper insight in what TLS versions are used by clients
>> in our wireless network, I want to log what MAC address uses what
>> TLS version (and maybe cipher algorithm, but that is secondary)
>> during the PEAP or TTLS handshake.
>>
>> I guess a simple linelog would be sufficient for that task, but, I
>> must confess, I am a bit lost on what attributes to use for the TLS
>> version part, if there even *is* a way to log this information.

> It's available in src/main/tls.c, see tls_session_information().  But
> it's not available as an attribute.

I see, str_version is the interesting part. But my C-fu is too weak, I
couldn't even start to create a patch to put this into an attribute for
later consumption via unlang.

And running the production servers in debug mode is also not really
feasible.

So this is a dead end for me, isn't it?

Regards,
Sven.
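
The per-client record asked for in this thread (MAC address, TLS version, cipher suite) can be read from the ServerHello of the handshake. The following is an added example, not part of the thread and not FreeRADIUS code: it assumes the TLS record has already been reassembled from the EAP fragments and that the MAC comes from Calling-Station-Id; all function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample (not captured data): one TLS record, minimal ServerHello. */
static const uint8_t SAMPLE[47] = {
    0x16, 0x03, 0x03, 0x00, 0x2a,   /* record: handshake, length 42 */
    0x02, 0x00, 0x00, 0x26,         /* handshake: ServerHello, length 38 */
    0x03, 0x03,                     /* server_version = TLS 1.2 */
    [43] = 0x00,                    /* session id length (32-byte random left zero) */
    [44] = 0xc0, 0x2f, 0x00         /* cipher suite 0xc02f, null compression */
};

/* Version code to name. A TLS 1.3 ServerHello also carries 0x0303 here and
 * signals 1.3 in the supported_versions extension, which is not parsed. */
const char *tls_version_name(uint16_t v) {
    switch (v) {
    case 0x0300: return "SSL 3.0";
    case 0x0301: return "TLS 1.0";
    case 0x0302: return "TLS 1.1";
    case 0x0303: return "TLS 1.2";
    default:     return "unknown";
    }
}

/* Extract version and cipher suite from a ServerHello record; -1 on bad input. */
int parse_server_hello(const uint8_t *p, size_t len, uint16_t *ver, uint16_t *cs) {
    /* 5 record header + 4 handshake header + 2 version + 32 random + 1 sid length */
    if (len < 44 || p[0] != 0x16 || p[5] != 0x02) return -1;
    size_t rec_end = 5 + (size_t)((p[3] << 8) | p[4]);
    size_t sid_len = p[43];
    if (rec_end > len || sid_len > 32 || 46 + sid_len > rec_end) return -1;
    *ver = (uint16_t)((p[9] << 8) | p[10]);
    *cs  = (uint16_t)((p[44 + sid_len] << 8) | p[45 + sid_len]);
    return 0;
}

/* Build a linelog-style line: "<mac> <version> cipher=0x<suite>". */
int format_tls_log(const char *mac, const uint8_t *rec, size_t len, char *out, size_t n) {
    uint16_t ver, cs;
    if (parse_server_hello(rec, len, &ver, &cs) != 0) return -1;
    snprintf(out, n, "%s %s cipher=0x%04x", mac, tls_version_name(ver), (unsigned)cs);
    return 0;
}

int main(void) {
    char line[64];
    if (format_tls_log("00:11:22:33:44:55", SAMPLE, sizeof SAMPLE, line, sizeof line) == 0)
        puts(line);
    return 0;
}
```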