proxy results in linelog

classic Classic list List threaded Threaded
6 messages Options
| Threaded
Open this post in threaded view
|

proxy results in linelog

Users mailing list
Greetings FR-users,

Our setup is to proxy auth requests to an off-site radius system.

I've got pre-proxy logs going via linelog. (Thanks Matthew Newton and Alan!)

I'd like to log the accept or reject from the proxy. From running the
server in debug I see:

(13) Received Access-Accept Id 178 from 10.0.0.1:1812 to 192.168.0.1:44377
length 51

I'd like to get the result ("accept" or "Access-Accept") and the home
server ("10.0.0.1") in the linelog configs.

I've looked at the man page for unlang, but didn't find anything that
looked like it applied.

My current linelog configuration looks like:

[...]
messages {
        Access-Request = "%S Access Request for user for:
[%{%{User-Name}:-User-Name not set}] via client
[%{%{Called-Station-Id}:-Called-Station-Id not set}] from user station
[%{%{Calling-Station-Id}:-Calling-Station-Id not set}]"
}
[...]

What is the best way to get the results of the proxy to linelog? Or is
linelog the best place to log these results?

Thanks for any help!

-m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: proxy results in linelog

Alan DeKok-2
On Dec 14, 2020, at 3:49 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
> I'd like to log the accept or reject from the proxy. From running the
> server in debug I see:
>
> (13) Received Access-Accept Id 178 from 10.0.0.1:1812 to 192.168.0.1:44377
> length 51
> ...
> What is the best way to get the results of the proxy to linelog? Or is
> linelog the best place to log these results?

  See the post-proxy section.  Put a "linelog" there.  It will log the replies from the home server.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: proxy results in linelog

Users mailing list
Hi Alan,

On Mon, Dec 14, 2020 at 2:55 PM Alan DeKok <[hidden email]>
wrote:

> On Dec 14, 2020, at 3:49 PM, Matt Zagrabelny via Freeradius-Users <
> [hidden email]> wrote:
> > I'd like to log the accept or reject from the proxy. From running the
> > server in debug I see:
> >
> > (13) Received Access-Accept Id 178 from 10.0.0.1:1812 to
> 192.168.0.1:44377
> > length 51
> > ...
> > What is the best way to get the results of the proxy to linelog? Or is
> > linelog the best place to log these results?
>
>   See the post-proxy section.  Put a "linelog" there.  It will log the
> replies from the home server.
>

I should have mentioned that I did put the linelong in post-proxy.

I do get two messages (I've got linelog entered for both pre & post proxy):

2020-12-14 13:46:04 Access Request for user for: [bob] via client
[192.168.0.1] from user station [68.115.93.161]
2020-12-14 13:46:04 Access Request for user for: [bob] via client
[192.168.0.1] from user station [68.115.93.161]

...but, I don't see how to get the result and home server. Is my linelog
configuration (mentioned in my initial email) interfering with the logging
behavior you are expecting to see?

Thanks,

-m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: proxy results in linelog

Alan DeKok-2
On Dec 14, 2020, at 4:25 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
>
> I should have mentioned that I did put the linelong in post-proxy.

  With the same configuration as for the other sections?

  The "linelog" configuration has:

        reference = "messages.%{%{reply:Packet-Type}:-default}"

  Which if used in the "post-proxy" section, will look at the reply.  Not that the *proxy* reply.

  See "man unlang".  You can look at "proxy-request:Packet-Type" or "proxy-reply:Packet-Type"

> I do get two messages (I've got linelog entered for both pre & post proxy):
>
> 2020-12-14 13:46:04 Access Request for user for: [bob] via client
> [192.168.0.1] from user station [68.115.93.161]
> 2020-12-14 13:46:04 Access Request for user for: [bob] via client
> [192.168.0.1] from user station [68.115.93.161]
>
> ...but, I don't see how to get the result and home server. Is my linelog
> configuration (mentioned in my initial email) interfering with the logging
> behavior you are expecting to see?

  If the linelog configuration only looks at the reply for Packet-Type, then it will only print out messages for that.  If you want it to look at the proxied packets, then you have to tell it to look at the proxied packets.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: proxy results in linelog

Users mailing list
On Mon, Dec 14, 2020 at 3:43 PM Alan DeKok <[hidden email]>
wrote:

>
>   If the linelog configuration only looks at the reply for Packet-Type,
> then it will only print out messages for that.  If you want it to look at
> the proxied packets, then you have to tell it to look at the proxied
> packets.
>

Okay. I understand more. Thank you for the explanation. For anyone (like
me!) in the future who might benefit, here are my configs:

in mods-available/linelog...

    reference = "messages.%{%{proxy-reply:Packet-Type}:-default}"
    messages {
        Access-Accept = "%S Accepted User: [%{%{User-Name}:-User-Name not
set}] via client [%{%{Called-Station-Id}:-Called-Station-Id not set}] from
user station [%{%{Calling-Station-Id}:-Calling-Station-Id not set}]"
        Access-Reject = "%S Rejected User: [%{%{User-Name}:-User-Name not
set}] via client [%{%{Called-Station-Id}:-Called-Station-Id not set}] from
user station [%{%{Calling-Station-Id}:-Calling-Station-Id not set}]"
    }

and add

linelog

to post-proxy section in sites-available/default

One last question...

Where do I look in the docs to find out what the "home server" is? That is,
how to use xlat to add it to my log message configuration?

Thank you!

-m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
| Threaded
Open this post in threaded view
|

Re: proxy results in linelog

Alan DeKok-2
On Dec 14, 2020, at 6:31 PM, Matt Zagrabelny via Freeradius-Users <[hidden email]> wrote:
>
> Where do I look in the docs to find out what the "home server" is? That is,
> how to use xlat to add it to my log message configuration?

 %{home_server:foo}

  Where "foo" is a configuration item from the "home_server" section in the configuration files.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html