FreeRADIUS, eduroam logging and Elasticsearch

FreeRADIUS and eduroam logging
Matthew Ntewton

Just keep authentiaton logs, right?

Keep fewer logs.
– where possible

authorize {
if (EAP-Message =~ /^0x02 . . . . . . 01/) {
linelog
}
...
}

recv Access-Request {
if (!&session-state:) {
linelog
}
...
}

recv Access-Request {
if (!&session-state:) {
update session-state {
Tmp-Integer64-1 := "%{expr:(%c*1000) + (%C/1000)}"
}
linelog
}
...
}

server inner-tunnel {
send Access-Accept {
update outer.session-state {
User-Name := &User-Name
}
}
}

send Access-Accept {
update {
control:Tmp-String-1 := “accept”
session-state:Tmp-Integer64-2 := "%{expr:(%c*1000) + (%C/1000)}"
}
update control {
Tmp-Integer64-1 := "%{expr:&session-state:Tmp-Integer64-2 -
&session-state:Tmp-Integer64-1}"
}
linelog
}

default server
recv Access-Request → check session-state, log request
send Access-Accept → log accept
send Access-Reject → log reject
inner-tunnel
send Access-Accept → update session-state
send Access-Reject → update session-state

%T → tme in ISO8601 date format
control:Tmp-String-1 → “request”, “accept” or “reject”
session-state:Module-Failure-Message → inner reject reason
request:User-Name → outer User-Name
request:Calling-Staton-Id → Calling-Staton-Id
request:Operator-Name → operator name
session-state:User-Name → inner User-Name
control:Tmp-Integer64-1 → total auth tme in ms

input {
file {
path => "/path/to/radius/detail/file"
start_positon => "beginning"
type => radiusdetail
codec => multline {
pattern => "^t"
negate => false
what => "previous"
}
}
}

if ("%{redis:LPUSH radius:event '{"tmestamp":"%T",
"type":"%{control:Tmp-String-1}",
"Outer-User-Name":"%{jsonquote:%{User-Name}}",
"User-Name":"%{jsonquote:%{session-state:User-Name}}",
"Calling-Staton-Id":"%{jsonquote:%{Calling-Staton-Id}}",
"latency":"%{control:Tmp-Integer64-1}" %}'}") {
noop
}

input {
redis {
host => "localhost"
port => "6379"
data_type => "list"
key => "radius:event"
threads => 2
codec => "json"
type => "radius"
}
}

authorize {
uri = "${..connect_uri}/radius/_doc/"
method = 'post'
body = 'json'
force_to = 'plain'
data = '{"tmestamp":"%T",
"type":"%{control:Tmp-String-1}",
"Outer-User-Name":"%{jsonquote:%{User-Name}}",
"Calling-Staton-Id":"%{jsonquote:%{Calling-Staton-Id}}",
"Called-Staton-Id":"%{jsonquote:%{Called-Staton-Id}}"}',
"latency":"%{control:Tmp-Integer64-1}"
}

{ "_index" : "radius",
"_type" : "_doc",
"_id" : "Dcr4XWIBag7SnI-grLNi",
"_version" : 1,
"result" : "created",
"_shards": { "total":2,
"successful":1,
"failed":0 },
"_seq_no" : 4578,
"_primary_term" : 3 }

rest
map json &REST-HTTP-Body {
&Tmp-String-2 := "$.result"
&Tmp-Integer-1 := "$._shards.total"
&Tmp-Integer-2 := "$._shards.successful"
&Tmp-Integer-3 := "$._shards.failed"
}
if (&control:Tmp-String-2 != "created" ) {
...
}

https://wiki.freeradius.org/guide/eduroam

FreeRADIUS, eduroam logging and Elasticsearch

FreeRADIUS, eduroam logging and Elasticsearch

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Similar to FreeRADIUS, eduroam logging and Elasticsearch

Similar to FreeRADIUS, eduroam logging and Elasticsearch (20)

Recently uploaded

Recently uploaded (20)

FreeRADIUS, eduroam logging and Elasticsearch