needed for other packet types.
-log:: Logging configuration for `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` packets
-
-In v3, the `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging was
-configured in the main `radiusd.conf` file,
-in the main `log` subsection. That
-limitation meant that the configuration was
-global to FreeRADIUS. i.e. you could not
-have different `link:https://freeradius.org/rfc/rfc2865.html#Access-Request[Access-Request]` logging for
-different virtual server.
-
-The extra configuration in v4 allows for
-increased flexibility.
-
-
-stripped_names:: Log the full
-`link:https://freeradius.org/rfc/rfc2865.html#User-Name[User-Name]` attribute, as it was
-found in the request.
-
-allowed values: {no, yes}
-
-
-
-auth:: Log authentication requests
-to the log file.
-
-allowed values: {no, yes}
-
-
-
-auth_goodpass:: Log "good"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-
-auth_badpass:: Log "bad"
-passwords with the authentication
-requests.
-
-allowed values: {no, yes}
-
-
-
-msg_goodpass::
-msg_badpass::
-
-Log additional text at the end of the "Login OK" messages.
-for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
-configurations above have to be set to "yes".
-
-The strings below are dynamically expanded, which means that
-you can put anything you want in them. However, note that
-this expansion can be slow, and can negatively impact server
-performance.
-
-
-
session:: Controls how ongoing
(multi-round) sessions are handled
namespace = radius
radius {
Access-Request {
- log {
- stripped_names = no
- auth = no
- auth_goodpass = no
- auth_badpass = no
-# msg_goodpass = ""
-# msg_badpass = ""
- }
session {
# max = 4096
# timeout = 15
# needed for other packet types.
#
Access-Request {
- #
- # log:: Logging configuration for `Access-Request` packets
- #
- # In v3, the `Access-Request` logging was
- # configured in the main `radiusd.conf` file,
- # in the main `log` subsection. That
- # limitation meant that the configuration was
- # global to FreeRADIUS. i.e. you could not
- # have different `Access-Request` logging for
- # different virtual server.
- #
- # The extra configuration in v4 allows for
- # increased flexibility.
- #
- log {
- #
- # stripped_names:: Log the full
- # `User-Name` attribute, as it was
- # found in the request.
- #
- # allowed values: {no, yes}
- #
- stripped_names = no
-
- #
- # auth:: Log authentication requests
- # to the log file.
- #
- # allowed values: {no, yes}
- #
- auth = no
-
- #
- # auth_goodpass:: Log "good"
- # passwords with the authentication
- # requests.
- #
- # allowed values: {no, yes}
- #
- auth_goodpass = no
-
- #
- # auth_badpass:: Log "bad"
- # passwords with the authentication
- # requests.
- #
- # allowed values: {no, yes}
- #
- auth_badpass = no
-
- #
- # msg_goodpass::
- # msg_badpass::
- #
- # Log additional text at the end of the "Login OK" messages.
- # for these to work, the "auth" and "auth_goodpass" or "auth_badpass"
- # configurations above have to be set to "yes".
- #
- # The strings below are dynamically expanded, which means that
- # you can put anything you want in them. However, note that
- # this expansion can be slow, and can negatively impact server
- # performance.
- #
-# msg_goodpass = ""
-# msg_badpass = ""
- }
-
#
# session:: Controls how ongoing
# (multi-round) sessions are handled
# &reply.EAP-Key-Name := &reply.EAP-Session-Id
# }
+ #
+ # Call an instance of `linelog` to log the authentication success
+ # - equivalent to the previous log `auth = yes` option in v3.
+ # See `mods-enabled/linelog` for message formats and destinations.
+ #
+# log_auth_access_accept
+
#
# Remove `Reply-Message` if the response contains an
# `EAP-Message` attribute. Some NAS equipment will
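Review bot: The replacement `log_auth_access_accept` call is shipped commented out, and so is `log_auth_access_reject` in the Access-Reject hunk below, so a server built from this commit writes no per-authentication success or failure line at all unless the operator edits the policy, whereas the removed `log { auth = ... }` block at least lived in the process module and was documented next to its defaults. Failed-login lines are the signal that external rate-limiters and SIEM rules key on, so consider shipping the reject call enabled, or at minimum stating the consequence in the comment, e.g. `# NOTE: leaving this disabled means no audit line is written for rejected authentications.`. The comment also presumes `linelog` instances with exactly these names exist in `mods-enabled/linelog`; presumably uncommenting the call without defining the instance fails when the policy is loaded, which is worth one sentence here since this diff does not show that module configuration.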
#
eap
+ #
+ # Call an instance of `linelog` to log the authentication failure
+ # - equivalent to the previous log `auth = yes` option in v3.
+ # See `mods-enabled/linelog` for message formats and destinations.
+ #
+# log_auth_access_reject
+
#
# Remove `Reply-Message` if the response contains an
# `EAP-Message` attribute. Some NAS equipment will
} process_radius_sections_t;
typedef struct {
- bool log_stripped_names;
- bool log_auth; //!< Log authentication attempts.
- bool log_auth_badpass; //!< Log failed authentications.
- bool log_auth_goodpass; //!< Log successful authentications.
- char const *auth_badpass_msg; //!< Additional text to append to failed auth messages.
- char const *auth_goodpass_msg; //!< Additional text to append to successful auth messages.
-
fr_time_delta_t session_timeout; //!< Maximum time between the last response and next request.
uint32_t max_session; //!< Maximum ongoing session allowed.
CONF_PARSER_TERMINATOR
};
-static const conf_parser_t log_config[] = {
- { FR_CONF_OFFSET("stripped_names", process_radius_auth_t, log_stripped_names), .dflt = "no" },
- { FR_CONF_OFFSET("auth", process_radius_auth_t, log_auth), .dflt = "no" },
- { FR_CONF_OFFSET("auth_badpass", process_radius_auth_t, log_auth_badpass), .dflt = "no" },
- { FR_CONF_OFFSET("auth_goodpass", process_radius_auth_t, log_auth_goodpass), .dflt = "no" },
- { FR_CONF_OFFSET("msg_badpass", process_radius_auth_t, auth_badpass_msg) },
- { FR_CONF_OFFSET("msg_goodpass", process_radius_auth_t, auth_goodpass_msg) },
-
- CONF_PARSER_TERMINATOR
-};
-
static const conf_parser_t auth_config[] = {
- { FR_CONF_POINTER("log", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) log_config },
-
{ FR_CONF_POINTER("session", 0, CONF_FLAG_SUBSECTION, NULL), .subcs = (void const *) session_config },
CONF_PARSER_TERMINATOR
}
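Review bot: Dropping the `log` subsection entry from `auth_config` means an existing v4 configuration that still contains `Access-Request { log { ... } }` is no longer described by any parser rule, and whether that produces a warning, a hard error, or is silently ignored depends on the parser's unknown-section handling, which this diff does not show. Silently ignoring it would be the worst outcome, because the old block controlled whether credentials were logged: an operator who relied on `auth_badpass = no` would not learn that the setting is now meaningless and that logging has moved to policy. Consider keeping a deprecated placeholder for `log` so the parser emits an explicit message pointing at the `linelog` replacement, e.g. `{ FR_CONF_DEPRECATED("log", ...) },` if the parser macros still provide that marker, or failing that a comment on `auth_config` stating that `log` was intentionally removed and where it went. The `session_config` array this hunk trails begins outside the hunk.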
}
-#define RAUTH(fmt, ...) log_request(L_AUTH, L_DBG_LVL_OFF, request, __FILE__, __LINE__, fmt, ## __VA_ARGS__)
-
-/*
- * Return a short string showing the terminal server, port
- * and calling station ID.
- */
-static char *auth_name(char *buf, size_t buflen, request_t *request)
-{
- fr_pair_t *cli;
- fr_pair_t *pair;
- uint32_t port = 0; /* RFC 2865 NAS-Port is 4 bytes */
- char const *tls = "";
- fr_client_t *client = client_from_request(request);
-
- cli = fr_pair_find_by_da(&request->request_pairs, NULL, attr_calling_station_id);
-
- pair = fr_pair_find_by_da(&request->request_pairs, NULL, attr_nas_port);
- if (pair != NULL) port = pair->vp_uint32;
-
- if (request->packet->socket.inet.dst_port == 0) tls = " via proxy to virtual server";
-
- snprintf(buf, buflen, "from client %.128s port %u%s%.128s%s",
- client ? client->shortname : "", port,
- (cli ? " cli " : ""), (cli ? cli->vp_strvalue : ""),
- tls);
-
- return buf;
-}
-
-/*
- * Make sure user/pass are clean and then create an attribute
- * which contains the log message.
- */
-static void CC_HINT(format (printf, 4, 5)) auth_message(process_radius_auth_t const *inst,
- request_t *request, bool goodpass, char const *fmt, ...)
-{
- va_list ap;
-
- bool logit;
- char const *extra_msg = NULL;
-
- char password_buff[128];
- char const *password_str = NULL;
-
- char buf[1024];
- char extra[1024];
- char *p;
- char *msg;
- fr_pair_t *username = NULL;
- fr_pair_t *password = NULL;
-
- /*
- * No logs? Then no logs.
- */
- if (!inst->log_auth) return;
-
- /*
- * Get the correct username based on the configured value
- */
- if (!inst->log_stripped_names) {
- username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
- } else {
- username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_stripped_user_name);
- if (!username) username = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_name);
- }
-
- /*
- * Clean up the password
- */
- if (inst->log_auth_badpass || inst->log_auth_goodpass) {
- password = fr_pair_find_by_da(&request->request_pairs, NULL, attr_user_password);
- if (!password) {
- fr_pair_t *auth_type;
-
- auth_type = fr_pair_find_by_da(&request->control_pairs, NULL, attr_auth_type);
- if (auth_type) {
- snprintf(password_buff, sizeof(password_buff), "<via Auth-Type = %s>",
- fr_dict_enum_name_by_value(auth_type->da, &auth_type->data));
- password_str = password_buff;
- } else {
- password_str = "<no User-Password attribute>";
- }
- } else if (fr_pair_find_by_da(&request->request_pairs, NULL, attr_chap_password)) {
- password_str = "<CHAP-Password>";
- }
- }
-
- if (goodpass) {
- logit = inst->log_auth_goodpass;
- extra_msg = inst->auth_goodpass_msg;
- } else {
- logit = inst->log_auth_badpass;
- extra_msg = inst->auth_badpass_msg;
- }
-
- if (extra_msg) {
- extra[0] = ' ';
- p = extra + 1;
- if (xlat_eval(p, sizeof(extra) - 1, request, extra_msg, NULL, NULL) < 0) return;
- } else {
- *extra = '\0';
- }
-
- /*
- * Expand the input message
- */
- va_start(ap, fmt);
- msg = fr_vasprintf(request, fmt, ap);
- va_end(ap);
-
- RAUTH("%s: [%pV%s%pV] (%s)%s",
- msg,
- username ? &username->data : fr_box_strvalue("<no User-Name attribute>"),
- logit ? "/" : "",
- logit ? (password_str ? fr_box_strvalue(password_str) : &password->data) : fr_box_strvalue(""),
- auth_name(buf, sizeof(buf), request),
- extra);
-
- talloc_free(msg);
-}
-
/** Keep a copy of some attributes to keep them from being tamptered with
*
*/
PROCESS_TRACE;
- vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_success_message);
- if (vp) {
- auth_message(&inst->auth, request, true, "Login OK (%pV)", &vp->data);
- } else {
- auth_message(&inst->auth, request, true, "Login OK");
- }
-
/*
* Check that there is a name which can be used to
* identify the user. The configuration depends on
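Review bot: With the `auth_message()` calls removed from this resume function and from `access_reject` below, `attr_module_success_message` and `attr_module_failure_message` appear to have no remaining use in this file; if they are still listed in the module's dictionary-attribute autoload table they will be resolved at load time for no purpose, and the compiler will not warn because they are file-scope globals. Either drop those two entries in the same commit, or leave a one-line comment next to them such as `/* Module-Success-Message / Module-Failure-Message are now consumed by the linelog policy, not here. */` so the next reader does not reintroduce the lookup. The enclosing `RESUME(access_accept)` function starts outside the hunk, so I could not confirm there is no other reference inside it.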
RESUME(access_reject)
{
- fr_pair_t *vp;
process_radius_t const *inst = talloc_get_type_abort_const(mctx->inst->data, process_radius_t);
PROCESS_TRACE;
- vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_module_failure_message);
- if (vp) {
- auth_message(&inst->auth, request, false, "Login incorrect (%pV)", &vp->data);
- } else {
- auth_message(&inst->auth, request, false, "Login incorrect");
- }
-
fr_state_discard(inst->auth.state_tree, request);
radius_request_pairs_to_reply(request, mctx->rctx);
RETURN_MODULE_OK;