
How to include freeradius attribute Framed-IP-Address into logs


I want to log authentication requests and want to include attribute Framed-IP-Address in the logs. Here is my config in the radiusd.conf:

msg_goodpass = "wifi: %{Virtual-Server}, auth-type: %{control:Auth-Type}, client IP: %{Framed-IP-Address}, device: %{NAS-Identifier} (%{NAS-IP-Address}), authentication result: %{Module-Return-Code}"
msg_badpass = "wifi: %{Virtual-Server}, auth-type:%{control:Auth-Type}, client IP: %{Framed-IP-Address}, device: %{NAS-Identifier} (%{NAS-IP-Address}), authentication result: %{Module-Return-Code}"

All attributes and their values are visible on my log server except for the Framed-IP-Address. Is there something wrong with this config?


Solution

  • There are multiple lists of attributes associated with a request. Typically Framed-IP-Address is in the reply list, though in some rare cases it can be included in Access-Request and accounting requests.

    You might also be trying to just get the IP address of the device sending RADIUS packets.

    So the question here is what you're actually trying to access:

    • If you're trying to access the IP address you're sending for assignment to the wireless client, use %{reply:Framed-IP-Address}.

    • If you're trying to access the src IP from the RADIUS packet, use %{Packet-Src-IP-Address}.

    • If you're expecting the IP address of the wireless client to be included in Access-Requests, which is why you're using %{Framed-IP-Address}, then talk to the NAS vendor about why it's not being included in Access-Request packets. Though I wouldn't usually expect Framed-IP-Address to be available unless this was authentication for something like a captive portal, where DHCP runs before the wireless client has authenticated.

    Or you could be misunderstanding what the purpose of the msg_goodpass and msg_badpass configuration items is.

    msg_goodpass and msg_badpass are only evaluated when processing Access-Request packets, when sending an Access-Accept or Access-Reject. msg_goodpass and msg_badpass are not evaluated when processing Accounting-Request packets, which are the packets which appear to contain the Framed-IP-Address value in your case.

    You can use the linelog module to generate custom syslog messages from Accounting-Requests using the same expansion syntax as msg_goodpass and msg_badpass.

    There are a couple of examples here. Just configure an instance of linelog, and call it in the accounting section of your virtual server i.e.

    accounting {
        linelog
    }
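
A linelog instance for the accounting case described above, as an added example that is not part of the original answer. It assumes FreeRADIUS 3.x syntax; the instance name linelog_acct, the file layout and the message wording are hypothetical.

```conf
# Constructed example, FreeRADIUS 3.x syntax assumed.
# Module file (assumed layout): mods-available/linelog_acct,
# symlinked into mods-enabled/.
linelog linelog_acct {
	# The special filename "syslog" sends each line to syslog
	# instead of writing a file.
	filename = syslog
	syslog_facility = daemon

	# Used when the reference below does not match an entry.
	format = ""

	# Pick the message by Acct-Status-Type; "unknown" covers
	# packets where the attribute is missing.
	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

	Accounting-Request {
		# In an Accounting-Request the attribute is in the request
		# list, so the unqualified %{Framed-IP-Address} resolves here.
		# %{%{...}:-none} logs "none" when the NAS omits it.
		Start = "wifi: %{Virtual-Server}, acct: start, user: %{User-Name}, client IP: %{%{Framed-IP-Address}:-none}, device: %{NAS-Identifier} (%{NAS-IP-Address})"
		Stop = "wifi: %{Virtual-Server}, acct: stop, user: %{User-Name}, client IP: %{%{Framed-IP-Address}:-none}, device: %{NAS-Identifier} (%{NAS-IP-Address})"

		# Value 3 has two dictionary names; define both so the
		# lookup matches whichever name the server expands to.
		Interim-Update = "wifi: %{Virtual-Server}, acct: interim, user: %{User-Name}, client IP: %{%{Framed-IP-Address}:-none}, device: %{NAS-Identifier} (%{NAS-IP-Address})"
		Alive = "wifi: %{Virtual-Server}, acct: interim, user: %{User-Name}, client IP: %{%{Framed-IP-Address}:-none}, device: %{NAS-Identifier} (%{NAS-IP-Address})"

		unknown = "wifi: %{Virtual-Server}, acct: no Acct-Status-Type, device: %{NAS-Identifier} (%{NAS-IP-Address})"
	}
}

# Virtual server (for example sites-available/default):
# call the instance by name in the accounting section.
accounting {
	linelog_acct
}
```

With the "none" fallback, a record that arrives without Framed-IP-Address is distinguishable on the log server from one with an empty field, which makes a NAS that omits the attribute easy to spot.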