Logmanager documentation

FreeRADIUS

FreeRADIUS is modular software used to authenticate users within a local network as well as in roaming mode. By default, the package includes a RADIUS server, a client application, development libraries, and a number of minor utilities.

All information about the status of the server can be logged using the Syslog server, which can be configured to send all of the data to the Logmanager server.

Configuring FreeRADIUS server

  1. Edit the FreeRADIUS server configuration file /etc/freeradius/radiusd.conf.

  2. Find the Logging section and verify that it contains the following parameters (the default configuration file already contains them). Keep auth_badpass and auth_goodpass set to no so that passwords are not written to the log:

    destination = syslog
    file = ${logdir}/radius.log
    syslog_facility = daemon
    stripped_names = no
    auth_badpass = no
    auth_goodpass = no
    
  3. The following parameters need to be changed from their values in the default configuration file. Configuration recommended for FreeRADIUS 2.x:

    auth = yes
    msg_goodpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";vlan:\"%{reply:Tunnel-Private-Group-Id}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\";session_timeout:\"%{reply:Session-Timeout}\";max_simultaneous_connections:\"%{check:Simultaneous-Use}\""
    msg_badpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\";max_simultaneous_connections:\"%{check:Simultaneous-Use}\""
    

    The following parameters need to be changed from their values in the default configuration file. Configuration recommended for FreeRADIUS 3.x:

    auth = yes
    msg_goodpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";vlan:\"%{reply:Tunnel-Private-Group-Id}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\";session_timeout:\"%{reply:Session-Timeout}\""
    msg_badpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\""
    
  4. A sample of the complete logging configuration of the FreeRADIUS server. Configuration recommended for FreeRADIUS 2.x:

    log {
        destination = syslog
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth_badpass = no
        auth_goodpass = no
        auth = yes
        msg_goodpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";vlan:\"%{reply:Tunnel-Private-Group-Id}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\";session_timeout:\"%{reply:Session-Timeout}\""
        msg_badpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\""
    }
    

    A sample of the complete logging configuration of the FreeRADIUS server. Configuration recommended for FreeRADIUS 3.x:

    log {
       destination = syslog
       file = ${logdir}/radius.log
       syslog_facility = daemon
       stripped_names = no
       auth_badpass = no
       auth_goodpass = no
       auth = yes
       msg_goodpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";vlan:\"%{reply:Tunnel-Private-Group-Id}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\";session_timeout:\"%{reply:Session-Timeout}\""
       msg_badpass = "authenticationtype:\"%{control:Auth-Type}\";nasipv4address:\"%{request:NAS-IP-Address}\";nasipv6address:\"%{request:NAS-IPv6-Address}\";nasid:\"%{request:NAS-Identifier}\";srcipaddress:\"%{request:Packet-Src-IP-Address}\";nasport:\"%{request:NAS-Port-Id}\";nasporttype:\"%{request:NAS-Port-Type}\";calledstationid:\"%{request:Called-Station-Id}\";callingstationid:\"%{request:Calling-Station-Id}\""
    }
    
  5. Restart the FreeRADIUS server with the command:

    /etc/init.d/freeradius restart

This completes the configuration of the FreeRADIUS server. Now continue with configuring Syslog-NG.

Configuring the Syslog-NG server

There are two configuration options. The first option sends all messages available in the Syslog-NG service to the Logmanager system. The second option sends only the messages from the FreeRADIUS server.

Sending all messages to the Logmanager

To send all messages from Syslog-NG, follow the chapter Linux Syslog-NG.

Sending only FreeRADIUS messages to the Logmanager server

To send only the FreeRADIUS messages, follow these steps:

  1. According to the chapter Linux Syslog-NG, check the settings of the parameters: source and @include.

  2. Create a file /etc/syslog-ng/conf.d/freeradius-ssh-forward-toLM.conf.

  3. Paste the following code into it:

    # which programs to match: freeradius and sshd
    filter f_freeradius { program(freeradius) or program(sshd); };
    
    # logging destination on the Logmanager server
    destination d_logmanager { tcp("<Logmanager_IP_address>" port(514)); };
    
    # action, i.e. sending the matched messages to the Logmanager server
    log { source(s_src); filter(f_freeradius); destination(d_logmanager); };
    
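    Replace <Logmanager_IP_address> with the IP address of your Logmanager server. Note that the filter above also matches messages from sshd; remove "or program(sshd)" from the filter to forward FreeRADIUS messages only.
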
  4. Restart the Syslog-NG server with the command:

    /etc/init.d/syslog-ng restart
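
How the messages produced by the FreeRADIUS 3.x msg_goodpass and msg_badpass settings above can be parsed on the receiving side and checked for repeated failed logins. This is an added example, not part of the original documentation and not Logmanager's own parser. The sample lines are constructed, the syslog prefix before the first key:"value" pair is an assumption, and parse_auth_line and repeated_failures are hypothetical names.

```python
import re
from collections import Counter

# key:"value" pairs in the layout set by msg_goodpass / msg_badpass
PAIR = re.compile(r'(\w+):"([^"]*)"')
RESULT = re.compile(r"Login (OK|incorrect)")

# Constructed sample lines, not real logs. The text before the first pair is
# an assumed syslog/FreeRADIUS prefix; all addresses are documentation values.
_NAS = ('nasipv4address:"192.0.2.10";nasipv6address:"";nasid:"ap1";'
        'srcipaddress:"192.0.2.10";nasport:"3";nasporttype:"Wireless-802.11";')
_BAD = ('Jan 10 09:16:0%d radius1 freeradius[812]: Login incorrect: [bob] '
        '(from client ap1 port 3) authenticationtype:"EAP";' + _NAS +
        'calledstationid:"AA-BB-CC-11-22-33:corp";'
        'callingstationid:"AA-BB-CC-00-00-02"')
SAMPLE = [
    'Jan 10 09:15:01 radius1 freeradius[812]: Login OK: [alice] '
    '(from client ap1 port 3) authenticationtype:"EAP";' + _NAS +
    'vlan:"20";calledstationid:"AA-BB-CC-11-22-33:corp";'
    'callingstationid:"AA-BB-CC-00-00-01";session_timeout:"3600"',
    _BAD % 1,
    _BAD % 2,
    'Jan 10 09:17:00 radius1 sshd[990]: Failed password for invalid user '
    'admin from 198.51.100.7 port 50522 ssh2',
]

def parse_auth_line(line):
    """Return the fields of one auth message, or None for any other line."""
    result = RESULT.search(line)
    if result is None:
        return None  # e.g. sshd lines, which the syslog-ng filter also forwards
    # An empty value, as when the attribute was not in the packet, becomes None
    fields = {k: (v or None) for k, v in PAIR.findall(line[result.end():])}
    fields["result"] = "ok" if result.group(1) == "OK" else "fail"
    return fields

def repeated_failures(lines, threshold=2):
    """Map Calling-Station-Id (source IP as fallback) to failed-login count."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and rec["result"] == "fail":
            key = rec.get("callingstationid") or rec.get("srcipaddress")
            counts[key or "unknown"] += 1
    return {s: n for s, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(parse_auth_line(SAMPLE[0]))
    print(repeated_failures(SAMPLE))
```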