While detailed logs can be found in the ‘detail’ logs on the RADIUS server, they are both very verbose, logging nearly all RADIUS packets in and out of the server, and also missing all of the logic in the server between the packets. This information is easily visible when running FreeRADIUS in full debugging mode (freeradius -X), but that can generate too much debugging on a busy server, especially when there are no general problems but issues with just one client.

radmin allows a view into the operation of the server without running the entire server in debug mode and without restarting the daemon. It is available in recent versions of the server – 2.2.x or 3.x onwards are fine.

To use radmin, FreeRADIUS has to be running with the control socket enabled. This is found in raddb/sites-available/control-socket, and is usually a matter of just creating a symlink into the sites-enabled directory, as with enabling any other virtual server. The file should also be edited to set ‘mode = rw‘ to enable read-write mode. This may have some security implications if untrusted users have access to your RADIUS server, but you wouldn’t allow that, would you?

To debug a client’s packets, firstly, start up radmin. The directory on the command line is the location of the FreeRADIUS raddb config directory, so on Debian is as follows:

radiusN:/# radmin -d /etc/freeradius
radmin 2.2.0 - FreeRADIUS Server administration tool.
Copyright (C) 2008-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
radmin>

Now set the debug file, which must be relative to the FreeRADIUS log directory (/var/log/freeradius on Debian). Make sure any subdirectory you use already exists:

radmin> debug file tmp/debug
ERROR: Cannot direct debug logs to absolute path
radmin> show debug file
/var/log/freeradius/tmp/debug
radmin>

Note that the error will appear unless the filename has no /’s added, though /var/log/freeradius is always prepended.

On to the debug criteria. This is the single unlang condition that must match the incoming RADIUS packet for that packet’s processing to be debugged. Some examples follow.

radmin> debug condition 'Calling-Station-Id == "aa-bb-cc-dd-ee-ff"'
radmin> show debug condition
(Calling-Station-Id == "aa-bb-cc-dd-ee-ff")
radmin>

radmin> debug condition 'User-Name =~ /^abc/'

The current condition is the last one specified; to match multiple things they must be combined into one expression, such as:

radmin> debug condition '(User-Name =~ /^matthew@/) || (Calling-Station-Id == "aa-bb-cc-dd-ee-ff")'

Finally, watch the debug file that was specified to see debugging for packets that match the condition:

radius:/# tail -F /var/log/freeradius/tmp/debug

Note here that you should not use the debug level option, which will change the debug level for the entire server. If you do then you can cancel it with debug level 0.

Debugging should not be run for longer than necessary, not specifically due to the load put on the server, but because the log files generated will usually not be rotated and can grow fast quickly, depending on the condition specified. To cease the debugging, perform the following:

Clear the debug condition.

radmin> debug condition
radmin> show debug condition
radmin>

Wait a few seconds for the file to finish being written to – if there are outstanding requests there may be more messages such as ‘Debug: Cleaning up request 997318 ID 248 with timestamp +12722’ still written.

Then clear the debug file setting as well:

radmin> debug file
radmin> show debug file
radmin>

Hopefully this will give some insight into how RADIUS processing can be debugged on a live server, without having to resort to running the server in debug mode. It’s a powerful feature and one of the very useful things you get from running FreeRADIUS.

Leave a Reply

Your email address will not be published.