base/protocols/radius/main.zeek¶
-
RADIUS¶
Implements base functionality for RADIUS analysis. Generates the radius.log file.
- Namespace
RADIUS
- Imports
base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek
Summary¶
Types¶
Redefinitions¶
|
|
Events¶
Event that can be handled to access the RADIUS record as it is sent on to the logging framework. |
Hooks¶
RADIUS finalization hook. |
|
Detailed Interface¶
Types¶
-
RADIUS::Info¶ - Type
-
- ts:
time&log Timestamp for when the event happened.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- username:
string&log&optional The username, if present.
- mac:
string&log&optional MAC address, if present.
- framed_addr:
addr&log&optional The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- tunnel_client:
string&log&optional Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- connect_info:
string&log&optional Connect info, if present.
- reply_msg:
string&log&optional Reply message from the server challenge. This is frequently shown to the user authenticating.
- result:
string&log&optional Successful or failed authentication.
- ttl:
interval&log&optional The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
- logged:
bool&default=F&optional Whether this has already been logged and can be ignored.
- ts:
Events¶
-
RADIUS::log_radius¶ - Type
event(rec:RADIUS::Info)
Event that can be handled to access the RADIUS record as it is sent on to the logging framework.