base/protocols/radius/main.zeek
Implements base functionality for RADIUS analysis. Generates the radius.log file.
| Namespace: | RADIUS |
|---|---|
| Imports: | base/protocols/radius/consts.zeek, base/utils/addrs.zeek |
Summary

Types

| RADIUS::Info : record | |
|---|---|

Redefinitions

| Log::ID : enum | |
|---|---|
| connection : record | |
| likely_server_ports : set &redef | |

Events

| RADIUS::log_radius : event | Event that can be handled to access the RADIUS record as it is sent on to the logging framework. |
|---|---|
Detailed Interface

Types

RADIUS::Info
Type: record

- ts: time &log
  Timestamp for when the event happened.
- uid: string &log
  Unique ID for the connection.
- id: conn_id &log
  The connection’s 4-tuple of endpoint addresses/ports.
- username: string &log &optional
  The username, if present.
- mac: string &log &optional
  MAC address, if present.
- framed_addr: addr &log &optional
  The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- tunnel_client: string &log &optional
  Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- connect_info: string &log &optional
  Connect info, if present.
- reply_msg: string &log &optional
  Reply message from the server challenge. This is frequently shown to the user authenticating.
- result: string &log &optional
  Successful or failed authentication.
- ttl: interval &log &optional
  The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
- logged: bool &default=F &optional
  Whether this has already been logged and can be ignored.

Events

RADIUS::log_radius
Type: event (rec: RADIUS::Info)

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
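
A handler for RADIUS::log_radius that raises a notice on repeated rejected authentications, added here as an example and not part of the Zeek distribution. The RadiusFailures module, its notice type, the threshold and window, and the "failed" literal compared against the result field are assumptions of this example.

```zeek
@load base/protocols/radius
@load base/frameworks/notice

module RadiusFailures;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type defined by this example.
		Repeated_Failure,
	};

	## Assumed threshold and counting window; tune per environment.
	const fail_threshold: count = 5 &redef;
	const fail_window: interval = 10min &redef;

	## Assumption: the string stored in RADIUS::Info$result for a rejected
	## authentication. The documentation above only says "successful or failed".
	const failed_value = "failed" &redef;
}

# Failure count per (originator address, username). The originator of a
# RADIUS connection is normally the network access server, not the end user.
# Entries are dropped fail_window after the first failure that created them.
global failures: table[addr, string] of count
	&default=0 &create_expire=fail_window;

event RADIUS::log_radius(rec: RADIUS::Info)
	{
	# result and username are &optional: test for presence before reading.
	if ( ! rec?$result || rec$result != failed_value )
		return;

	local user = rec?$username ? rec$username : "<none>";
	local orig = rec$id$orig_h;
	local n = failures[orig, user] + 1;
	failures[orig, user] = n;

	# Fire once, when the count reaches the threshold within the window.
	if ( n != fail_threshold )
		return;

	NOTICE([$note=Repeated_Failure,
	        $msg=fmt("%d failed RADIUS authentications for %s via %s within %s",
	                 n, user, orig, fail_window),
	        $src=orig, $uid=rec$uid,
	        $identifier=cat(orig, user)]);
	}
```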