base/protocols/radius/main.zeek

RADIUS

Implements base functionality for RADIUS analysis. Generates the radius.log file.

Namespace: RADIUS

Imports: base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek

Summary

Types

RADIUS::Info: record

Redefinitions

Log::ID: enum

connection: record

New Fields: connection

radius: RADIUS::Info &optional

likely_server_ports: set &redef

Events

RADIUS::log_radius: event

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Hooks

RADIUS::finalize_radius: Conn::RemovalHook

RADIUS finalization hook.

RADIUS::log_policy: Log::PolicyHook

Detailed Interface

Types

RADIUS::Info
Type: record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional

The username, if present.

mac: string &log &optional

MAC address, if present.

framed_addr: addr &log &optional

The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

tunnel_client: string &log &optional

Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.

connect_info: string &log &optional

Connect info, if present.

reply_msg: string &log &optional

Reply message from the server challenge. This is frequently shown to the user authenticating.

result: string &log &optional

Successful or failed authentication.

ttl: interval &log &optional

The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.

logged: bool &default = F &optional

Whether this has already been logged and can be ignored.

Events

RADIUS::log_radius
Type: event (rec: RADIUS::Info)

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
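A handler for the RADIUS::log_radius event described above, as an added example that is not part of the Zeek distribution: it raises a notice when one identity accumulates repeated failed authentications, and it guards each &optional field of RADIUS::Info before reading it. The module name RadiusWatch, the notice type, the threshold and window values, and the literal result value "failed" are assumptions.

```zeek
@load base/protocols/radius
@load base/frameworks/notice

module RadiusWatch;   # hypothetical module name

export {
	redef enum Notice::Type += {
		## One identity reached the failed-authentication threshold.
		Repeated_Auth_Failure,
	};

	## Assumed values; tune per site.
	const fail_threshold = 5 &redef;
	const fail_window = 10min &redef;
}

# Failure count per identity; an entry expires fail_window after creation.
global failures: table[string] of count &create_expire=fail_window;

event RADIUS::log_radius(rec: RADIUS::Info)
	{
	# result is &optional: it is unset when no response was seen.
	# "failed" is the assumed value for a rejected authentication.
	if ( ! rec?$result || rec$result != "failed" )
		return;

	# username and mac are &optional too. Fall back to the originator,
	# which is the RADIUS client (typically the network access server).
	local who = fmt("%s", rec$id$orig_h);
	if ( rec?$username )
		who = rec$username;
	else if ( rec?$mac )
		who = rec$mac;

	if ( who !in failures )
		failures[who] = 0;
	++failures[who];

	# Fire once, when the threshold is reached, not on every later failure.
	if ( failures[who] != fail_threshold )
		return;

	NOTICE([$note=Repeated_Auth_Failure,
	        $msg=fmt("%d failed RADIUS authentications for %s within %s",
	                 fail_threshold, who, fail_window),
	        $uid=rec$uid, $id=rec$id, $identifier=who]);
	}
```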

Hooks

RADIUS::finalize_radius
Type: Conn::RemovalHook

RADIUS finalization hook. Remaining RADIUS info may get logged when it’s called.

RADIUS::log_policy
Type: Log::PolicyHook