base/protocols/radius/main.zeek¶
-
RADIUS¶
Implements base functionality for RADIUS analysis. Generates the radius.log file.
| Namespace: | RADIUS |
|---|---|
| Imports: | base/protocols/radius/consts.zeek, base/utils/addrs.zeek |
Summary¶
Types¶
RADIUS::Info: record |
Redefinitions¶
Log::ID: enum |
|
connection: record |
|
likely_server_ports: set &redef |
Events¶
RADIUS::log_radius: event |
Event that can be handled to access the RADIUS record as it is sent on to the logging framework. |
Detailed Interface¶
Types¶
-
RADIUS::Info¶ Type: - ts:
time&log Timestamp for when the event happened.
- uid:
string&log Unique ID for the connection.
- id:
conn_id&log The connection’s 4-tuple of endpoint addresses/ports.
- username:
string&log&optional The username, if present.
- mac:
string&log&optional MAC address, if present.
- framed_addr:
addr&log&optional The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.
- tunnel_client:
string&log&optional Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.
- connect_info:
string&log&optional Connect info, if present.
- reply_msg:
string&log&optional Reply message from the server challenge. This is frequently shown to the user authenticating.
- result:
string&log&optional Successful or failed authentication.
- ttl:
interval&log&optional The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.
- logged:
bool&default=F&optional Whether this has already been logged and can be ignored.
- ts:
Events¶
-
RADIUS::log_radius¶ Type: event(rec:RADIUS::Info)Event that can be handled to access the RADIUS record as it is sent on to the logging framework.