base/protocols/radius/main.zeek

RADIUS

Implements base functionality for RADIUS analysis. Generates the radius.log file.

Namespace: RADIUS
Imports: base/protocols/radius/consts.zeek, base/utils/addrs.zeek

Summary

Events

RADIUS::log_radius: event

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Detailed Interface

Types

RADIUS::Info
Type: record

ts: time &log

Timestamp for when the event happened.

uid: string &log

Unique ID for the connection.

id: conn_id &log

The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional

The username, if present.

mac: string &log &optional

MAC address, if present.

framed_addr: addr &log &optional

The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

tunnel_client: string &log &optional

Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.

connect_info: string &log &optional

Connect info, if present.

reply_msg: string &log &optional

Reply message from the server challenge. This is frequently shown to the user authenticating.

result: string &log &optional

Successful or failed authentication.

ttl: interval &log &optional

The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.

logged: bool &default = F &optional

Whether this has already been logged and can be ignored.

Events

RADIUS::log_radius
Type: event (rec: RADIUS::Info)

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.
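
A handler for this event can turn the RADIUS::Info record into a detection. The script below is an added example, not part of the Zeek distribution: it raises a notice when one username accumulates repeated failed authentications. The module name, notice type and threshold are hypothetical, and the logged result string "failed" is an assumption that this page does not state.

```zeek
@load base/protocols/radius
@load base/frameworks/notice

module RadiusWatch;  # hypothetical module name

export {
	redef enum Notice::Type += {
		## Hypothetical notice type: repeated failed RADIUS logins for one account.
		Failed_Auth_Burst,
	};

	## Assumed threshold; tune per site.
	const fail_threshold: count = 5 &redef;
}

# Failed results per account key. An entry expires 10 minutes after its
# first failure, which resets the count for that key.
global failures: table[string] of count &default=0 &create_expire=10min;

event RADIUS::log_radius(rec: RADIUS::Info)
	{
	# result is &optional, so test with ?$ before reading it.
	# "failed" as the logged value is an assumption, not stated on this page.
	if ( ! rec?$result || rec$result != "failed" )
		return;

	# username is &optional too; fall back to the requesting endpoint's address.
	local key = rec?$username ? rec$username : cat(rec$id$orig_h);
	++failures[key];

	# Fire once, when the threshold is reached inside the window.
	if ( failures[key] != fail_threshold )
		return;

	local mac = rec?$mac ? rec$mac : "<unset>";

	NOTICE([$note=Failed_Auth_Burst,
	        $src=rec$id$orig_h,
	        $uid=rec$uid,
	        $id=rec$id,
	        $msg=fmt("%d failed RADIUS authentications for %s in 10 min (last mac %s)",
	                 fail_threshold, key, mac),
	        $identifier=key]);
	}
```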