base/protocols/radius/main.zeek

RADIUS

Implements base functionality for RADIUS analysis. Generates the radius.log file.

Namespace:: RADIUS
Imports:: base/protocols/conn/removal-hooks.zeek, base/protocols/radius/consts.zeek, base/utils/addrs.zeek

Summary

Redefinable Options

RADIUS::ports: set &redef

Well-known ports for RADIUS.

Types

RADIUS::Info: record

Redefinitions

`Log::ID`: `enum`	`RADIUS::LOG`
`connection`: `record`	New Fields: `connection` radius: `RADIUS::Info` `&optional`

Events

RADIUS::log_radius: event

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Hooks

`RADIUS::finalize_radius`: `Conn::RemovalHook`	RADIUS finalization hook.
`RADIUS::log_policy`: `Log::PolicyHook`

Detailed Interface

Redefinable Options

RADIUS::ports 

Type:

Attributes:

Default:

{
   1812/udp
}

Well-known ports for RADIUS.

Types

RADIUS::Info 

Type:

Fields:

ts: time &log: Timestamp for when the event happened.

uid: string &log: Unique ID for the connection.

id: conn_id &log: The connection’s 4-tuple of endpoint addresses/ports.

username: string &log &optional: The username, if present.

mac: string &log &optional: MAC address, if present.

framed_addr: addr &log &optional: The address given to the network access server, if present. This is only a hint from the RADIUS server and the network access server is not required to honor the address.

tunnel_client: string &log &optional: Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel, if present. This is collected from the Tunnel-Client-Endpoint attribute.

connect_info: string &log &optional: Connect info, if present.

reply_msg: string &log &optional: Reply message from the server challenge. This is frequently shown to the user authenticating.

result: string &log &optional: Successful or failed authentication.

ttl: interval &log &optional: The duration between the first request and either the “Access-Accept” message or an error. If the field is empty, it means that either the request or response was not seen.

logged: bool &default = F &optional: Whether this has already been logged and can be ignored.

Events

RADIUS::log_radius 

Type:: event (rec: RADIUS::Info)

Event that can be handled to access the RADIUS record as it is sent on to the logging framework.

Hooks

RADIUS::finalize_radius 

Type:: Conn::RemovalHook

RADIUS finalization hook. Remaining RADIUS info may get logged when it’s called.

RADIUS::log_policy 

Type:: Log::PolicyHook