Home > User Interface > Auditing > RADIUS Audit Logs

RADIUS Audit Logs

Menu path: Auditing.> RADIUS Audit Logs.

RADIUS messages use AVPs (attribute-value-pairs) to describe requests and responses. It is a mature set of specifications with a large number of AVPs. In most cases A3 displays a subset of the AVPs with authentication and A3-specific interpretation. A useful description of the most common RADIUS AVPs can be found at ftp://ftp.gnu.org/old-gnu/Manuals/radius/html_chapter/radius_16.html and the complete details may be found at https://freeradius.org/rfc/attributes.html.

The view offers selectable columns (with the symbol); the initial default columns are:

Created At
ID
Auth Status
MAC Address
IP Address
Is a Phone
Client Status
User Name
Unique ID
NAS IP Address

Audit log entries can be searched with a Simple Search or Advanced Search, based on the position of the slider. Simple searches consist of a search for MAC address or user name, whereas advanced searches use multiple search conditions.

Clicking on any entry displays information about that log entry, as discussed in RADIUS Log Entry.

RADIUS Log Entry

The RADIUS log entry columns that may be selected with the icon are shown below. Selecting an individual log entry will display the data for that entry in three tabs:

Client Information
Device Information
RADIUS

Client Information


Label	Usage
MAC Address	The MAC address of the client.
Auth Status	The authentication status of the client. One of: Accept, Reject, Disconnect ACK, Disconnect NAK, or Reject.
Auth Type	The authentication type used for the client. One of eap, no eap, or accept (used for MAC authentication).
Auto-Registration	Indicates whether the client was automatically registered. See Connection Profiles.
Calling Station Identifier	The MAC address of the client requesting access.
Computer Name	The name of the computer requesting access, if applicable.
EAP Type	The type of EAP used in the authentication. The A3-supported types are defined in RADIUS Configuration
IP Address	The IP address of the client, if available in the RADIUS messages
Is a Phone	Indicates whether the client is a VoIP phone.
Client Status	The registration status of the client. One of: reg (registered), unreg (unregistered), or pending.
Domain	The domain used for authentication.
Profile	The connection profile used for the authentication.
Realm	The realm used for the authentication.
Reason	The description for an authentication failure.
Role	The role for the client.
Source	The authentication source used for the authentication.
Request Time	The time of the RADIUS request.
User Name	The full user name used for authentication.
Unique Identifier	The unique RADIUS ID for the message.
Created At	The date and time at which the log entry was made.

Device Information


Label	Usage
Device identifier	The IP address of the device used in authentication.
Device MAC Address	The MAC address for the device used in authentication.
Device IP Address	The IP address of the device used in authentication.
Called Station Identifier	The MAC address of the destination that the client tried to reach as well as the SSID for wireless.
Connection type	The connection mechanism. The possible values are Wireless-802.11-EAP, Wireless-802.11-NoEAP, Ethernet-EAP, Ethernet-NoEAP, SNMP-Traps, Inline, or Ethernet-NoEAP.
Ifindex	Interface index on the device.
NAS Identifier	An identifier for the device.
NAS IP Address	The IP address of the device
NAS Port Identifier	The port number on the device, if applicable.
NAS Port Type	The type of port used on the device.
RADIUS Source IP Address	The IP address of the client that received the RADIUS request.
Wi-Fi Network SSID	For a wireless connection, the SSID used to connect to the client.

RADIUS


Label	Usage
Request Time	The time of the RADIUS request.
RADIUS Request	The request message.
RADIUS Reply	The reply message.

Simple Search

The simple search choice offers a straightforward means of searching user entries:

Type any text into the Search by MAC or user name box and press the button. Any client entry whose MAC Address or user name contains the text will be displayed in the list.
The search box and the listing are reset back to the complete list via the button.
Export to CSV - the results of the current search are saved to a file named radiuslogs.csv. Previous output is not overwritten; new versions are labeled radiuslogs(1).csv, radiuslogs(2).csv, etc.

Advanced Search

Click the slider to access the advanced searches page. Multiple or conditions are joined together with and conjunctions. Each element of an or set may be deleted with the symbol or reordered by selecting the item's symbol. Reordering may occur across or sets.

Several facilities exist for saving and using saved searches:

In the drop-down:
- Use the Save Search choice to name and save the current search conditions.
- Previously saved searches are available in the list as well.
- Saved searches will be listed along the left-hand edge of the screen.
- The search terms may also be exported or imported in JSON format.
- the results of the current search are saved to a file named radiuslogs.csv. Previous output is not overwritten; new versions are labeled radiuslogs(1).csv, radiuslogs(2).csv, etc.

Each condition has three parts:

Log entry property - one of the characteristics of the log entry. Choose from the full list of elements in the drop-down list.
Compare operation - one of:
- is - matches the comparison string
- is not - does not match the comparison string
- starts with - starts with the comparison string
- ends with - ends with the comparison string
- matches - the user element is matched against a regular expression (regexp). Regexp is a powerful language for expressing string matches. An introduction to regexps is found here. A simple search is the equivalent of using the matches operation with the equivalent text.

Comparison string or choice - the string or choice to match against or use as a regular expression.