Displaying Authentication Log Files

You use the Web GUI to enable and display these authentication log files:

  • Successful request authentication log file—The successful request authentication log file identifies the authentication requests that were approved by SBR Carrier.
  • Invalid shared secrets authentication log file—The invalid shared secrets authentication log file identifies the authentication requests that failed because a known RADIUS client supplied an incorrect shared secret. This condition is detectable only if the authentication request contains a Message-Authenticator attribute, which is required if credentials are of an EAP type but optional if credentials are PAP, CHAP, or MS-CHAP.
  • Failed request authentication log file—The failed request authentication log file identifies the authentication requests that were rejected because the user supplied incorrect credentials.
  • Unknown client request authentication log file—The unknown client request authentication log file identifies authentication requests received from unknown RADIUS clients.

File Permissions for Log Files

When you run SBR Carrier, you can specify which users are authorized to read or edit important files, such as authentication and accounting log files. For example, you can specify that system administrators who install and configure SBR Carrier have read/write access for system log files and that network operators who monitor SBR Carrier have read-only (or no) access for system log files.

Security Groups and Permissions

Each file and directory has three security groups associated with it:

  • The Owner identifies the person who created or owns the file.
  • The Group security group identifies the set of users who are members of the group or groups to which the file Owner belongs. Group members can exercise special privileges with respect to that file. A user can belong to more than one group.
  • The Other security group consists of the set of all users who do not belong to Owner or Group.

Each security group has three flags that control what privileges that group can exercise with respect to the file or directory:

  • The Read flag (r) determines whether the file can be read. The Read flag has an octal value of 4.
  • The Write flag (w) determines whether the security group can create, modify, or delete the file. The Write flag has an octal value of 2.
  • The Execute flag (x) determines whether the security group can run a script or executable file. The Execute flag has an octal value of 1.

For example, a file owner might have rwx permission for a file, which indicates the file owner has read/write/execute access to the file. Similarly, Other might have r-- permission (where - indicates no permission), which means that the user can read but not edit or execute the file.

You can add the octal values for permission flags to generate a numeric representation of the file permissions for Owner, Group, and Other:

  • 1 = execute only
  • 2 = write only
  • 3 = write and execute (1+2)
  • 4 = read only
  • 5 = read and execute (4+1)
  • 6 = read and write (4+2)
  • 7 = read, write, and execute (4+2+1)

The security permissions exercised by Owner/Group/Other are typically expressed as a string or as a three-digit number. Table 120 provides examples of different file permissions.

Table 120: File Permissions

  Permission    Octal value   What It Means
  -rwxrwxrwx    777           Read, write, and execute for Owner/Group/Other
  -rw-rw-r--    664           Read and write for Owner/Group; read access for Other
  -rw-rw----    660           Read and write for Owner/Group; no access for Other
  -rwx------    700           Read, write, and execute for Owner only
  -rw-rw-rw-    666           Read and write for Owner, Group, and Other

The UNIX chown command lets you change the owner or group (or both) associated with a file or directory. The UNIX chmod command lets you change the permissions of files and directories.

Using the User File Creation Mode Mask

The user file creation mode mask (often abbreviated as umask) determines the default file system mode for files newly created by the current process. Solaris hosts typically have a hierarchy of umask values: a server-level umask value, which can be overridden by a user-, shell-, or application-level umask value. The result is an ambient umask value, which determines what file permissions are used when files are created by any given process.

The umask value is a three-digit octal number. The first digit sets the mask for Owner, the second for Group, and the third for Other. The umask value identifies the permissions that are withheld when a file is created: the umask value is subtracted from the full access mode value (777) to determine the access permissions for a new file. For example, if the umask value for a process is set to 022, the Write permission for Group and for Other is withheld from the full access mode value (777), resulting in a file permission of 755 (rwxr-xr-x). Similarly, if an umask value of 177 is configured for a process (explicitly or by virtue of the ambient umask), files created by the process have a file permission of 600 (rw-------). Table 121 summarizes the result of using different octal digits in an umask value.

Table 121: Summary of Umask Permissions

  Octal Number   Access   Permission Resulting From umask Value
  0              rwx      Read, Write, Execute
  1              rw-      Read, Write
  2              r-x      Read, Execute only
  3              r--      Read only
  4              -wx      Write, Execute only
  5              -w-      Write only
  6              --x      Execute only
  7              ---      No permissions

The umask value affects a file’s access permissions only when the file is created. If you change the umask value, access permissions for existing files are not affected. To change a file’s ownership or access permissions after the file has been created, use the chown and chmod commands.

Implementing Default File Permissions in SBR Carrier

The RADIUSMASK parameter in the sbrd.conf file specifies the application-level umask value used to establish access permissions for all files created by SBR Carrier. Refer to the SBR Carrier Reference Guide for information about configuring the sbrd.conf file.

If you do not specify a value for the RADIUSMASK parameter, SBR Carrier uses the ambient umask value established by the server-, user- or shell-level umask value to determine the access permissions for files it creates.

Some log files have explicit controls that let you override the umask value established by the RADIUSMASK parameter or the ambient umask value. See Implementing Override File Permissions in SBR Carrier for more information about overriding the application-level default umask value.

As previously noted, the umask value affects a file’s access permissions only when the file is created. If you change the RADIUSMASK setting, new files created by SBR Carrier are assigned the access permission specified by the new setting. This includes files that roll over periodically; the existing file would retain the access file permission it received when it was created, and the new file would be assigned the access permission specified by the new RADIUSMASK value.

Note: The Execute file permission value for files created by SBR Carrier is always set to None for Owner, Group, and Other. Thus, an umask value of 0 (no restrictions) is equivalent to an umask value of 1 (read/write permission) for files created by SBR Carrier.
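As an added example (not part of the SBR Carrier documentation), the following Python computes the mode a new file receives under a given umask, including the rule stated above that SBR Carrier never sets execute bits on the files it creates. The page's "777 minus umask" arithmetic is implemented as the bitwise operation the kernel actually performs, which agrees with subtraction whenever every umask bit is present in the requested mode; the constants and function names are this example's own.

```python
FULL_ACCESS = 0o777      # the page's "full access mode value"
SBR_CREATE_MODE = 0o666  # SBR Carrier never sets execute bits on files it creates (page note)


def mode_string(mode: int) -> str:
    """Render the low 9 bits of a mode as an ls-style string, e.g. 0o755 -> 'rwxr-xr-x'."""
    return "".join(
        ch if mode & (1 << (8 - i)) else "-" for i, ch in enumerate("rwxrwxrwx")
    )


def apply_umask(umask: int, create_mode: int = FULL_ACCESS) -> int:
    """Mode of a new file: the requested mode with every umask bit cleared.

    The kernel computes create_mode & ~umask.  This equals the page's "777 minus umask"
    shorthand whenever each umask bit is also set in the requested mode (always true
    for 777), but plain subtraction would go wrong for 666 with a umask such as 111.
    """
    return create_mode & ~umask & 0o777


def sbr_file_mode(umask: int) -> int:
    """Mode SBR Carrier gives a new log file under a given RADIUSMASK or ambient umask.

    Because execute is never set, umask digits 0 and 1 give the same result, as the
    page's note states.
    """
    return apply_umask(umask, SBR_CREATE_MODE)


def parse_umask(text: str) -> int:
    """Parse a three-digit octal umask such as '022' or '177'; reject anything else."""
    if len(text) != 3 or any(c not in "01234567" for c in text):
        raise ValueError(f"umask must be three octal digits, got {text!r}")
    return int(text, 8)


if __name__ == "__main__":
    for text in ("022", "177"):                      # the page's two worked cases
        m = apply_umask(parse_umask(text))
        print(f"umask {text}: 777 -> {m:03o} ({mode_string(m)})")
    for text in ("000", "111", "022", "177"):        # files created by SBR Carrier
        m = sbr_file_mode(parse_umask(text))
        print(f"umask {text}: SBR Carrier log file -> {m:03o} ({mode_string(m)})")
```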

Implementing Override File Permissions in SBR Carrier

To override file permissions established by the SBR Carrier RADIUSMASK or the ambient umask for specific log files, you must modify the LogFilePermissions parameter in the applicable initialization (.ini) file.

Table 122 identifies the configuration file you must modify to configure non-default file permissions for SBR Carrier log files.

Table 122: Configuration Files for Setting Log File Permissions

  Controlled Files                                                  Configuration File
  Server Diagnostics log (server log)                               radius.ini
  Authentication Reporting Library accepts log                      authReportAccept.ini
  Authentication Reporting Library bad shared secret log            authReportBadSharedSecret.ini
  Authentication Reporting Library rejects log                      authReportReject.ini
  Authentication Reporting Library unknown client log               authReportUnknownClient.ini
  Authentication Logging Library logs and header check-point logs   authlog.ini
  Accounting Library logs and header check-point logs               account.ini
  Server Statistics logs and header check-point logs                statlog.ini

The syntax for the LogFilePermissions parameter is:

LogfilePermissions = owner:group mode
  • Specify the owner and group settings by entering character strings or decimal integers, as used for arguments to the UNIX chown(1) command. For example, ralphw:proj, ralphw:120, or 1007:120.
  • Specify the mode setting as a character string or an octal integer. When permissions are specified as a character string, they follow the format that is used by the UNIX ls(1) command; for example, rw-rw-rw-. When permissions are specified as an octal integer, they follow the format used for arguments to the UNIX chmod(1) command; for example, 666.

    Note: You can specify only read/write permissions for an SBR Carrier file. You cannot specify execute permissions for SBR Carrier files.

The value of each LogFilePermissions parameter is read when the SBR Carrier server is started or restarted. The value of the LogfilePermissions parameter in the radius.ini file is also read when you issue a HUP command to the SBR Carrier server.

  • If you enter a valid value for a LogfilePermissions parameter, the ownership and permissions of the controlled log file are set as specified whenever the file is opened or created.
  • If you do not enter a value for a LogfilePermissions parameter, the ownership and permissions of the controlled file are not changed. The controlled file is created using the ownership of the account that is executing the server and the permissions that are derived from the default RADIUSMASK value or from the ambient umask setting. If the file already exists, new information is appended without changing the existing ownership and permissions of the controlled file.
  • If you enter an invalid value for a LogfilePermissions setting, then the ownership of the controlled log file defaults to the effective user/group ID of the server process, normally root:other, and the permissions for the controlled file default to 0600 (-rw-------). This ensures that the affected log file can always be opened without any escalation of file access privileges. Messages similar to the following are logged whenever an explicit file access control is misconfigured:
    Invalid LogfilePermissions specified in radius.ini [Configuration]: -rwx------Server log file permissions defaulted to 0:0 0600
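As an added example (not SBR Carrier code), the following Python parses a LogFilePermissions value the way the text above describes: owner:group as names or decimal integers, the mode either as an ls-style string or an octal integer, execute bits rejected, and any invalid value replaced by the fallback of the effective user/group and 0600. The function names, the 0:0 fallback pair, and the summary message wording are this example's own constructions.

```python
import re

# Fallback the page describes for an invalid value: the effective user/group of the
# server process (logged as 0:0 when that is root) and mode 0600.  Constructed defaults.
FALLBACK_MODE = 0o600
_LS_STYLE = re.compile(r"([r-][w-][x-]){3}")   # e.g. rw-rw-rw- (no leading file-type char)
_OCTAL = re.compile(r"0?[0-7]{3}")              # e.g. 666 or 0660


def parse_mode(text: str):
    """Accept an octal mode (666, 0660) or an ls-style string (rw-rw-rw-); None if neither."""
    if _OCTAL.fullmatch(text):
        return int(text, 8)
    if _LS_STYLE.fullmatch(text):
        mode = 0
        for i, ch in enumerate(text):
            if ch != "-":
                mode |= 1 << (8 - i)
        return mode
    return None


def parse_log_file_permissions(value: str, effective=("0", "0")):
    """Return (owner, group, mode, valid) for a value of the form 'owner:group mode'.

    Invalid syntax, an unparsable mode, or any execute bit (the page allows only
    read/write on SBR Carrier files) yields the safe fallback and valid=False.
    """
    parts = value.split()
    if len(parts) == 2 and parts[0].count(":") == 1:
        owner, group = parts[0].split(":")
        mode = parse_mode(parts[1])
        if owner and group and mode is not None and not mode & 0o111:
            return owner, group, mode, True
    return effective[0], effective[1], FALLBACK_MODE, False


def describe(value: str, ini: str = "radius.ini") -> str:
    """One-line summary in the spirit of the page's log message (wording is constructed)."""
    owner, group, mode, ok = parse_log_file_permissions(value)
    status = "applied as" if ok else "invalid; defaulted to"
    return f"LogfilePermissions in {ini}: {value!r} {status} {owner}:{group} {mode:04o}"


if __name__ == "__main__":
    for v in ("ralphw:proj rw-rw-rw-", "1007:120 666", "ralphw:proj -rwx------"):
        print(describe(v))
```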

Enabling or Disabling the Authentication Log Files

To enable or disable an authentication log file using the Web GUI:

  1. Select RADIUS Configuration > Reports > Auth Logs.

    The Auth Logs List page (Figure 271) appears.

    Figure 271: Auth Logs List Page

  2. Select the logging status column of the authentication log file you want to enable or disable.

    A check box (Figure 272) appears in the logging status column of the selected log file entry.

    Figure 272: Enabling or Disabling the Authentication Log File

  3. Select the check box to enable the selected authentication log file.

    Clear the check box to disable the selected authentication log file.

  4. Click Apply to save the configuration.

Viewing the Authentication Log Files

To display an authentication log file using the Web GUI:

  1. Select RADIUS Configuration > Reports > Auth Logs.

    The Auth Logs List page (Figure 271) appears.

  2. Select the type of authentication log file you want to display.

    The Selected Log pane (Figure 273) appears with the View tab selected.

    Figure 273: Selected Log Pane

  3. Select the log you want to display and click View.

    By default, the Web GUI displays the authentication log file 20 lines at a time. To change the number of lines displayed, enter a different number in the Page Size field before you click View.

  4. Click the Prev Page and Next Page buttons to page through the log file.

    To sort the authentication log file, click the appropriate column header.

    To refresh the authentication log file display, click the Refresh button.

Saving the Log Files

To save an authentication log file to a text file using the Web GUI:

  1. Select RADIUS Configuration > Reports > Auth Logs.

    The Auth Logs List page (Figure 271) appears.

  2. Select the type of authentication log file you want to display.

    The Selected Log pane (Figure 273) appears with the View tab selected.

  3. Select the log you want to save and click Save to save the log file.

Searching the Log Files

You can search the SBR Carrier authentication log files to display messages within a specified time range, messages relating to a specific client, or messages relating to a specific user.

To search the authentication log files using the Web GUI:

  1. Select RADIUS Configuration > Reports > Auth Logs.

    The Auth Logs List page (Figure 271) appears.

  2. Select the type of authentication log file you want to display.

    The Selected Log pane (Figure 273) appears with the View tab selected.

  3. Click the Search tab (Figure 274).

    Figure 274: Selected Log Pane—Search

  4. If you want to search the authentication log file for messages within a specified time range:
    1. Select the Now option button in the From area to search the log file for messages until now.

      Or

      Select the Specific Date option button in the From area and select the specific date and time to specify the ending date and time for the search.

    2. Select the No Limit option button in the To area to search the log file for messages with no earliest starting time.

      Or

      Select the Specific Date option button in the To area and select the specific date and time to specify the starting date and time for the search.

  5. If you want to filter messages relating to a specified RADIUS client, select the RADIUS Client check box and enter the name of the RADIUS client in the RADIUS Client field.
  6. If you want to filter messages relating to a specified user, select the User Name check box and enter the name of the user in the User Name field.
  7. If you want to limit the number of messages to be displayed, enter a number in the Max Returns field.
  8. Click Search.

    The search results are displayed on the right-hand side of the Selected Log pane (Figure 273).

Modified: 2017-09-27