
Hands-On Lab: Monitoring, Logging & Troubleshooting in FreeRADIUS
====================================================================================

Lab Objectives:
---------------
- Use diagnostic tools like radtest to simulate authentication
- Analyze real authentication attempts using FreeRADIUS logs
- Identify and resolve common configuration and runtime issues in an eduroam IdP setup

Part 1: Simulate User Authentication with radtest
--------------------------------------------------

1. Stop the service and start FreeRADIUS in the foreground in debug mode. The
   running daemon already holds UDP/1812 and /1813, so a second instance will
   fail to bind unless the service is stopped first:
   sudo systemctl stop freeradius
   sudo freeradius -X
   (-X is the form the FreeRADIUS documentation recommends; adding -x only
   raises the verbosity. On RHEL-family systems the binary and the service are
   named radiusd.)
   Debug output prints decrypted User-Password values and full request
   contents, so use it on a test host or for short sessions only, and redact it
   before pasting it into tickets or chat.

2. Use radtest to simulate PAP authentication (arguments: user, password,
   server, NAS-Port, shared secret; testing123 is the secret shipped for the
   localhost entry in clients.conf):
   radtest testuser@institution.ac.ke testpass localhost 0 testing123

3. Use radtest to simulate MSCHAPv2 authentication:
   radtest -t mschap testuser@institution.ac.ke testpass localhost 0 testing123

4. Observe the output in the terminal running freeradius -X. radtest sends a
   plain Access-Request, so this exercises the inner authentication (PAP or
   MS-CHAPv2) and the realm, SQL/LDAP and password modules directly, not the
   EAP/TLS tunnel a real eduroam supplicant uses. To drive PEAP or TTLS end to
   end, use eapol_test from wpa_supplicant.

Expected Result:
----------------
- radtest prints the reply it received: 'Received Access-Accept' or
  'Received Access-Reject' (or 'No reply from server' if nothing verifiable
  came back)
- Debug output shows the suffix/realm decision, the SQL or LDAP lookup, the
  pap or mschap module result, and any processing errors. EAP stages appear
  only when an EAP client such as eapol_test or a real supplicant is used.

Part 2: Analyze FreeRADIUS Logs
-------------------------------

1. Check the primary log file (use tail -f to follow it while you test):
   sudo tail -f /var/log/freeradius/radius.log

2. Look for common patterns (the 'Auth:' lines only appear if auth = yes is
   set in the log section of radiusd.conf):
   - "Login OK": successful authentication
   - "Login incorrect (reason)": rejected authentication; the reason in
     parentheses names the module and cause
   - "User not found": user not in database or directory
   - "rlm_eap: SSL error": certificate/TLS issues

3. Inspect accounting logs (if enabled); the detail module writes one
   directory per NAS IP address:
   ls -R /var/log/freeradius/radacct/

4. Use journalctl if using systemd:
   journalctl -u freeradius -b
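As an added example (not part of the original lab), the following POSIX shell functions turn the patterns above into a quick triage of radius.log: rejected logins per user and per NAS, accounts over a guessing threshold, and the realms seen. The log lines are constructed for this lab in the format of FreeRADIUS 3 'Auth:' lines and assume auth = yes and auth_badpass = yes in radiusd.conf (the latter is why the attempted password appears after the '/'; the shipped default is no, and the lines then end at the username).

```sh
#!/bin/sh
# Added example: triage helpers for FreeRADIUS radius.log "Auth:" lines.
# The sample lines below are CONSTRUCTED for this lab in the FreeRADIUS 3
# format; they are not taken from a real server.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mon Mar  4 09:01:12 2024 : Auth: (3) Login OK: [testuser@institution.ac.ke] (from client localhost port 0)
Mon Mar  4 09:02:40 2024 : Auth: (4) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [testuser@institution.ac.ke/<via Auth-Type = eap>] (from client ap-library port 7 cli 00-11-22-33-44-55 via TLS tunnel)
Mon Mar  4 09:02:55 2024 : Auth: (5) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [testuser@institution.ac.ke/<via Auth-Type = eap>] (from client ap-library port 7 cli 00-11-22-33-44-55 via TLS tunnel)
Mon Mar  4 09:03:10 2024 : Auth: (6) Login incorrect (pap: Cleartext password does not match "known good" password): [testuser@institution.ac.ke/wrongpass] (from client localhost port 0)
Mon Mar  4 09:05:01 2024 : Auth: (7) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [unknownuser@institution.ac.ke/testpass] (from client localhost port 0)
Mon Mar  4 09:05:30 2024 : Auth: (8) Login incorrect (No Auth-Type found: rejecting the user via Post-Auth-Type = Reject): [visitor@foreign.edu/testpass] (from client localhost port 0)
Mon Mar  4 09:06:30 2024 : Auth: (9) Login OK: [jane@institution.ac.ke] (from client ap-library port 9 cli aa-bb-cc-dd-ee-ff via TLS tunnel)
EOF

# The username is the text between "[" and the first "/" or "]"; whatever
# follows "/" (attempted password or "<via Auth-Type = ...>") is dropped.
auth_users() {  # $1 log file, $2 pattern ("Login OK" or "Login incorrect")
  grep "$2" "$1" | sed -n 's/.*\[\([^]/]*\).*/\1/p'
}

# "<count> <user>" for every account with a rejected login, most first.
failed_by_user() {
  auth_users "$1" 'Login incorrect' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "<count> <client>" of rejected logins per NAS (clients.conf shortname).
failed_by_client() {
  grep 'Login incorrect' "$1" | sed -n 's/.*(from client \([^ ]*\).*/\1/p' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of rejected logins for one user (0 if none).
failures_for_user() {  # $1 log file, $2 user
  n=$(failed_by_user "$1" | awk -v u="$2" '$2 == u {print $1}')
  echo "${n:-0}"
}

# Accounts at or above a password-guessing threshold, one per line.
flag_guessing() {  # $1 log file, $2 threshold
  failed_by_user "$1" | awk -v t="$2" '$1 >= t {print $2}'
}

# Realms seen in any Auth line. On an IdP, a realm that is not yours means the
# request was not proxied (Scenario 4) or a client is misconfigured.
realms_seen() {
  grep 'Login ' "$1" | sed -n 's/.*\[\([^]/]*\).*/\1/p' | sed 's/.*@//' | sort -u
}

echo "Rejected logins per user:";   failed_by_user "$SAMPLE_LOG"
echo "Rejected logins per client:"; failed_by_client "$SAMPLE_LOG"
echo "At or over threshold (3):";   flag_guessing "$SAMPLE_LOG" 3
echo "Realms seen:";                realms_seen "$SAMPLE_LOG"
```

Point the functions at /var/log/freeradius/radius.log instead of $SAMPLE_LOG to run them on a real server; a cron job that runs flag_guessing with a sensible threshold is a cheap first alert for credential guessing against the IdP.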

Part 3: Simulate and Resolve Authentication Issues
--------------------------------------------------

Scenario 1: User Not Found
--------------------------
- Simulate with an unknown username:
  radtest unknownuser@institution.ac.ke testpass localhost 0 testing123

- Expected: Access-Reject. The debug output shows the SQL/LDAP lookup
  returning nothing ("User not found") and, because no password was found for
  the user, "No Auth-Type found: rejecting the user"

- Resolution: Add the user via daloRADIUS or insert a row into radcheck
  manually. The attribute matters: MS-CHAPv2 (and therefore PEAP) needs a
  Cleartext-Password or NT-Password entry, while a hashed Crypt-Password or
  SSHA-Password entry only works for PAP.

Scenario 2: Wrong Password
--------------------------
- Simulate with a wrong password:
  radtest testuser@institution.ac.ke wrongpass localhost 0 testing123

- Expected: Access-Reject, with "Login incorrect" in radius.log and the pap
  module reporting that the cleartext password does not match the "known good"
  password (with -t mschap, the mschap module reports an incorrect
  MS-CHAP2-Response)

- Resolution: Reset the user's password in the database or daloRADIUS.
  Repeated rejects for one account from several NAS ports or clients are a
  password-guessing indicator, not a typo; check the client and
  Calling-Station-Id in the log before resetting anything.

Scenario 3: EAP Method Mismatch
-------------------------------
- Simulate with a misconfigured client that offers an EAP type the server does
  not have enabled (radtest cannot do this; use eapol_test or a real
  supplicant)

- Expected: an EAP error in the debug output such as "eap: Unknown EAP type"
  or "tls: Failed in ..."

- Resolution:
  - Ensure the client uses PEAP, TTLS, or TLS
  - Check the eap {} section in mods-enabled/eap: default_eap_type and the
    enabled method sub-sections must cover what the clients send

Scenario 4: Realm Not Routed
----------------------------
- Authenticate with a foreign realm that has no entry in proxy.conf:
  radtest visitor@foreign.edu testpass localhost 0 testing123

- Expected: the suffix module reports that the realm is unknown, the request
  is handled locally instead of being proxied, and it ends in Access-Reject
  because the user does not exist locally (unless a DEFAULT realm in
  proxy.conf forwards unknown realms)

- Resolution: Add the realm to proxy.conf, or forward all unknown realms to
  the national eduroam proxy (FLR) with a DEFAULT realm entry

Scenario 5: Invalid Shared Secret
---------------------------------
- Mismatch between the secret in clients.conf and the one configured on the
  NAS (or passed to radtest)

- Expected: for a PAP request the server decrypts User-Password with the wrong
  secret, gets garbage, and rejects with "Login incorrect"; if the request
  carries a Message-Authenticator (every EAP request does), the debug output
  says the Message-Authenticator is invalid and that the shared secret is
  incorrect. On the client side the reply fails authenticator verification, so
  radtest typically ends with "No reply from server". Do not confuse this with
  a NAS that is missing from clients.conf entirely: those requests are dropped
  with "Ignoring request ... from unknown client".

- Resolution: Confirm the secrets match between FreeRADIUS and the client
  device, and replace the shipped testing123 value before the server faces a
  real NAS
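Putting Parts 1 and 3 together, here is an added regression script (not part of the original lab) that runs the radtest cases above against a server and checks each reply against the expected outcome; it is the kind of check to run after every configuration change. Server, secret and credentials default to the lab values (localhost, testing123, testuser@institution.ac.ke/testpass) and can be overridden through the RADIUS_* environment variables, which are this script's own names. The sample radtest outputs used for the self-check are constructed from the lines radclient prints.

```sh
#!/bin/sh
# Added example: radtest regression matrix for the lab scenarios.
# Defaults are the lab's values; override with RADIUS_SERVER, RADIUS_SECRET,
# RADIUS_USER and RADIUS_PASS (names chosen for this script).
SERVER=${RADIUS_SERVER:-localhost}
SECRET=${RADIUS_SECRET:-testing123}
USER_OK=${RADIUS_USER:-testuser@institution.ac.ke}
PASS_OK=${RADIUS_PASS:-testpass}

# CONSTRUCTED samples of what radtest (radclient) prints, for the self-check.
SAMPLE_ACCEPT='Sent Access-Request Id 42 from 0.0.0.0:39211 to 127.0.0.1:1812 length 97
Received Access-Accept Id 42 from 127.0.0.1:1812 to 127.0.0.1:39211 length 20'
SAMPLE_REJECT='Sent Access-Request Id 43 from 0.0.0.0:39211 to 127.0.0.1:1812 length 97
Received Access-Reject Id 43 from 127.0.0.1:1812 to 127.0.0.1:39211 length 20'
SAMPLE_NOREPLY='Sent Access-Request Id 44 from 0.0.0.0:39211 to 127.0.0.1:1812 length 97
(0) No reply from server for ID 44 socket 3'

# Classify radtest output. A verified reply prints "Received Access-Accept" or
# "Received Access-Reject"; when no reply passes authenticator verification
# (server down, firewall, shared secret mismatch) it ends with "No reply".
classify_reply() {
  case "$1" in
    *"Received Access-Accept"*) echo ACCEPT ;;
    *"Received Access-Reject"*) echo REJECT ;;
    *"No reply from server"*)   echo NOREPLY ;;
    *)                          echo UNKNOWN ;;
  esac
}

# PASS if $3 is one of the space-separated acceptable outcomes in $2.
check_case() {  # $1 label, $2 acceptable outcomes, $3 got
  case " $2 " in
    *" $3 "*) printf 'PASS  %-24s %s\n' "$1" "$3"; return 0 ;;
  esac
  printf 'FAIL  %-24s expected %s, got %s\n' "$1" "$2" "$3"; return 1
}

# Run one radtest case. radtest exits non-zero on a reject, hence "|| true".
run_case() {  # $1 label, $2 acceptable outcomes, $3 auth type, $4 user, $5 password, $6 secret
  out=$(radtest -t "$3" "$4" "$5" "$SERVER" 0 "$6" 2>&1) || true
  check_case "$1" "$2" "$(classify_reply "$out")"
}

# The scenario matrix from Parts 1 and 3. The wrong-secret case may come back
# as REJECT or NOREPLY depending on the request; it must never be ACCEPT.
run_matrix() {
  fails=0
  run_case "pap valid credentials"    ACCEPT            pap    "$USER_OK" "$PASS_OK" "$SECRET" || fails=$((fails + 1))
  run_case "mschap valid credentials" ACCEPT            mschap "$USER_OK" "$PASS_OK" "$SECRET" || fails=$((fails + 1))
  run_case "pap wrong password"       REJECT            pap    "$USER_OK" "definitely-wrong" "$SECRET" || fails=$((fails + 1))
  run_case "pap unknown user"         REJECT            pap    "unknownuser@institution.ac.ke" "$PASS_OK" "$SECRET" || fails=$((fails + 1))
  run_case "pap unrouted realm"       REJECT            pap    "visitor@foreign.edu" "$PASS_OK" "$SECRET" || fails=$((fails + 1))
  run_case "wrong shared secret"      "REJECT NOREPLY"  pap    "$USER_OK" "$PASS_OK" "not-the-real-secret" || fails=$((fails + 1))
  echo "$fails case(s) failed"
  [ "$fails" -eq 0 ]
}

# Run the matrix only where radtest exists (i.e. on the RADIUS host itself);
# elsewhere just show that the classifier recognises the three outcomes.
if command -v radtest >/dev/null 2>&1; then
  run_matrix || echo "Check the freeradius -X output for the failing cases" >&2
else
  echo "radtest not found; classifier self-check:" \
    "$(classify_reply "$SAMPLE_ACCEPT")" "$(classify_reply "$SAMPLE_REJECT")" \
    "$(classify_reply "$SAMPLE_NOREPLY")"
fi
```

Run it alongside freeradius -X: a FAIL line tells you which scenario regressed, and the debug output for that request tells you why.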

Part 4: Best Practices Summary
------------------------------
- Always run initial tests with radtest before real deployment
- Use `freeradius -X` for real-time, line-by-line debugging, but only on a
  test host or for short sessions: the output contains cleartext passwords
- Keep auth_badpass and auth_goodpass set to no in radiusd.conf so attempted
  passwords never land in radius.log
- Keep logs rotated (logrotate) and readable only by root and the user the
  daemon runs as
- Replace the shipped testing123 secret and use a distinct, long secret per NAS
- Monitor with daloRADIUS (optional)
- Validate certs regularly and ensure CRLs are not expired
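As an added example for the last item (not part of the original lab), these POSIX shell checks use the openssl command line for the things that break eduroam authentication for every user at once: a server certificate about to expire, a server certificate that no longer chains to the CA named in the eap module's ca_file, and a CRL whose nextUpdate has passed (with check_crl = yes, an expired CRL fails every TLS handshake). The file names server.pem, ca.pem and ca.crl and the RADIUS_CERT_DIR variable are assumptions for this script; the self-test certificate is generated on the fly.

```sh
#!/bin/sh
# Added example: pre-flight checks for the EAP server certificate and CA CRL.
# File names and RADIUS_CERT_DIR are ASSUMED; the Debian/Ubuntu default
# certificate directory is /etc/freeradius/3.0/certs.

# 0 if the certificate is still valid $2 days from now (default 30), else 1.
cert_valid_for_days() {  # $1 cert.pem, $2 days
  openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

cert_not_after() { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }

# 0 if the server certificate verifies against the CA file.
chain_verifies() {  # $1 ca.pem, $2 server.pem
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# nextUpdate of a CRL; once this date has passed, check_crl = yes rejects
# every client certificate and TLS handshake that depends on the CRL.
crl_next_update() { openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//'; }

# Run all checks against a certificate directory; 0 only if everything passes.
preflight() {  # $1 dir containing server.pem, ca.pem and optionally ca.crl
  rc=0
  if cert_valid_for_days "$1/server.pem" 30; then
    echo "OK    server cert valid beyond 30 days (expires $(cert_not_after "$1/server.pem"))"
  else
    echo "FAIL  server cert expires within 30 days or is unreadable"; rc=1
  fi
  if chain_verifies "$1/ca.pem" "$1/server.pem"; then
    echo "OK    server cert chains to ca.pem"
  else
    echo "FAIL  server cert does not verify against ca.pem"; rc=1
  fi
  if [ -f "$1/ca.crl" ]; then
    echo "INFO  CRL nextUpdate: $(crl_next_update "$1/ca.crl")"
  fi
  return $rc
}

# Self-test helper: a throwaway self-signed certificate valid for $2 days
# (the CN is an assumed hostname). Being self-signed, it is also its own CA.
make_test_cert() {  # $1 dir, $2 days
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=radius.institution.ac.ke" \
    -keyout "$1/server.key" -out "$1/server.pem" >/dev/null 2>&1 \
  && cp "$1/server.pem" "$1/ca.pem"
}

# Real use: RADIUS_CERT_DIR=/etc/freeradius/3.0/certs sh cert_preflight.sh
if [ -n "${RADIUS_CERT_DIR:-}" ]; then
  preflight "$RADIUS_CERT_DIR"
fi
```

Schedule preflight from cron or a monitoring agent and alert on a non-zero exit; certificate expiry is far cheaper to catch 30 days out than on the morning every supplicant on campus stops authenticating.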

End
