GH-209: replace "remote_ip" field of radius.log with "tunnel_client"

The type of the field also changed from "addr" to "string" because the former cannot represent all possible values of the Tunnel-Client-Endpoint attribute, which may include FQDNs, not just IP addresses.
2025-10-02 06:38:20 +00:00 · 2019-06-05 11:11:49 -07:00 · 2019-06-05 11:11:49 -07:00 · ed113918e7
commit ed113918e7
parent 80fe3d5583
4 changed files with 19 additions and 13 deletions
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@ -24,9 +24,10 @@ export {
 		## and the network access server is not required to honor 
 		## the address.
 		framed_addr  : addr     &log &optional;
-		## Remote IP address, if present.  This is collected
-		## from the Tunnel-Client-Endpoint attribute.
-		remote_ip    : addr     &log &optional;
+		## Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
+		## if present.  This is collected from the Tunnel-Client-Endpoint
+		## attribute.
+		tunnel_client: string   &log &optional;
 		## Connect info, if present.
 		connect_info : string   &log &optional;
 		## Reply message from the server challenge. This is 
@ -85,8 +86,8 @@ event radius_message(c: connection, result: RADIUS::Message) &priority=5
 					c$radius$mac = normalize_mac(result$attributes[31][0]);

 				# Tunnel-Client-EndPoint (useful for VPNs)
-				if ( ! c$radius?$remote_ip && 66 in result$attributes )
-					c$radius$remote_ip = to_addr(result$attributes[66][0]);
+				if ( ! c$radius?$tunnel_client && 66 in result$attributes )
+					c$radius$tunnel_client = result$attributes[66][0];

 				# Connect-Info
 				if ( ! c$radius?$connect_info && 77 in result$attributes )