Documentation

Debug logging directive for outputting variable values and formatted strings to application logs

debug

The debug directive is used to output debug information to the application logs during AAA request processing. It helps troubleshoot policies by showing variable values and formatted strings at debug log level.

Syntax

The debug directive supports three forms:

1. Debug a variable getter

debug vars.test;

Outputs the variable path and its resolved values:

DEBUG Getter 'vars.test' -> Values ["test_value1"]

2. Debug a formatted string

debug "initial: %{vars.test}";

Outputs the format string and its evaluated result:

DEBUG Formatter 'initial: %{vars.test}' -> initial: test_value1

3. Debug with custom logger and context

debug {
    log "AUTHENTICATION";
    context "In authentication log %{vars.test}";
}

Sends the debug message to a specific AAA logger with a custom context message.

Examples

Basic variable debugging

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            authentication {
                modify {
                    vars.username = aaa.identity;
                }

                # Debug the variable
                debug vars.username;

                # Debug with formatted string
                debug "Processing user: %{vars.username}";

                accept;
            }
        }
    }
}

Debugging multivalue attributes

authentication {
    # Debug array values
    debug "The groups are %{user.group[*]} for user %{aaa.identity}";
    debug "🔴 Caching groups %{cache.groups[aaa.identity]} for user %{aaa.identity}";
}

Debugging before and after modifications

authentication {
    modify {
        vars.test = "test_value1";
    }

    debug "initial: %{vars.test}";

    modify {
        vars.test = "test_value2";
    }

    debug "after: %{vars.test}";

    accept;
}

Variable Debugging Behavior

Hierarchical vs. Flat Variables

When debugging variables, the behavior differs between built-in hierarchical variables and user-defined flat variables:

Built-in hierarchical variables (like aaa, user, radius, etc.) can be debugged at any level:

debug aaa;                    # Prints the full aaa context
debug aaa.identity;           # Prints just the identity
debug user;                   # Prints all user variables
debug user.group;             # Prints just the group

User-defined variables (stored in vars) are flat and require the full dotted path:

debug vars.something.else;    # Correct - use the full variable name
debug vars.something;         # Won't work - vars are not hierarchical
debug vars;                   # Won't work - must specify the full variable name

The key difference is that vars.something.else is a single flat variable name (the dots are part of the name), not a nested structure like aaa.identity.

Log Level

Debug messages are logged at the DEBUG log level. To see debug output, ensure your application logging is configured with loglevel debug;:

logging {
    application {
        console {
            loglevel debug;
        }
    }
}