Documentation

trace

Enable or disable per-request AAA pipeline tracing

trace

The trace action enables or disables detailed tracing for the current AAA request context. When enabled, Radiator logs each action execution and pipeline stage completion for the request, allowing you to trace the complete processing flow without enabling trace-level logging globally.

Syntax

trace on;
trace off;

Parameters

ValueDescription
onEnables tracing for the current request context
offDisables tracing for the current request context

Behavior

When trace on; is executed:

  • All subsequent actions in the pipeline are logged with detailed execution information
  • Pipeline stage completions (pre, main, post, final) are logged
  • Trace entries are logged at TRACE level but bypass the log level filter, so they appear in production logs without requiring trace-level logging globally

When trace off; is executed:

  • Tracing is disabled for the current request context
  • Subsequent actions are no longer logged unless global trace logging is enabled
  • Generally not required since the trace setting is per-request

The trace setting persists for the entire request processing, including across handler invocations within the same context.

Trace Log Output

See Pipeline trace logging for details on the log entry fields produced when tracing is enabled.

Examples

Conditional tracing for specific users

Enable tracing only for a specific user to troubleshoot authentication issues:

aaa {
    policy "DEFAULT" {
        handler "AUTHENTICATION" {
            pre-authentication {
                if all {
                    aaa.identity == "alice";
                } then {
                    trace on;
                }
            }

            authentication {
                backend {
                    name "USERS";
                    query "FIND_USER";
                }

                pap;
            }
        }
    }
}

Tracing requests from specific clients

Enable tracing for requests from a specific NAS:

pre-authentication {
    if all {
        radius.request.attr.NAS-IP-Address == 10.1.2.4;
    } then {
        trace on;
    }
}

Filtering trace logs

Use jq to filter JSON logs by context ID to see all trace entries for a single request:

jq -c 'select(.fields.context_id == "abc123")' radiator-server.log

Use Cases

  • Production troubleshooting: Enable tracing for specific users or clients without increasing log verbosity for all traffic
  • Debugging authentication failures: Trace requests that match certain criteria to understand the processing flow
  • Performance analysis: Use action_duration_micros to identify slow actions in the pipeline
  • debug - Output debug information to application logs
  • log - Log transactions with AAA logger
  • Logging - Log storage and formatting overview