This functionality was never defined in a standard and so varies from vendor to vendor. If this functionality is supported by the NAS (Network Access Server), then the NAS will copy the command entered by the user into a VSA (Vendor Specific Attribute). The NAS will then send that attribute to the RADIUS server in an Accounting-Request/Interim-Update along with attributes to identify the NAS and user. You will likely need to enable command logging via RADIUS explicitly in the NAS' configuration as it is almost never enabled by default.
For logging commands it's best to use the linelog module. You'll also need a conditional check to only call linelog if the command attribute is present in the Accounting-Request/Interim-Update packet, as these command logging packets will be mixed in with the normal accounting stream.
I've used HP-Command-String as the example attribute here, but the actual attribute will vary from vendor to vendor. You should examine the incoming Accounting-Request packets to see which VSA contains the command the user issued.
Add the following lines to your FreeRADIUS configuration files, and ensure mods-available/linelog is linked to mods-enabled/linelog.
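sites-available/default

    accounting {
        # Only call the linelog instance when the NAS included the command VSA
        if (&HP-Command-String) {
            log_commands
        }
    }

mods-available/linelog

    # Named linelog instance, called as "log_commands" in the accounting section
    linelog log_commands {
        # One line per command: the user and the command string sent by the NAS
        format = "user=%{User-Name}, command=%{HP-Command-String}"
        filename = ${logdir}/radius.log
    }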
After you restart freeradius you should see commands being appended to /var/log/radius/radius.log or /var/log/freeradius/radius.log depending on your distribution.
See mods-available/linelog for more configuration options for the linelog module.
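
Because ${logdir}/radius.log is also the server's default log file, the command lines end up interleaved with ordinary server messages. The following is an added example, not part of the original answer or of FreeRADIUS: a small parser that pulls only the `user=..., command=...` lines back out for review. The sample log content, user names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches only lines produced by the linelog format shown above:
#   user=<User-Name>, command=<command string>
# The command is the last field, so it may itself contain commas or '='.
# Assumption: user names do not contain the literal text ", command=".
LINE_RE = re.compile(r"^user=(?P<user>.*?), command=(?P<command>.*)$")

# Constructed sample of radius.log content (not real output): two server
# messages mixed with three command lines.
SAMPLE_LOG = """\
Tue Mar  5 10:00:00 2024 : Info: Ready to process requests
user=alice, command=show running-config
user=bob, command=vlan 10 name "lab, test"
Tue Mar  5 10:02:11 2024 : Info: constructed server message
user=alice, command=write memory
"""


def parse_commands(lines):
    """Return (records, skipped): records is a list of (user, command)
    tuples, skipped counts non-empty lines that are not command lines."""
    records, skipped = [], 0
    for line in lines:
        line = line.rstrip("\n")
        match = LINE_RE.match(line)
        if match is None:
            if line.strip():
                skipped += 1
            continue
        records.append((match.group("user"), match.group("command")))
    return records, skipped


def commands_by_user(records):
    """Group commands per user, preserving the order they were logged in."""
    grouped = defaultdict(list)
    for user, command in records:
        grouped[user].append(command)
    return dict(grouped)


if __name__ == "__main__":
    records, skipped = parse_commands(SAMPLE_LOG.splitlines())
    for user, commands in commands_by_user(records).items():
        print(f"{user}: {len(commands)} command(s)")
        for command in commands:
            print(f"    {command}")
    print(f"{skipped} non-command line(s) ignored")
```
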