PEAP / mschapv2 Error Messages

Garber, Neal Neal.Garber at energyeast.com
Fri Aug 14 17:45:26 CEST 2009


> Depends on the NAS. But yeah, doing this breaks things. The best thing you
> can do is log the error in the post-auth section.

In V1 of FR, the rlm_mschap module used to create a Module-Failure-Message request attribute containing the output of ntlm_auth, if ntlm_auth failed (rlm_ldap does this too on user not found).  This code was removed in V2.  I've tried adding it back in but it doesn't work because in V2 another trip occurs after the failure.  So, the Module-Failure-Message attribute no longer exists when the reject is issued.

I'd like to capture the ntlm_auth output for logging purposes and need it available when the reject is sent.  I've thought about storing it in the eap handler so it survives the next trip; but, I'm not sure if this is the best alternative.  Does this seem like a reasonable solution or can you think of a better approach?  

Just to be clear, I'm not proposing sending this info back to the NAS, just capturing it for logging (so that if the user calls our help desk, they can determine why the authentication failed by looking in the log).

Thanks for your advice.



