module-failure-message in exec module

[Franks Andy (RLZ) IT Systems Engineer]

Hi all,
  Trying to use the provided ntlm_auth exec module to authenticate users
where the NAS uses pap, which works fine. I just want to improve my
error reporting and pick up the return string from the failure of the
module, .e.g -
Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Looking around on the internet it seems I might use something like:

Auth-Type NTLM_AUTH {
                ntlm_auth
               if (ok) {
               }
               else {
                update reply {
                        reply-message += "%{Module-Failure-Message}"
                        }
               }
        }

But the else statement never seems to get processed :

Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)
[ntlm_auth] Exec: program returned: 1
++[ntlm_auth] returns reject
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}

Questions are - does the exec module return to the
Module-Failure-Message variable or another I can use, and why doesn't it
process the subsection of the auth-type section on failure?

Thanks
Andy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130606/54218af9/attachment.html>