More detailed login failures on linelog
R3DNano
r3dnano at gmail.com
Wed Feb 20 09:24:31 CET 2019
I tried with this in the inner-tunnel server post-auth section:
Post-Auth-Type REJECT {
# log failed authentications in SQL, too.
-sql
attr_filter.access_reject
#
# Let the outer session know which module failed, and why.
#
update outer.session-state {
&Module-Failure-Message :=
&request:Module-Failure-Message
}
update outer.session-state {
&User-Name := &User-Name
}
}
Regardless, it does show me the output of the eap module, instead of the
pap module which is the one that has that detail I need "password does not
match "known good" password"
The other option you mention is ulang: Where? in the pap module? and
finally you mention patching the code, which is a bit out of my league :)
Cheers
On Tue, Feb 19, 2019 at 1:33 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Feb 19, 2019, at 6:11 AM, R3DNano <r3dnano at gmail.com> wrote:
> >
> > I have been playing around with linelog in order to send all the status
> via
> > rsyslog to a remote machine and it has been working pretty well.
> > What I still don't manage to get is how to have more detailed
> > authentication failure messages in order to troubleshoot what went wrong.
> > I'm currently using %{Module-Failure-Message}, but i only get stuff like
> > "EAP module failure" instead of something more useful like "username is
> not
> > found in ldap" or "Password incorrect"
> > How can I do this?
>
> "not found in LDAP" isn't an authentication failure. "Password
> incorrect" is, and is likely available in the inner-tunnel virtual server.
>
> You can add Module-Failure-Message yourself via "unlang", or patch the
> source to add it in some modules.
>
> Otherwise, the server produces the messages it produces. And it only
> produces Module-Failure-Message for a few modules.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list