A more complex version replacing the previous version; this logs the escaped username, possibly useful if it contains various binary nonsense etc. --- src/modules/rlm_eap/eap.c | 12 ++++++++++-- 1 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c index e947844..6e2367e 100644 --- a/src/modules/rlm_eap/eap.c +++ b/src/modules/rlm_eap/eap.c @@ -953,6 +953,8 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t **eap_packet_p, eap_packet_t *eap_packet = *eap_packet_p; VALUE_PAIR *vp; + char ident_safe[MAX_STRING_LEN+1], username_safe[MAX_STRING_LEN+1]; + /* * Ensure it's a valid EAP-Request, or EAP-Response. */ @@ -1025,7 +1027,10 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t **eap_packet_p, */ if (strncmp(handler->identity, vp->vp_strvalue, MAX_STRING_LEN) != 0) { - radlog(L_ERR, "rlm_eap: Identity %s does not match User-Name %s. Authentication failed.", handler->identity, vp->vp_strvalue); + librad_safeprint(handler->identity, strlen(handler->identity), ident_safe, MAX_STRING_LEN); + librad_safeprint(vp->vp_strvalue, strlen(vp->vp_strvalue), username_safe, MAX_STRING_LEN); + + radlog(L_ERR, "rlm_eap: Identity %s does not match User-Name %s. Authentication failed.", ident_safe, username_safe); free(*eap_packet_p); *eap_packet_p = NULL; return NULL; @@ -1081,7 +1086,10 @@ EAP_HANDLER *eap_handler(rlm_eap_t *inst, eap_packet_t **eap_packet_p, */ if (strncmp(handler->identity, vp->vp_strvalue, MAX_STRING_LEN) != 0) { - radlog(L_ERR, "rlm_eap: Identity does not match User-Name, setting from EAP Identity."); + librad_safeprint(handler->identity, strlen(handler->identity), ident_safe, MAX_STRING_LEN); + librad_safeprint(vp->vp_strvalue, strlen(vp->vp_strvalue), username_safe, MAX_STRING_LEN); + + radlog(L_ERR, "rlm_eap: Identity %s does not match User-Name %s. Authentication failed.", ident_safe, username_safe); free(*eap_packet_p); *eap_packet_p = NULL; eap_handler_free(handler); -- 1.5.4.1