Hi Alan,
unfortunately not, see log below
If you tell that it works, I must do an error somewhere.
LOG:
Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_method = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
(7) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
(7) mschap : External script failed.
(7) ERROR: mschap : External script says: Logon failure (0xc000006d)
(7) ERROR: mschap : MS-CHAP2-Response is incorrect
(7) [mschap] = reject
(7) } # Auth-Type MS-CHAP = reject
(7) eap : Freeing handler
(7) [eap] = reject
(7) } # authenticate = reject
(7) Failed to authenticate the user.
(7) Using Post-Auth-Type Reject
(7) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(7) Post-Auth-Type REJECT {
(7) ? if (Module-Failure-Message =~ /.*Password Expired.*/i)
(7) ? if (Module-Failure-Message =~ /.*Password Expired.*/i) -> FALSE
(7) ? elsif (Module-Failure-Message =~ /.*Logon failure.*/i)
(7) ? elsif (Module-Failure-Message =~ /.*Logon failure.*/i) -> TRUE
(7) elsif (Module-Failure-Message =~ /.*Logon failure.*/i) {
(7) update outer.reply {
(7) Reply-Message += "Wrong Username or Password"
(7) } # update outer.reply = noop
(7) } # elsif (Module-Failure-Message =~ /.*Logon failure.*/i) = noop
(7) attr_filter.access_reject : expand: "%{User-Name}" -> 'RIF\oppciqws'
(7) attr_filter.access_reject : Matched entry DEFAULT at line 11
(7) [attr_filter.access_reject] = updated
(7) } # Post-Auth-Type REJECT = updated
} # server inner-tunnel
8) Failed to authenticate the user.
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/freeradius/sites-enabled/default
(8) Post-Auth-Type REJECT {
(8) sql : expand: ".query" -> '.query'
(8) sql : Using query template 'query'
rlm_sql (sql): Reserved connection (4)
(8) sql : expand: "%{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}}" -> 'oppciqws'
(8) sql : SQL-User-Name set to 'oppciqws'
(8) sql : expand: "hostname" -> 'hostname'
(8) sql : expand: "INSERT INTO radpostauth (username, realm, mac_address,ssid, access_point, reply, message, authdate, server) VALUES ( '%{toupper:%{SQL-User-Name}}', '%{Realm}', '%{Calling-Station-Id}', '%{toupper:%{Called-Station-SSID}}', '%{NAS-Identifier}', '%{reply:Packet-Type}', '%{reply:Reply-Message}', '%S', '%{config:hostname}')" -> 'INSERT INTO radpostauth (username, realm, mac_address,ssid, access_point, reply, message, authdate, server) VALUES ( 'OPPCIQWS', 'RIF', '70-6F-6C-00-00-00', '', '', 'Access-Reject', '', '2014-02-16 16:27:09', 'SRIFRADIUS')'
rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, realm, mac_address,ssid, access_point, reply, message, authdate, server) VALUES ( 'OPPCIQWS', 'RIF', '70-6F-6C-00-00-00', '', '', 'Access-Reject', '', '2014-02-16 16:27:09', 'SRIFRADIUS')'
rlm_sql (sql): Released connection (4)
Reply Message is empty in the last MYSQL INSERT
Thanks.
nicolas.clo@ricoh-industrie.fr wrote:
>
> Thanks Alan,
>
> I tested with this but it won't works in Post-Auth Reject section in
> inner-tunnel
> I can't update reply-Message called in default virtual server, it is empty.
> Actually, the only way that I have is to enable logging in the two
> virtual servers, but I have two lines in logs for 1 reject.
Set "use_tunneled_reply = yes"
The in the inner-tunnel post-auth section, do:
update reply {
Reply-Message := "... text ..."
}
That should work.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html