On 07/06/13 13:15, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi, Ok so I've played about and can get a decent failure reply from a script based solution. Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would like to get a response when a failure occurs from them, but it seems that Failure-Response-Message from the mschap isn't filled out. I've done a test like : Authenticate { .. Auth-Type MS-CHAP { mschap if (ok) { # } else { if (Module-Failure-Message) { update reply { reply-message += "Failed NTLM auth" } reject } } But the section never gets parsed - it goes straight to Post_auth reject based on the mschap module itself returning code 1.
Yes. As I said, you'll need to override the default module return actions, which are "return immediately" in the "authenticate" section for everything other than fail/invalid/noop/updated. Something like: authenticate { Auth-Type MS-CHAP { mschap { reject = 1 ok = 1 } if (!ok) { ... } } }
But Module-Failure-Message is empty;
As has been suggested, be careful about which post-auth is running (inner or outer). FreeRADIUS < 2.2.0 doesn't run post-auth reject for PEAP inner tunnel.
++? if (Module-Failure-Message) ? Evaluating (Module-Failure-Message) -> FALSE ++? if (Module-Failure-Message) -> FALSE
Am I doing something wrong? I also wondered if I could do something like use the mschap module with a custom script, returning NT_KEY or a failure string, but then I've no way to return the failure string because I assume the mschap module doesn't let you populate variables based on the output like exec does - there's no way of specifying output or input pairs for example. I could ditch the mschap module completely, but then am not sure how I would get all the mschap variables into a script and translate the NT_KEY back. It seems a bit OTT just to get a failure response written to the linelog/sql.
Now I'm confused. If you're doing mschap, just run the mschap module. It *will* populate the Module-Failure-Message attribute if ntlm_auth fails - you don't need to handle that yourself. If you're doing exec (i.e. checking PAP via ntlm_auth) then you don't need to return NT_KEY. If you're trying to do mschap via exec, you're doing it wrong. Don't do that. Most likely your problem is that you're getting confused by the inner-tunnel post-auth reject not running for PEAP in 2.1.x.