Hi all,

  Trying to use the provided ntlm_auth exec module to authenticate users where the NAS uses pap, which works fine. I just want to improve my error reporting and pick up the return string from the failure of the module, .e.g –

Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Looking around on the internet it seems I might use something like:

Auth-Type NTLM_AUTH {

                ntlm_auth

               if (ok) {

               }

               else {

                update reply {

                        reply-message += "%{Module-Failure-Message}"

                        }

               }

        }

But the else statement never seems to get processed :

Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a)

[ntlm_auth] Exec: program returned: 1

++[ntlm_auth] returns reject

Using Post-Auth-Type REJECT

# Executing group from file /usr/local/etc/raddb/sites-enabled/default

+- entering group REJECT {...}

Questions are – does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn’t it process the subsection of the auth-type section on failure?

Thanks

Andy