Alan DeKok wrote:
Just put a statement into the eduroam_idpi_inner virtual server. You will need to to catch the "handled" return code from the EAP module. That code says to stop processing the section, and retune.
So..
server eduroam_idpi_inner { ... authenticate { ...
Auth-Type EAP { eap { handled = 1 # don't return right away }
if (reply:MS-CHAP-Error) { # do logging of MS-CHAP-Error }
handled # which is what EAP tried to return above. }
}
That worked splendidly, thank you. Though it turned out the attribute populated was request:Module-Failure-Message.
For password changes there is code to use the text returned from ntlm_auth instead, but locked or disabled accounts just end up sending 691/"Authentication failed" instead of the actual error. So I quick-hacked the C code to pass on the code/message for locks and disables.
Do you have a patch?
The next time I do a pull I'll try to clean what I have up into something presentable. Thanks again.