Hi all, Trying to use the provided ntlm_auth exec module to authenticate users where the NAS uses pap, which works fine. I just want to improve my error reporting and pick up the return string from the failure of the module, .e.g - Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Looking around on the internet it seems I might use something like: Auth-Type NTLM_AUTH { ntlm_auth if (ok) { } else { update reply { reply-message += "%{Module-Failure-Message}" } } } But the else statement never seems to get processed : Exec output: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) Exec plaintext: NT_STATUS_WRONG_PASSWORD: Wrong Password (0xc000006a) [ntlm_auth] Exec: program returned: 1 ++[ntlm_auth] returns reject Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} Questions are - does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn't it process the subsection of the auth-type section on failure? Thanks Andy
On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
Questions are – does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn’t
No, sorry. "mschap" does when it does the internal "exec", but the "exec" module does not. You might be able to emulate this by wrapping your script and echoing the VPs on stdout.
it process the subsection of the auth-type section on failure?
That's the default return codes - see doc/configurable_failover{,.rst}
participants (2)
-
Franks Andy (RLZ) IT Systems Engineer -
Phil Mayers