Capturing ntlm_auth failure reasons in rlm_mschap

Garber, Neal Neal.Garber at
Fri Oct 13 07:05:03 CEST 2006

I would like ntlm_auth failure reasons more visible so our help desk can
assist users who are having trouble authenticating.  Currently, rlm_ldap
creates a request attribute called "Module-Failure-Message" on some
types of errors (e.g., user not found).  I created a small patch for
rlm_mschap that creates the same request attribute with the output from
ntlm_auth if authentication fails.  (Before someone asks how this lets
our help desk see the information, I have written a post-auth Perl
script that captures this and other attributes and writes them to a
custom log file.  Our help desk then uses a viewer utility I wrote to
search/display the logs.)


I have a similar desire to capture SSL negotiation failure reasons in
our logs.  I have created another patch to capture these failures as
well, although it is currently against FR 1.1.2.  If there's interest, I
can integrate this change to CVS head and submit it as well.


Below is the rlm_mschap patch for your review and comment.  This was
made against the CVS head I checked out on Oct. 12.


Thanks for your time and consideration.


--- src/modules/rlm_mschap/rlm_mschap.c.orig    Tue Oct  3 17:46:50 2006

+++ src/modules/rlm_mschap/rlm_mschap.c Thu Oct 12 15:32:04 2006

@@ -786,6 +786,9 @@

        } else {                /* run ntlm_auth */

                int     result;

                char    buffer[256];

+               VALUE_PAIR      *module_fmsg_vp;

+               char    module_fmsg[MAX_STRING_LEN];

+               int             module_fmsg_lastchr = 0;


                memset(nthashhash, 0, 16);
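
Review bot: the three new locals are declared for the whole ntlm_auth branch, but in the visible lines they are only used on the failure path, so they could be declared at the top of the "if (result != 0)" block instead. module_fmsg_lastchr receives strlen(module_fmsg)-1, so size_t is the matching type, and its "= 0" initializer is redundant because it is always assigned before it is read.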


@@ -798,6 +801,13 @@

                                             NULL, NULL, 1);

                if (result != 0) {

                        DEBUG2("  rlm_mschap: External script failed.");

+                       snprintf(module_fmsg, sizeof(module_fmsg),
"rlm_mschap: %s", buffer);

+                       module_fmsg_lastchr = strlen(module_fmsg)-1;

+                       if (module_fmsg[module_fmsg_lastchr] = '\n') {

+                               module_fmsg[module_fmsg_lastchr] = '\0';

+                       }

+                       module_fmsg_vp =
pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);

+                       pairadd(&request->packet->vps, module_fmsg_vp);

                        return -1;
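
Review bot: the newline test "if (module_fmsg[module_fmsg_lastchr] = '\n')" is an assignment, not a comparison, so the condition is always true and the last character of the message is replaced with '\0' even when the ntlm_auth output does not end in a newline. It should use "==". The index itself is safe, because the "rlm_mschap: " prefix guarantees a non-empty string. Separately, the result of pairmake() goes straight into pairadd() with no NULL check; suggest testing module_fmsg_vp first and skipping the add if it is NULL. A short comment saying that buffer holds the ntlm_auth output at this point would also help the reader.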




More information about the Freeradius-Devel mailing list