Capturing Access-Reject data in the radpostauth table

Alan DeKok aland at
Thu Apr 29 08:02:56 CEST 2010

Aaron Paetznick wrote:
> I'm sorry, your explanation wasn't clear to me.  How can I expose
> Module-Failure-Message to or reference Module-Failure-Message within
> rlm_sql?
> This, also, didn't work for me:
> post-auth {
>     ...
>         Post-Auth-Type REJECT {
>                 update reply {
>                         Reply-Message += "You got: %{Module-Failure-Message}"
>                 }

  OK... if the Module-Failure-Message doesn't exist, it won't work.

  But the log message *uses* it:

Login incorrect (rlm_pap: CLEAR TEXT password check failed) ..

  The text between the () *is* the Module-Failure-Message attribute.
See src/main/auth.c.

  So we know it exists, the previous log message you posted shows it.
And the server core doesn't delete it, so it *should* always exist after
the PAP module creates it.

  Alan DeKok.
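
Added example (not part of the original post, and not FreeRADIUS code): a Python sketch that pulls the parenthesised text, i.e. the Module-Failure-Message described above, out of "Login incorrect" lines in radius.log and tallies the reasons. The log line layout, the function names and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed radius.log "Auth:" layout.
# Timestamps, users and clients are made up; one line carries a logged
# bad password after the "/" to show that it is not kept.
SAMPLE_LOG = """\
Thu Apr 29 08:01:10 2010 : Auth: Login OK: [alice] (from client nas1 port 3)
Thu Apr 29 08:01:12 2010 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob] (from client nas1 port 4)
Thu Apr 29 08:01:15 2010 : Auth: Login incorrect: [carol] (from client nas2 port 1)
Thu Apr 29 08:01:19 2010 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password check failed): [bob/hunter2] (from client nas1 port 4)
Thu Apr 29 08:01:25 2010 : Info: Ready to process requests.
"""

# "Login incorrect", an optional " (<Module-Failure-Message>)", then ": [user".
# The user capture stops at "/" so a logged password never leaves this parser.
REJECT_RE = re.compile(
    r"Auth: Login incorrect(?: \((?P<msg>.*?)\))?: \[(?P<user>[^\]/]*)"
)


def failure_messages(log_text):
    """Yield (user, message) for each rejected login.

    message is None when the line has no parenthesised text, i.e. no
    module set Module-Failure-Message for that request.
    """
    for line in log_text.splitlines():
        match = REJECT_RE.search(line)
        if match:
            yield match.group("user"), match.group("msg")


def tally(log_text):
    """Count rejects per failure message, keeping the 'no message' case visible."""
    return Counter(
        msg or "<no Module-Failure-Message>"
        for _user, msg in failure_messages(log_text)
    )


if __name__ == "__main__":
    for reason, count in tally(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {reason}")
```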
