how to get this logentry correct
Cor Bosman
cor at xs4all.nl
Sun Jul 17 21:09:56 CEST 2011
Hey all, I've set up a radius daemon to verify OTPs. It's all working just fine, except for the log entries on failure to give the correct OTP. Here is the virtual server I've set up:
server oath {
    client XXXXXXXX {
        secret = XXXXXXXXXX
        shortname = oath
    }
    listen {
        type = auth
        ipaddr = *
        port = 4000
    }
    listen {
        type = acct
        ipaddr = *
        port = 4001
    }
    authorize {
        preprocess
        if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) {
            update control {
                Auth-Type := Reject
            }
        }
        else {
            files
        }
    }
    accounting {
        radutmp
        exec
    }
    post-auth {
        exec
    }
}
The actual OTP script is run from the users file, as per the directions of the script author.
DEFAULT Auth-Type = Accept
        Exec-Program-Wait = "/usr/sbin/multiotp -log %{User-Name} %{User-Password}",
        Reply-Message = "Hello, %{User-Name}"
This works fine. If I give the correct pin+OTP I can login, and with a wrong one I can't. Freeradius -X on a wrong OTP says:
server oath {
# Executing section authorize from file /etc/freeradius/sites-enabled/oath
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/))
expand: %{request:User-Password} -> 1234383980
?? Evaluating ("%{request:User-Password}" =~ /^[0-9]{10,10}$/) -> TRUE
? Converting !TRUE -> FALSE
++? if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) -> FALSE
++- entering else else {...}
[files] users: Matched entry DEFAULT at line 203
[files] expand: /usr/sbin/multiotp -log %{User-Name} %{User-Password} -> /usr/sbin/multiotp -log cor XXXXXXXX
[files] expand: Hello, %{User-Name} -> Hello, cor
+++[files] returns ok
++- else else returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
Login OK: [cor] (from client oath port 10)
# Executing section post-auth from file /etc/freeradius/sites-enabled/oath
+- entering group post-auth {...}
Exec-Program output:
Exec-Program: returned: 26
[exec] Login incorrect (external check said so)
++[exec] returns reject
} # server oath
Sending Access-Reject of id 151 to 194.109.42.42 port 42619
Reply-Message = "Hello, cor"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 151 with timestamp +6
I'm using 'exec' in post-auth to use the return code of the script to reject the login. I don't know of another way to do this. Unfortunately this does mean that I'm seeing this in syslog:
Jul 17 20:55:58 otpauth1 freeradius[24891]: Login OK: [cor] (from client oath port 10)
Is there a way to have freeradius properly give a login rejected msg in syslog?
Regards,
Cor
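One way to get a bad OTP logged as a failed login, as an added example that is not part of Cor's post or of the multiOTP project: run the script as an rlm_exec instance inside the authenticate section instead of via Exec-Program-Wait in post-auth, so the accept/reject decision is made after the script has exited. The instance name otp_check and the modules file path are assumptions; the multiotp command line and the ten-digit check are the ones from the post.

```conf
# /etc/freeradius/modules/otp_check   (assumed path; instance name assumed)
exec otp_check {
    wait = yes
    program = "/usr/sbin/multiotp -log %{User-Name} %{User-Password}"
    input_pairs = request
    shell_escape = yes
    # rlm_exec maps the exit status as: 0 = ok, 1 = reject, 2 = fail,
    # 3 = ok, 4 = handled, 5 = invalid, 6 = userlock, 7 = notfound,
    # 8 = noop, 9 = updated, anything above 9 = fail.  The 26 seen in the
    # debug output above therefore becomes fail, so authenticate does not
    # return ok and the core logs "Login incorrect" and sends Access-Reject.
}

# /etc/freeradius/sites-enabled/oath   (client and listen blocks unchanged)
server oath {
    authorize {
        preprocess
        if (!("%{request:User-Password}" =~ /^[0-9]{10,10}$/)) {
            update control {
                Auth-Type := Reject
            }
        }
        else {
            # Hand the request to the exec instance instead of forcing Accept.
            update control {
                Auth-Type := otp_check
            }
            update reply {
                Reply-Message := "Hello, %{User-Name}"
            }
        }
    }
    authenticate {
        Auth-Type otp_check {
            otp_check
        }
    }
    accounting {
        radutmp
    }
    post-auth {
        # No exec here: the OTP result is already decided in authenticate.
    }
}
```

With this layout the users-file DEFAULT entry with Auth-Type = Accept is no longer needed for this server, and a wrong OTP shows up in syslog as "Login incorrect" rather than "Login OK" followed by a post-auth reject.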