linelog and rlm_eap

Kolbjørn Barmen kolbjorn.barmen at
Fri Mar 11 11:42:30 CET 2011

On Fri, 11 Mar 2011, Alan DeKok wrote:

> Kolbjørn Barmen wrote:
> > What I meant to ask for, is some way of having more usefull information
> > from failed logins. Today we're using ldap backend, and the only error
> > message that comes in the log is "rlm_ldap: User not found", regardless
> > of what the real cause is.
>   There may be *multiple* "real causes".  Which ones do you want?

I cannot remember to have seen multiple causes in play at once, but if
that is the case, why not all of them? What I typically see is only one
issue being the cause of a Reject. Of course there may be more, so that
if you sort out one issue, it will just fail at the next one. But for
any given attempt to authenticate, there is only one. Right?

> > Typically the only way I have found today is
> > to run debugging and read through the entire session to see what the
> > output from the various rlm_eap_*-modules is. Would be excellent if one
> > could use linelog to create a log of how the eap-negotiation progresses
> > for every login.
>   As always, patches are welcome.
>   The EAP module will have to export an attribute describing it's
> current state.  This will likely have to be done for every EAP sub-type,
> too.

Aha, so linelog can only deal with attributes? Then I suppose the answer
to my original question is just "no". That's ok, I just wanted a clear
answer before I attemped to do something that would not work anyways.

It would be nice if there was a way for a module to pass on error messages,
if any, from "child" module instead of just printing its own, so that if a
user is rejected due to wrong password for mschapv2, the error message
from the rlm_eap_mschapv2 module would be printed instead of that from
rlm_ldap, for example. Just wishfull thinking.

Kolbjørn Barmen
UNINETT Driftsenter

More information about the Freeradius-Users mailing list