ntlm_auth authentication results logging messages
James J J Hooper
jjj.hooper at bristol.ac.uk
Thu May 19 22:28:10 CEST 2011
On 19/05/2011 21:00, Garber, Neal wrote:
>> I found a similar user in an old thread who submitted a patch:
>> (http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html)
>> And it appears that this patch made it into the rlm_mschap.c module code:
>
> I submitted that patch and it was included in FR v1. Unfortunately,
> a change in v2 regressed this functionality. In v2, there's now an additional round trip, so the ntlm_auth results need to be saved - they
> are saved, in the current version, for success; but, not for failure.
> I submitted another patch for v2 last year that saves the ntlm_auth
> results for failures as well; but, it required rework (Alan wanted it
> split into two separate patches) and I haven't had a chance to rework
> it yet. Other, really nice mschap patches have been submitted
> since then (thank you Phil), so the rework, for me, is now a bit more.
Note that needing the results saved is probably because you want to do
something with the information in post-auth.
John, if you just want to log the information you can do something like
[in the inner-tunnel file]:
authenticate {
    Auth-Type MS-CHAP {
        mschap {
            # give "reject" a numeric priority instead of the default "return",
            # so the section carries on to the if() below instead of stopping here
            reject = 1
        }
        if (reject) {
            linelog
            reject
        }
    }
    ...
}
The linelog module (or any other module you want to use e.g. SQL) can log
to a file or syslog or something else at this point. The information you
want will be in the %{Module-Failure-Message} and %{reply:MS-CHAP-Error}
attributes.
We use linelog extensively to syslog to a file and then have a webpage
that does the equivalent of tail the file and refresh routinely - very
easy for the help desk staff to see what is going on without needing to
ssh to anything.
-James
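As an added example (not from the original thread), this is how the bare `linelog` call in the snippet above could be backed by a dedicated linelog instance that writes out the two attributes named in the mail; the instance name `mschap_fail_log`, the syslog facility and the line format are assumptions of this example, as is the NAS-IP-Address field.

```conf
# modules/linelog (FreeRADIUS 2.x): one instance reserved for MS-CHAP failures.
# Instance name, facility and format are assumptions, not taken from the thread.
linelog mschap_fail_log {
    # "syslog" as the filename sends the line to syslog instead of a flat file
    filename = syslog
    syslog_facility = auth
    # Module-Failure-Message carries the ntlm_auth text; MS-CHAP-Error holds the
    # "E=<code> ..." string that rlm_mschap places in the reply
    format = "mschap-fail user=\"%{User-Name}\" nas=%{NAS-IP-Address} error=\"%{reply:MS-CHAP-Error}\" reason=\"%{Module-Failure-Message}\""
}

# sites-enabled/inner-tunnel: call that instance only when mschap rejected
authenticate {
    Auth-Type MS-CHAP {
        mschap {
            # numeric priority instead of the default "return", so the
            # section continues to the if() rather than stopping here
            reject = 1
        }
        if (reject) {
            mschap_fail_log
            reject
        }
    }
}
```

Each rejected inner-tunnel attempt then yields one syslog line with the user, the NAS and both error strings, which is what a help-desk tail or webpage needs to show why a login failed.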