module-failure-message in exec module

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Fri Jun 7 14:15:19 CEST 2013

  Ok so I've played about and can get a decent failure reply from a
script based solution. 
Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would
like to get a response when a failure occurs from them, but it seems
that Failure-Response-Message from the mschap isn't filled out. I've
done a test like :
Authenticate {
        Auth-Type MS-CHAP {
 	if (ok) {
  	else {
     	if (Module-Failure-Message) {
	     	update reply {
			reply-message += "Failed NTLM auth"
But the section never gets parsed - it goes straight to Post_auth reject
based on the mschap module itself returning code 1. So I put this in the
post_auth reject section :
if (Module-Failure-Message) {
        update reply {
                reply-message := "%{Module-Failure-Message}"
But Module-Failure-Message is empty;

++? if (Module-Failure-Message)
? Evaluating (Module-Failure-Message) -> FALSE
++? if (Module-Failure-Message) -> FALSE

Am I doing something wrong?
I also wondered if I could do something like use the mschap module with
a custom script, returning NT_KEY or a failure string, but then I've no
way to return the failure string because I assume the mschap module
doesn't let you populate variables based on the output like exec does -
there's no way of specifying output or input pairs for example.
I could ditch the mschap module completely, but then am not sure how I
would get all the mschap variables into a script and translate the
NT_KEY back. It seems a bit OTT just to get a failure response written
to the linelog/sql.
Any ideas?

-----Original Message-----
From: at
[ at lists.freeradiu] On Behalf Of Phil Mayers
Sent: 06 June 2013 17:48
To: freeradius-users at
Subject: Re: module-failure-message in exec module

On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
> Questions are - does the exec module return to the
> Module-Failure-Message variable or another I can use, and why doesn't

No, sorry. "mschap" does when it does the internal "exec", but the 
"exec" module does not. You might be able to emulate this by wrapping 
your script and echoing the VPs on stdout.

> it process the subsection of the auth-type section on failure?

That's the default return codes - see doc/configurable_failover{,.rst}

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list