module-failure-message in exec module

Franks Andy (RLZ) IT Systems Engineer Andy.Franks at
Fri Jun 7 14:46:32 CEST 2013

Ok, so the other questions stand, but an update to say the problem is
the variable is not coming back to the default VS from the inner tunnel
which I didn't at first spot. I had this problem recently and couldn't
work it out : 
how do we copy control attributes from the inner tunnel to the outer in
PEAP or is it not possible..?

-----Original Message-----
From: at
[ at lists.freeradiu] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:15
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

  Ok so I've played about and can get a decent failure reply from a
script based solution. 
Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would
like to get a response when a failure occurs from them, but it seems
that Failure-Response-Message from the mschap isn't filled out. I've
done a test like :
Authenticate {
        Auth-Type MS-CHAP {
 	if (ok) {
  	else {
     	if (Module-Failure-Message) {
	     	update reply {
			reply-message += "Failed NTLM auth"
But the section never gets parsed - it goes straight to Post_auth reject
based on the mschap module itself returning code 1. So I put this in the
post_auth reject section :
if (Module-Failure-Message) {
        update reply {
                reply-message := "%{Module-Failure-Message}"
But Module-Failure-Message is empty;

++? if (Module-Failure-Message)
? Evaluating (Module-Failure-Message) -> FALSE
++? if (Module-Failure-Message) -> FALSE

Am I doing something wrong?
I also wondered if I could do something like use the mschap module with
a custom script, returning NT_KEY or a failure string, but then I've no
way to return the failure string because I assume the mschap module
doesn't let you populate variables based on the output like exec does -
there's no way of specifying output or input pairs for example.
I could ditch the mschap module completely, but then am not sure how I
would get all the mschap variables into a script and translate the
NT_KEY back. It seems a bit OTT just to get a failure response written
to the linelog/sql.
Any ideas?

-----Original Message-----
From: at
[ at lists.freeradiu] On Behalf Of Phil Mayers
Sent: 06 June 2013 17:48
To: freeradius-users at
Subject: Re: module-failure-message in exec module

On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
> Questions are - does the exec module return to the
> Module-Failure-Message variable or another I can use, and why doesn't

No, sorry. "mschap" does when it does the internal "exec", but the 
"exec" module does not. You might be able to emulate this by wrapping 
your script and echoing the VPs on stdout.

> it process the subsection of the auth-type section on failure?

That's the default return codes - see doc/configurable_failover{,.rst}

List info/subscribe/unsubscribe? See
List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list