module-failure-message in exec module

stefan.paetow at diamond.ac.uk
Fri Jun 7 15:05:57 CEST 2013


Andy, 

You may want to try setting it in the inner-tunnel's post-auth section:

if (Module-Failure-Message) {
	update outer.reply  {
		Module-Failure-Message := "%{Module-Failure-Message}"
	}
}

That way the response is copied to the outer reply.

With Regards

Stefan


-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:47
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

OK, so the other questions stand, but an update to say the problem is that the variable is not coming back to the default VS from the inner tunnel, which I didn't at first spot. I had this problem recently and couldn't work it out:
how do we copy control attributes from the inner tunnel to the outer in PEAP, or is it not possible?
Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:15
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

Hi,
  OK, so I've played about and can get a decent failure reply from a script-based solution.
Moving on to those NAS clients that actually do PEAP/MSCHAP: I would like to get a response when a failure occurs from them, but it seems that Failure-Response-Message from the mschap isn't filled out. I've done a test like:
authenticate {
	# ..
	Auth-Type MS-CHAP {
		mschap
		if (ok) {
			#
		}
		else {
			if (Module-Failure-Message) {
				update reply {
					Reply-Message += "Failed NTLM auth"
				}
				reject
			}
		}
	}
}
But the section never gets parsed: it goes straight to post-auth reject based on the mschap module itself returning code 1. So I put this in the post-auth reject section:
if (Module-Failure-Message) {
	update reply {
		Reply-Message := "%{Module-Failure-Message}"
	}
}
But Module-Failure-Message is empty:

++? if (Module-Failure-Message)
? Evaluating (Module-Failure-Message) -> FALSE
++? if (Module-Failure-Message) -> FALSE

Am I doing something wrong?
I also wondered if I could do something like use the mschap module with a custom script, returning NT_KEY or a failure string, but then I've no way to return the failure string because I assume the mschap module doesn't let you populate variables based on the output like exec does - there's no way of specifying output or input pairs for example.
I could ditch the mschap module completely, but then am not sure how I would get all the mschap variables into a script and translate the NT_KEY back. It seems a bit OTT just to get a failure response written to the linelog/sql.
Any ideas?
Thanks
Andy

-----Original Message-----
From: freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org [mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 06 June 2013 17:48
To: freeradius-users at lists.freeradius.org
Subject: Re: module-failure-message in exec module

On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
> Questions are - does the exec module return to the 
> Module-Failure-Message variable or another I can use, and why doesn't

No, sorry. "mschap" does when it does the internal "exec", but the "exec" module does not. You might be able to emulate this by wrapping your script and echoing the VPs on stdout.

> it process the subsection of the auth-type section on failure?
>

That's the default return codes - see doc/configurable_failover{,.rst}
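
As an added example, not code from the thread or from FreeRADIUS itself: a wrapper script of the kind Phil suggests. rlm_exec with "wait = yes" parses the program's stdout as attribute pairs and adds them to the list named by output_pairs, so with "output_pairs = request" the script can set Module-Failure-Message itself, which is the attribute Andy's "if (Module-Failure-Message)" block in post-auth tests for. The check itself (a hard-coded allow-list), the module name check_user, the script path and the user names are all constructed for the example. The part worth keeping is the escaping: rlm_exec treats each newline in the output as a pair separator and parses double-quoted values, so a User-Name containing a double quote or a newline that is echoed unescaped lets the client inject arbitrary attributes into the request list. Whatever goes into Module-Failure-Message is also what Stefan's snippet copies into the outer reply, so keep it to text you are happy for the client to see and put back-end detail in the log instead.

```shell
#!/bin/sh
# check_user.sh: added example, not from the thread or from FreeRADIUS.
# Assumed (hypothetical) rlm_exec instance in raddb/modules/:
#
#   exec check_user {
#       wait = yes
#       program = "/usr/local/bin/check_user.sh --radius"
#       input_pairs = request      # request attrs exported as env vars
#       output_pairs = request     # stdout "Attr op value" lines -> request list
#       shell_escape = yes
#   }
#
# and "Auth-Type check_user { check_user }" in the authenticate section.
# rlm_exec maps exit status 0 to ok, 1 to reject, 2 to fail, and exports
# request attributes uppercased with '-' -> '_' (User-Name -> USER_NAME).

# Escape a string for use inside a double-quoted attribute value:
# drop CR/LF (rlm_exec treats newlines as pair separators), then
# backslash-escape backslashes and double quotes so a crafted User-Name
# cannot close the quote and append "Auth-Type := Accept" or similar.
radius_quote() {
    printf '%s' "$1" | tr -d '\r\n' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit one attribute pair on stdout in the form rlm_exec parses.
# $1 = attribute name, $2 = raw (unescaped) value.
emit_pair() {
    printf '%s := "%s"\n' "$1" "$(radius_quote "$2")"
}

# The actual decision. Constructed stand-in for a real back-end call:
# alice and bob are accepted, everyone else is rejected.
check_user() {
    case "$1" in
        alice|bob) return 0 ;;
        *)         return 1 ;;
    esac
}

main() {
    user="${USER_NAME:-}"
    if [ -z "$user" ]; then
        emit_pair Module-Failure-Message "check_user: no User-Name in request"
        exit 1
    fi
    if check_user "$user"; then
        exit 0
    fi
    # Only the escaped value reaches the request list; the raw name is logged
    # by whatever reads Module-Failure-Message (linelog, sql, ...).
    emit_pair Module-Failure-Message "check_user: backend rejected user $user"
    exit 1
}

# rlm_exec calls the script with --radius; without it (e.g. when the file is
# sourced by a test harness) only the functions are defined.
if [ "${1:-}" = "--radius" ]; then
    main
fi
```

Try it by hand with USER_NAME='x", Auth-Type := Accept, y := "' ./check_user.sh --radius; echo $?  and note that the output is a single Module-Failure-Message line with the quotes escaped and exit status 1. The Reply-Message for the NAS is then set from Module-Failure-Message in unlang, as in Andy's post-auth snippet, rather than by the script, so the same attribute feeds both the log and (if wanted) the client.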


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
