module-failure-message in exec module
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jun 7 15:37:42 CEST 2013
On 07/06/13 13:15, Franks Andy (RLZ) IT Systems Engineer wrote:
> Hi,
> Ok so I've played about and can get a decent failure reply from a
> script based solution.
> Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would
> like to get a response when a failure occurs from them, but it seems
> that Failure-Response-Message from the mschap isn't filled out. I've
> done a test like :
> authenticate {
>     ..
>     Auth-Type MS-CHAP {
>         mschap
>         if (ok) {
>             #
>         }
>         else {
>             if (Module-Failure-Message) {
>                 update reply {
>                     Reply-Message += "Failed NTLM auth"
>                 }
>                 reject
>             }
>         }
>     }
> }
> But the section never gets parsed - it goes straight to post-auth reject
> based on the mschap module itself returning code 1.
Yes. As I said, you'll need to override the default module return
actions, which are "return immediately" in the "authenticate" section
for everything other than fail/invalid/noop/updated. Something like:
authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 1
            ok = 1
        }
        if (!ok) {
            ...
        }
    }
}
> But Module-Failure-Message is empty;
As has been suggested, be careful about which post-auth is running
(inner or outer). FreeRADIUS < 2.2.0 doesn't run post-auth reject for
PEAP inner tunnel.
>
> ++? if (Module-Failure-Message)
> ? Evaluating (Module-Failure-Message) -> FALSE
> ++? if (Module-Failure-Message) -> FALSE
>
> Am I doing something wrong?
> I also wondered if I could do something like use the mschap module with
> a custom script, returning NT_KEY or a failure string, but then I've no
> way to return the failure string because I assume the mschap module
> doesn't let you populate variables based on the output like exec does -
> there's no way of specifying output or input pairs for example.
> I could ditch the mschap module completely, but then am not sure how I
> would get all the mschap variables into a script and translate the
> NT_KEY back. It seems a bit OTT just to get a failure response written
> to the linelog/sql.
Now I'm confused.
If you're doing mschap, just run the mschap module. It *will* populate
the Module-Failure-Message attribute if ntlm_auth fails - you don't need
to handle that yourself.
If you're doing exec (i.e. checking PAP via ntlm_auth) then you don't
need to return NT_KEY.
If you're trying to do mschap via exec, you're doing it wrong. Don't do
that.
Most likely your problem is that you're getting confused by the
inner-tunnel post-auth reject not running for PEAP in 2.1.x.