Module-Failure-Message when using PEAP or TTLS

Alan DeKok aland at
Mon Dec 8 16:37:05 CET 2014

On Dec 8, 2014, at 7:08 AM, Dean Goldhill <dgoldhill at> wrote:
> When using EAP PEAP or TTLS, if I try to write the ‘%{Module-Failure-Message}’ in the post-auth section to SQL, the value is blank when the reason is incorrect password.
> When using a non-tunnelled authentication protocol, it correctly displays ‘rlm_pap: CLEAR TEXT password check failed’

  In v3.0.5, you need to cache the Module-Failure-Message

- in inner-tunnel, post-auth-type Reject, do:

	update outer.session-state {
		Module-Failure-Message := &request:Module-Failure-Message

  And then in the “default” virtual server, post-auth section, you can use:


  Which says “use the saved message from the inner tunnel, but if that doesn’t exist, use the failure message from the outer session”.

> I think I know why this is happening,  because the rejection happens prior to the last message in the EAP sequence, so the value of the module-failure-message is no longer populated in the last message sent to the device, which is when the post-auth is done.


  Alan DeKok.

More information about the Freeradius-Users mailing list