Module-Failure-Message when using PEAP or TTLS

[Dean Goldhill]

Hello,

I am sorry that I didn't mentioned that I am running FR 2, not 3.

When I try your example, I get a startup error:
Module: Checking post-auth {...} for more modules to load
/etc/raddb/sites-enabled/inner-tunnel[303]: Unknown attribute list "outer.session-state"
/etc/raddb/sites-enabled/inner-tunnel[303]: Failed to parse "update" subsection.


I assume this only works in version 3?


-----Original Message-----
From: freeradius-users-bounces+dgoldhill=netutils.com at lists.freeradius.org [mailto:freeradius-users-bounces+dgoldhill=netutils.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 08 December 2014 15:37
To: FreeRadius users mailing list
Subject: Re: Module-Failure-Message when using PEAP or TTLS

On Dec 8, 2014, at 7:08 AM, Dean Goldhill <dgoldhill at netutils.com> wrote:
> When using EAP PEAP or TTLS, if I try to write the '%{Module-Failure-Message}' in the post-auth section to SQL, the value is blank when the reason is incorrect password.
> When using a non-tunnelled authentication protocol, it correctly displays 'rlm_pap: CLEAR TEXT password check failed'

  In v3.0.5, you need to cache the Module-Failure-Message

- in inner-tunnel, post-auth-type Reject, do:

	update outer.session-state {
		Module-Failure-Message := &request:Module-Failure-Message
	}

  And then in the "default" virtual server, post-auth section, you can use:

	%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}

  Which says "use the saved message from the inner tunnel, but if that doesn't exist, use the failure message from the outer session".

> I think I know why this is happening,  because the rejection happens prior to the last message in the EAP sequence, so the value of the module-failure-message is no longer populated in the last message sent to the device, which is when the post-auth is done.

  Yes.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html