Module-Failure-Message when using PEAP or TTLS
Dean Goldhill
dgoldhill at netutils.com
Tue Dec 9 11:48:42 CET 2014
Hello,
I am sorry that I didn't mention that I am running FR 2, not 3.
When I try your example, I get a startup error:
Module: Checking post-auth {...} for more modules to load
/etc/raddb/sites-enabled/inner-tunnel[303]: Unknown attribute list "outer.session-state"
/etc/raddb/sites-enabled/inner-tunnel[303]: Failed to parse "update" subsection.
I assume this only works in version 3?
-----Original Message-----
From: freeradius-users-bounces+dgoldhill=netutils.com at lists.freeradius.org [mailto:freeradius-users-bounces+dgoldhill=netutils.com at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 08 December 2014 15:37
To: FreeRadius users mailing list
Subject: Re: Module-Failure-Message when using PEAP or TTLS
On Dec 8, 2014, at 7:08 AM, Dean Goldhill <dgoldhill at netutils.com> wrote:
> When using EAP PEAP or TTLS, if I try to write the '%{Module-Failure-Message}' in the post-auth section to SQL, the value is blank when the reason is incorrect password.
> When using a non-tunnelled authentication protocol, it correctly displays 'rlm_pap: CLEAR TEXT password check failed'
In v3.0.5, you need to cache the Module-Failure-Message
- in inner-tunnel, post-auth-type Reject, do:
    update outer.session-state {
        Module-Failure-Message := &request:Module-Failure-Message
    }
And then in the "default" virtual server, post-auth section, you can use:
%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}
Which says "use the saved message from the inner tunnel, but if that doesn't exist, use the failure message from the outer session".
> I think I know why this is happening, because the rejection happens prior to the last message in the EAP sequence, so the value of the module-failure-message is no longer populated in the last message sent to the device, which is when the post-auth is done.
Yes.
Alan DeKok.