Logging mschap error when send_error=yes
Alan DeKok
aland at deployingradius.com
Mon Nov 2 19:38:56 CET 2015
On Nov 2, 2015, at 1:12 PM, Brian Julin <BJulin at clarku.edu> wrote:
> Currently I'm configuring new servers for an eventual 3.0.x migration,
> and decided to take a look at password-change. I have not got that far yet,
> just as far as playing around with the server behavior when EAP-MCHAPv2 is set
> to send_error = yes, which is a prerequisite for that. As soon as this is turned on
> we seem to lose the ability to log the exact error code returned by ntlm_auth, and
> this is actually one of the more critical log messages we need to detect locked
> accounts.
>
> With send_error=yes the flow out of the inner tunnel after a bad ntlm auth is as follows:
...
> ... and there seems to be pretty much no toehold by which to get an unlang statement
> into that to store or log MSCHAP-Error or Module-Failure-Message.
Just put a statement into the eduroam_idpi_inner virtual server. You will need to to catch the "handled" return code from the EAP module. That code says to stop processing the section, and retune.
So..
server eduroam_idpi_inner {
...
authenticate {
...
Auth-Type EAP {
eap {
handled = 1 # don't return right away
}
if (reply:MS-CHAP-Error) {
# do logging of MS-CHAP-Error
}
handled # which is what EAP tried to return above.
}
}
> The second thing is that, since the failure seems to promulgate down to the EAP layer in
> a different fashion (a new challenge seems to always be issued and the failure delayed
> until later packets, even when retries are not allowed) the normal logs get filled with
> the usual "The users session was previously rejected" stanza, which in this particular
> case is not very helpful since there's not much to read above them (and it's a lot of syslog
> bulk for a common logon failure.)
That message was changed to be a debug-only message. It's available now in the v3.0.x branch in git, or wait for 3.0.1..
> The third thing is, while looking further into this I noticed the current code for dealing
> with locked accounts appears to be entirely based off SMB-Account-CTRL, which does not
> seem to exist when authing against an actual AD server rather than a local Samba setup.
OK.
> For password changes there is code to use the text returned from ntlm_auth instead, but locked
> or disabled accounts just end up sending 691/"Authentication failed" instead
> of the actual error. So I quick-hacked the C code to pass on the code/message for
> locks and disables.
Do you have a patch?
> Second question: is there any particular reason why the code is the way it is, or is
> it just a not-implemented-yet situation?
Not done yet.
As always, patches are welcome.
Alan DeKok.
More information about the Freeradius-Users
mailing list