Logging mschap error when send_error=yes
Brian Julin
BJulin at clarku.edu
Mon Nov 2 20:15:39 CET 2015
Alan DeKok wrote:
> Just put a statement into the eduroam_idpi_inner virtual server. You will
> need to catch the "handled" return code from the EAP module. That code
> says to stop processing the section, and return.
>
> So..
>
> server eduroam_idpi_inner {
>     ...
>     authenticate {
>         ...
>
>         Auth-Type EAP {
>             eap {
>                 handled = 1 # don't return right away
>             }
>
>             if (reply:MS-CHAP-Error) {
>                 # do logging of MS-CHAP-Error
>             }
>
>             handled # which is what EAP tried to return above.
>         }
>
>     }
> }
That worked splendidly, thank you. Though it turned out the attribute
populated was request:Module-Failure-Message.
> > For password changes there is code to use the text returned from ntlm_auth
> > instead, but locked or disabled accounts just end up sending
> > 691/"Authentication failed" instead of the actual error. So I quick-hacked
> > the C code to pass on the code/message for locks and disables.
>
> Do you have a patch?
The next time I do a pull I'll try to clean what I have up into something presentable.
Thanks again.
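
The setup discussed in this message, written out as an added example that is not part of the original post or of the FreeRADIUS project's shipped configuration. It assumes FreeRADIUS v3 syntax and a hypothetical linelog instance named log_mschap_failure (file name and log format are constructed), and it tests request:Module-Failure-Message, the attribute the reply above reports was actually populated.

```unlang
# Module configuration: a dedicated linelog instance.
# The instance name, file name and format are assumptions for illustration.
linelog log_mschap_failure {
    filename = ${logdir}/mschap_failure.log
    permissions = 0600
    format = "%S user=%{User-Name} msg=%{Module-Failure-Message}"
}

# Inner-tunnel virtual server named in the thread.
server eduroam_idpi_inner {
    ...
    authenticate {
        ...
        Auth-Type EAP {
            eap {
                # Lower the priority of "handled" so processing
                # continues past the EAP module instead of returning.
                handled = 1
            }

            # Attribute reported in the reply as the one that is set.
            if (&request:Module-Failure-Message) {
                log_mschap_failure {
                    # Assumption: give linelog's "ok" a plain priority so
                    # it cannot end the section with "ok" before the
                    # explicit "handled" below is reached.
                    ok = 1
                }
            }

            # Return what the EAP module originally tried to return.
            handled
        }
    }
}
```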