wrong password failures not logged

[Stefano Zanmarchi]

Thank you very much for the tip, it's working fine.
Module-Failure-Message does the job, "mschap: MS-CHAP2-Response is
incorrect" gets now logged.
Just in case someone faces the same problem:

In the inner-tunnel:

Auth-Type EAP {
 eap {
 handled = 1
}
if (Module-Failure-Message) {
 eap_problem
}
  handled
}

With  eap_problem defined at the end of .../mods-enabled/linelog:
linelog eap_problem {
        filename = syslog
        syslog_facility = daemon
        format = "EAP problem, (%{Module-Failure-Message}) [%{User-Name}]
(from %{client:shortname} cli %{Calling-Station-Id})"
}





On Thu, Mar 31, 2016 at 10:49 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Mar 31, 2016, at 12:10 PM, Stefano Zanmarchi <zanmarchi at gmail.com>
> wrote:
> > I should have put my question in a more explicit but maybe less polite
> way.
> > Let me do it now.
>
>   Technical content is what we're looking for.
>
> > Having read the debugging output, and having performed the same test with
> > freeradius 2 and freeradius 3, I have come to the conclusion that
> > freeradius 3 detects mschap failures but does not always log the event,
> > whereas freeradius 2 does. Why that?
>
>   Arran's response explains this.  But also.. you can run the server in
> debug mode to see what it does in v2, and what it does in v3.  Compare them
> to see the differences.
>
> > Not having the failure event logged anymore is quite a nuisance because
> > when a user complains that the network isn't working I can't easily see
> > from the logs that it's just him typing the wrong password.
>
>   I understand.
>
> > It'd be very useful if freeradius could log the "mschap: ERROR:
> > MS-CHAP2-Response is incorrect" in the logs even when not run in debug
> mode.
>
>   It should generally log the failure of an inner-tunnel authentication.
> If it doesn't, that's probably an issue.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>