wrong password failures not logged

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Mar 31 19:38:32 CEST 2016


> On 31 Mar 2016, at 10:10, Stefano Zanmarchi <zanmarchi at gmail.com> wrote:
> 
> Hello Alan,
> I should have put my question in a more explicit but maybe less polite way.
> Let me do it now.
> Having read the debugging output, and having performed the same test with
> freeradius 2 and freeradius 3, I have come to the conclusion that
> freeradius 3 detects mschap failures but does not always log the event,
> whereas freeradius 2 does. Why that?

Because that is not a global error.

FreeRADIUS 3 only logs global errors to its main log.  Much of the code has been cleaned up to properly categorise errors, which is why you may no longer see some request specific errors that appeared in the global log of FreeRADIUS 2.

During request processing FreeRADIUS 3 creates a 'stack' of errors that occurred.  This stack is created by adding multiple instances of the Module-Failure-Message attribute to the request list.

Every time an REDEBUG* or RERROR macro is called in the code a new instance of the Module-Failure-Message attribute is created.  If you see the error in the debug output, it will be available on the error stack.

Request errors may be concatenated using the %{Module-Failure-Message[*]} expansion, which can be added either to a rlm_linelog instance or the auth success/failure messages in radiusd.conf.

This is significantly more flexible and useful than dumping everything uncategorised to the global log.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
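
A configuration sketch of the two places named in the message above where the expansion can go, added here as an example; it is not part of the original message or the project's shipped configuration. It assumes the stock FreeRADIUS 3.0 file layout, and the instance name `auth_failures` and its log file name are hypothetical.

```conf
# --- radiusd.conf: auth failure message in the main log --------------
# Assumes auth logging is wanted in the main log; msg_badpass is
# appended to the "Login incorrect" line for each rejected request.
log {
	destination = files
	file = ${logdir}/radius.log
	auth = yes
	msg_badpass = "errors: %{Module-Failure-Message[*]}"
}

# --- mods-available/linelog (symlinked into mods-enabled) ------------
# A dedicated rlm_linelog instance. "auth_failures" and the file name
# are hypothetical names chosen for this example.
linelog auth_failures {
	filename = ${logdir}/auth_failures.log
	# %S is the request timestamp; Module-Failure-Message[*] expands
	# to every entry on the request's error stack.
	format = "%S user=%{User-Name} client=%{Packet-Src-IP-Address} errors=%{Module-Failure-Message[*]}"
}

# --- sites-enabled/default: run the instance on rejects only ---------
post-auth {
	Post-Auth-Type REJECT {
		auth_failures
	}
}
```

Keeping the per-request errors in their own file gives a log that can be shipped to a SIEM or watched for repeated failures per user or client without parsing the server's global log.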
