wrong password failures not logged

Alan DeKok aland at deployingradius.com
Thu Mar 31 22:49:24 CEST 2016


On Mar 31, 2016, at 12:10 PM, Stefano Zanmarchi <zanmarchi at gmail.com> wrote:
> I should have put my question in a more explicit but maybe less polite way.
> Let me do it now.

  Technical content is what we're looking for.

> Having read the debugging output, and having performed the same test with
> freeradius 2 and freeradius 3, I have come to the conclusion that
> freeradius 3 detects mschap failures but does not always log the event,
> whereas freeradius 2 does. Why that?

  Arran's response explains this.  But also.. you can run the server in debug mode to see what it does in v2, and what it does in v3.  Compare them to see the differences.

> Not having the failure event logged anymore is quite a nuisance because
> when a user complains that the network isn't working I can't easily see
> from the logs that it's just him typing the wrong password.

  I understand.

> It'd be very useful if freeradius could log the "mschap: ERROR:
> MS-CHAP2-Response is incorrect" in the logs even when not run in debug mode.

  It should generally log the failure of an inner-tunnel authentication.  If it doesn't, that's probably an issue.

  Alan DeKok.




More information about the Freeradius-Users mailing list