How to retain Module-Failure-Message from inner-tunnel when using PEAP

Peter Steadman psteadman at
Thu Jan 3 15:36:49 CET 2019

I am struggling to extract the inner-tunnel reject message to linelog and
should be grateful for some help please.
Instead of getting;

  Module-Failure-Message := "Rejected: User-Name contains whitespace"

the cached message it is being replaced in the final eap exchange by;

 The users session was previously rejected: returning reject (again.)

I did find this post;
 which is exactly my issue helpfully with a solution, but unfortunately I
seem to be struggling to apply the solution.

 - in inner-tunnel, post-auth-type Reject, do:

update outer.session-state {
Module-Failure-Message := &request:Module-Failure-Message

This seems to work ok but when I try applying the second part;

  And then in the “default” virtual server, post-auth section, you can use:


I just get the error "Missing attribute value" when trying to start the
server which leads me to suspect that I am not putting this in right place
or formatting it incorrectly.
Could someone please give me an example of this
in the context of the post-auth section.
many thanks



College Email 

This message and any files transmitted with it is intended for 
the addressee only and may contain information that is confidential or 

Unauthorised use is strictly prohibited and may be unlawful. 
If you are not the addressee, you should not read, copy, disclose or 
otherwise use this message, otherwise than to notify the College via 
postmaster at <mailto:postmaster at>. You should 
delete this message and any files transmitted with it from your computer 
and destroy any copies made. 

Warwickshire College gives no warranty or 
representation as to the accuracy or reliability of the message and files 
and does not necessarily endorse any opinions expressed within it.

More information about the Freeradius-Users mailing list