How to retain Module-Failure-Message from inner-tunnel when using PEAP
Alan DeKok
aland at deployingradius.com
Fri Jan 4 20:06:34 CET 2019
On Jan 3, 2019, at 9:36 AM, Peter Steadman <psteadman at warwickshire.ac.uk> wrote:
>
> Hello
> I am struggling to extract the inner-tunnel reject message to linelog and
> should be grateful for some help please.
> Instead of getting;
>
> Module-Failure-Message := "Rejected: User-Name contains whitespace"
>
> the cached message it is being replaced in the final eap exchange by;
>
> The users session was previously rejected: returning reject (again.)
>
> I did find this post;
> http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.html
> which is exactly my issue helpfully with a solution, but unfortunately I
> seem to be struggling to apply the solution.
OK...
> - in inner-tunnel, post-auth-type Reject, do:
>
> update outer.session-state {
> Module-Failure-Message := &request:Module-Failure-Message
> }
That copies the inner Module-Failure-Message attribute to the outer session-state list.
> This seems to work ok but when I try applying the second part;
>
> And then in the “default” virtual server, post-auth section, you can use:
>
> %{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}
>
> I just get the error "Missing attribute value" when trying to start the
> server which leads me to suspect that I am not putting this in right place
> or formatting it incorrectly.
You can't just put random strings into the config and expect them to work.
> Could someone please give me an example of this
> "%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
> in the context of the post-auth section.
You can't put a string expansion into the post-auth section. You MUST assign the string expansion to an attribute, OR just use the string expansion in an existing string...
i.e. edit the linelog module config. You will see that the "messages" section contain string expansions like %{User-Name}. You can then put the Module-Failure-Message expansion there.
And please also read "man unlang" to see the format of the configuration files, and how the string expansions work. This is all documented.
Alan DEKok.
More information about the Freeradius-Users
mailing list