Andy, 

You may want to try and set it in inner-tunnel's post-auth section:

if (Module-Failure-Message) {
        update outer.reply  {
                Module-Failure-Message := "%{Module-Failure-Message}"
        }
}

That way the response is copied to the outer reply.

With Regards

Stefan


-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:47
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

Ok, so the other questions stand, but an update to say the problem is the 
variable is not coming back to the default VS from the inner tunnel which I 
didn't at first spot. I had this problem recently and couldn't work it out: 
how do we copy control attributes from the inner tunnel to the outer in PEAP, or 
is it not possible?
Thanks
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer
Sent: 07 June 2013 13:15
To: FreeRadius users mailing list
Subject: RE: module-failure-message in exec module

Hi,
  Ok so I've played about and can get a decent failure reply from a script 
based solution. 
Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would like to 
get a response when a failure occurs from them, but it seems that 
Failure-Response-Message from the mschap isn't filled out. I've done a test 
like:
authenticate {
..
        Auth-Type MS-CHAP {
                mschap
                if (ok) {
                        #
                }
                else {
                        if (Module-Failure-Message) {
                                update reply {
                                        reply-message += "Failed NTLM auth"
                                }
                                reject
                        }
                }
        }
}
But the section never gets parsed - it goes straight to Post_auth reject based 
on the mschap module itself returning code 1. So I put this in the post_auth 
reject section:
if (Module-Failure-Message) {
        update reply {
                reply-message := "%{Module-Failure-Message}"
        }
}
But Module-Failure-Message is empty:

++? if (Module-Failure-Message)
? Evaluating (Module-Failure-Message) -> FALSE
++? if (Module-Failure-Message) -> FALSE

Am I doing something wrong?
I also wondered if I could do something like use the mschap module with a 
custom script, returning NT_KEY or a failure string, but then I've no way to 
return the failure string because I assume the mschap module doesn't let you 
populate variables based on the output like exec does - there's no way of 
specifying output or input pairs for example.
I could ditch the mschap module completely, but then am not sure how I would 
get all the mschap variables into a script and translate the NT_KEY back. It 
seems a bit OTT just to get a failure response written to the linelog/sql.
Any ideas?
Thanks
Andy

-----Original Message-----
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Phil Mayers
Sent: 06 June 2013 17:48
To: freeradius-users@lists.freeradius.org
Subject: Re: module-failure-message in exec module

On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote:
> Questions are - does the exec module return to the 
> Module-Failure-Message variable or another I can use, and why doesn't

No, sorry. "mschap" does when it does the internal "exec", but the "exec" 
module does not. You might be able to emulate this by wrapping your script and 
echoing the VPs on stdout.

> it process the subsection of the auth-type section on failure?
>

That's the default return codes - see doc/configurable_failover{,.rst}


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
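
One way to do the wrapping Phil describes ("wrapping your script and echoing the VPs on stdout"), as an added example that is not code from the thread or from the FreeRADIUS project. It assumes the exec instance has wait = yes and output_pairs = reply; the function names, FAIL_ATTR and the choice of Reply-Message are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the exec instance is set up
# with wait = yes and output_pairs = reply, so stdout is parsed as pairs.
FAIL_ATTR=${FAIL_ATTR:-Reply-Message}   # attribute choice is an assumption

# Reduce arbitrary text to one safe quoted-string body. The reason may carry
# user-controlled data (a username, say); a raw quote or newline in it would
# let that data add attributes of its own to the parsed output.
# Truncation happens before escaping so an escape sequence is never split,
# and keeps the value under the 253-octet limit of a RADIUS string attribute.
sanitize_msg() {
    printf '%s' "$1" \
        | LC_ALL=C tr '\n\r\t' '   ' \
        | LC_ALL=C tr -d '\000-\037\177' \
        | LC_ALL=C cut -c1-200 \
        | LC_ALL=C sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

emit_failure() {
    printf '%s = "%s"\n' "$FAIL_ATTR" "$(sanitize_msg "$1")"
}

# Run the real check. On success its stdout passes through untouched; on
# failure its last stdout line becomes the reason and the exit status is
# preserved, so the module's return code does not change.
run_wrapped() {
    out=$("$@") && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        [ -z "$out" ] || printf '%s\n' "$out"
    else
        reason=$(printf '%s\n' "$out" | tail -n 1)
        emit_failure "${reason:-helper exited with status $rc}"
    fi
    return "$rc"
}

# Used as the exec program: wrapper.sh /path/to/real-check args...
[ "$#" -eq 0 ] || { run_wrapped "$@"; exit $?; }
```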