On 19/05/2011 21:00, Garber, Neal wrote:
I found a similar user in an old thread who submitted a patch:
(http://freeradius.1045715.n5.nabble.com/Capturing-ntlm-auth-failure-reasons-in-rlm-mschap-td2791760.html)
And it appears that this patch made it into the rlm_mschap.c module code:
I submitted that patch and it was included in FR v1. Unfortunately,
a change in v2 regressed this functionality. In v2, there's now an additional
round trip, so the ntlm_auth results need to be saved - they
are saved, in the current version, for success; but, not for failure.
I submitted another patch for v2 last year that saves the ntlm_auth
results for failures as well; but, it required rework (Alan wanted it
split into two separate patches) and I haven't had a chance to rework
it yet. Other, really nice mschap patches have been submitted
since then (thank you Phil), so the rework, for me, is now a bit more.
Note that needing the results saved is probably because you want to do
something with the information in post-auth.
John, if you just want to log the information you can do something like
[in the inner-tunnel file]:
    authenticate {
        Auth-Type MS-CHAP {
            mschap {
                reject = 1
            }
            if (reject) {
                linelog
                reject
            }
        }
        ...
    }
The linelog module (or any other module you want to use e.g. SQL) can log
to a file or syslog or something else at this point. The information you
want will be in the %{Module-Failure-Message} and %{reply:MS-CHAP-Error}
attributes.
We use linelog extensively to syslog to a file and then have a webpage
that does the equivalent of tail the file and refresh routinely - very
easy for the help desk staff to see what is going on without needing to
ssh to anything.
-James
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
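
Added example (not part of the original message, and not FreeRADIUS code): a small Python parser that turns the reject lines written by the linelog step above into per-user failure reasons for a help-desk view. It assumes a hypothetical linelog format of `user=%{User-Name} msg=%{Module-Failure-Message} err=%{reply:MS-CHAP-Error}`; the sample lines are constructed, and the `E=` codes are those defined in RFC 2759.

```python
import re
from collections import Counter, defaultdict

# MS-CHAP-V2 failure codes defined in RFC 2759 (the "E=" field of the failure packet).
MSCHAP_ERRORS = {
    646: "restricted logon hours",
    647: "account disabled",
    648: "password expired",
    649: "no dial-in permission",
    691: "authentication failure",
    709: "error changing password",
}

# Assumed line layout, constructed for this example (not a FreeRADIUS default).
LINE_RE = re.compile(r"user=(?P<user>\S+)\s+msg=(?P<msg>.*?)\s+err=(?P<err>.*)$")
# The attribute value may carry a leading ident byte, so search for E= anywhere.
CODE_RE = re.compile(r"E=(\d+)")

def parse_reject(line):
    """Return a dict for one reject line, or None if the line does not match."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    code = CODE_RE.search(m["err"])
    num = int(code.group(1)) if code else None
    reason = MSCHAP_ERRORS.get(num, "unknown code") if code else "no MS-CHAP-Error"
    return {"user": m["user"], "message": m["msg"], "code": num, "reason": reason}

def summarize(lines):
    """Count failure reasons per user, skipping lines that do not parse."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_reject(line)
        if rec:
            summary[rec["user"]][rec["reason"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}

SAMPLE = [  # constructed sample lines
    "May 19 21:04:11 radius1 radiusd: user=alice msg=Logon failure (0xc000006d) err=E=691 R=1",
    "May 19 21:04:40 radius1 radiusd: user=alice msg=Logon failure (0xc000006d) err=E=691 R=1",
    "May 19 21:05:02 radius1 radiusd: user=bob msg=Password expired err=E=648 R=0",
    "May 19 21:05:30 radius1 radiusd: user=carol msg=No response from helper err=",
    "May 19 21:06:00 radius1 radiusd: Ready to process requests.",
]

if __name__ == "__main__":
    for user, reasons in sorted(summarize(SAMPLE).items()):
        print(user, reasons)
```

Repeated "authentication failure" counts for one user, or the same reason across many users in a short window, are the patterns worth surfacing on the help-desk page.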