How to retain Module-Failure-Message from inner-tunnel when using PEAP

How to retain Module-Failure-Message from inner-tunnel when using PEAP

Peter Steadman
Hello
I am struggling to extract the inner-tunnel reject message to linelog and
should be grateful for some help please.
Instead of getting;

  Module-Failure-Message := "Rejected: User-Name contains whitespace"

the cached message is being replaced in the final EAP exchange by;

 The users session was previously rejected: returning reject (again.)

I did find this post;
http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.html
 which is exactly my issue helpfully with a solution, but unfortunately I
seem to be struggling to apply the solution.

 - in inner-tunnel, post-auth-type Reject, do:

update outer.session-state {
Module-Failure-Message := &request:Module-Failure-Message
}


This seems to work ok but when I try applying the second part;

  And then in the “default” virtual server, post-auth section, you can use:

%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}

I just get the error "Missing attribute value" when trying to start the
server, which leads me to suspect that I am not putting this in the right place
or formatting it incorrectly.
Could someone please give me an example of this
"%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
in the context of the post-auth section.
many thanks
Pete

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to retain Module-Failure-Message from inner-tunnel when using PEAP

Alan Buxey
hi,

what version is your server?  often you will get or read suggestions that
would be for the later version...or sometimes hideously old advice that
only worked on a v2.x box! ;-)

alan

On Thu, 3 Jan 2019 at 14:37, Peter Steadman <[hidden email]>
wrote:

> Hello
> I am struggling to extract the inner-tunnel reject message to linelog and
> should be grateful for some help please.
> Instead of getting;
>
>   Module-Failure-Message := "Rejected: User-Name contains whitespace"
>
> the cached message is being replaced in the final EAP exchange by;
>
>  The users session was previously rejected: returning reject (again.)
>
> I did find this post;
>
> http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.html
>  which is exactly my issue helpfully with a solution, but unfortunately I
> seem to be struggling to apply the solution.
>
>  - in inner-tunnel, post-auth-type Reject, do:
>
> update outer.session-state {
> Module-Failure-Message := &request:Module-Failure-Message
> }
>
>
> This seems to work ok but when I try applying the second part;
>
>   And then in the “default” virtual server, post-auth section, you can use:
>
> %{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}
>
> I just get the error "Missing attribute value" when trying to start the
> server, which leads me to suspect that I am not putting this in the right place
> or formatting it incorrectly.
> Could someone please give me an example of this
> "%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
> in the context of the post-auth section.
> many thanks
> Pete

Re: How to retain Module-Failure-Message from inner-tunnel when using PEAP

Peter Steadman
Hi Alan
FreeRADIUS Version 3.0.17
I think it is more about my lack of understanding.........I am working on
it but really struggling with this problem!
I understand what is going wrong just struggling to fix it.
regards
Pete

On Thu, 3 Jan 2019 at 15:04, Alan Buxey <[hidden email]> wrote:

> hi,
>
> what version is your server?  often you will get or read suggestions that
> would be for the later version...or sometimes hideously old advice that
> only worked on a v2.x box! ;-)
>
> alan



--

Peter Steadman
IT Services
Warwickshire Colleges
(01926) 319027

[hidden email]
http://www.warwickshire.ac.uk/


Re: How to retain Module-Failure-Message from inner-tunnel when using PEAP

Alan DeKok-2
In reply to this post by Peter Steadman
On Jan 3, 2019, at 9:36 AM, Peter Steadman <[hidden email]> wrote:

>
> Hello
> I am struggling to extract the inner-tunnel reject message to linelog and
> should be grateful for some help please.
> Instead of getting;
>
>  Module-Failure-Message := "Rejected: User-Name contains whitespace"
>
> the cached message is being replaced in the final EAP exchange by;
>
> The users session was previously rejected: returning reject (again.)
>
> I did find this post;
> http://lists.freeradius.org/pipermail/freeradius-users/2014-December/074957.html
> which is exactly my issue helpfully with a solution, but unfortunately I
> seem to be struggling to apply the solution.

  OK...

> - in inner-tunnel, post-auth-type Reject, do:
>
> update outer.session-state {
> Module-Failure-Message := &request:Module-Failure-Message
> }

  That copies the inner Module-Failure-Message attribute to the outer session-state list.

> This seems to work ok but when I try applying the second part;
>
>  And then in the “default” virtual server, post-auth section, you can use:
>
> %{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}
>
> I just get the error "Missing attribute value" when trying to start the
> server, which leads me to suspect that I am not putting this in the right place
> or formatting it incorrectly.

  You can't just put random strings into the config and expect them to work.

> Could someone please give me an example of this
> "%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
> in the context of the post-auth section.

  You can't put a string expansion into the post-auth section.  You MUST assign the string expansion to an attribute, OR just use the string expansion in an existing string...

  i.e. edit the linelog module config.  You will see that the "messages" section contains string expansions like %{User-Name}.  You can then put the Module-Failure-Message expansion there.

  And please also read "man unlang" to see the format of the configuration files, and how the string expansions work.  This is all documented.

  Alan DeKok.
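
The two options described in the reply above, written out as an added configuration sketch (not part of the original thread and not FreeRADIUS's shipped config). It assumes the stock 3.0.x raddb layout, that `linelog` is listed in the outer Post-Auth-Type REJECT section, and uses `Tmp-String-0` as an arbitrary holding attribute.

```conf
# raddb/sites-available/inner-tunnel
post-auth {
	Post-Auth-Type REJECT {
		# Copy the inner failure reason to the outer session-state list
		# so it survives into the final (outer) EAP exchange.
		update outer.session-state {
			Module-Failure-Message := &request:Module-Failure-Message
		}
	}
}

# raddb/mods-available/linelog
linelog {
	filename = ${logdir}/linelog
	reference = "messages.%{%{reply:Packet-Type}:-default}"
	messages {
		default = "Unknown packet type %{Packet-Type}"
		Access-Accept = "Accepted user: %{User-Name}"
		# Option 1: the expansion sits inside an existing string.
		# Prefer the cached inner message, fall back to the outer one.
		Access-Reject = "Rejected user: %{User-Name}: %{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
	}
}

# raddb/sites-available/default
post-auth {
	Post-Auth-Type REJECT {
		# Option 2: assign the expansion to an attribute. A bare
		# "%{...}" line here is what triggers "Missing attribute value".
		# With this option, reference %{Tmp-String-0} in the linelog
		# message instead of the nested expansion above.
		update request {
			&Tmp-String-0 := "%{%{session-state:Module-Failure-Message}:-%{Module-Failure-Message}}"
		}
		linelog
	}
}
```

Running the server with `radiusd -X` after the change shows whether the session-state copy is present when the outer reject is logged.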


