Auth-Failure-Trigger

This attribute specifies an external program or a Scheme expression to be run upon an authentication failure. The handling of this attribute depends upon its value:
If the value of Auth-Failure-Trigger begins with ‘/’, it
is taken to contain a command line for invoking an external
program. In this case radiusd invokes the program in much the
same way as it does when handling the Exec-Program attribute: the
program is invoked with standard input closed, its standard output and
standard error are captured and redirected to the
radlog/radius.stderr file, and the return value of the
program is ignored.
If the value of Auth-Failure-Trigger begins with ‘(’, it
is executed as a Scheme expression. The return value of the
expression is ignored.
This attribute is designed as a means to provide special handling for authentication failures. It can be used, for example, to increase failure counters and to block accounts after a specified number of authentication failures occur. See Controlling Authentication Probes, for a detailed discussion of its usage.
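
One way to write the external program for the failure-counter use mentioned above; this is an added example, not part of GNU Radius or its manual. It assumes the user name reaches the program as its first command-line argument, and the state directory and threshold are hypothetical values. Enforcing the block is left to the server configuration.

```python
#!/usr/bin/env python3
"""Failure counter meant to be run from Auth-Failure-Trigger (added example)."""
import fcntl
import hashlib
import os
import sys

STATE_DIR = "/var/lib/radius-authfail"  # hypothetical location
MAX_FAILURES = 5                        # hypothetical threshold


def record_failure(user, state_dir=STATE_DIR, limit=MAX_FAILURES):
    """Increment the stored counter for `user`; return (count, blocked)."""
    # The user name comes from the request and is untrusted, so it is
    # hashed rather than used as a path component (no '../' traversal).
    key = hashlib.sha256(user.encode("utf-8", "surrogateescape")).hexdigest()
    os.makedirs(state_dir, mode=0o700, exist_ok=True)
    fd = os.open(os.path.join(state_dir, key), os.O_RDWR | os.O_CREAT, 0o600)
    with os.fdopen(fd, "r+") as f:
        fcntl.flock(f, fcntl.LOCK_EX)  # several triggers may run at once
        text = f.read().strip()
        count = (int(text) if text.isdecimal() else 0) + 1
        f.seek(0)
        f.truncate()
        f.write(str(count))
    return count, count >= limit


def main(argv):
    # Standard input is closed and the exit status is ignored, so the only
    # channel for diagnostics is stderr, which ends up in radius.stderr.
    if len(argv) != 2 or not argv[1]:
        print("usage: authfail USER", file=sys.stderr)
        return
    try:
        count, blocked = record_failure(argv[1])
    except OSError as exc:
        print(f"authfail: {exc}", file=sys.stderr)
        return
    if blocked:
        # repr() keeps control characters in the name out of the log file.
        print(f"authfail: {argv[1]!r} reached {count} failures", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```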