
14.3.3 Auth-Failure-Trigger

This attribute specifies an external program or a Scheme expression to be run upon an authentication failure. The handling of this attribute depends upon its value:

If the value of Auth-Failure-Trigger begins with `/', it is taken to contain a command line for invoking an external program. In this case radiusd invokes the program in much the same way as it does when handling the Exec-Program attribute: the program is invoked with its standard input closed, its standard output and standard error are captured and redirected to the `radlog/radius.stderr' file, and the return value of the program is ignored.

If the value of Auth-Failure-Trigger begins with `(', it is executed as a Scheme expression. The return value of the expression is ignored.

This attribute is designed as a means to provide special handling for authentication failures. It can be used, for example, to increase failure counters and to block accounts after a specified number of authentication failures occur. See section 7.10 Controlling Authentication Probes, for a detailed discussion of its usage.
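The following sketch shows what an external failure-counter program of this kind could look like. It is an added example, not code from the GNU Radius distribution. It assumes that the command line in Auth-Failure-Trigger passes the user name as the first argument; the state directory, the threshold and the `.locked' marker convention are hypothetical.

```shell
#!/bin/sh
# Added example: failure counter meant to be run via Auth-Failure-Trigger.
# Assumptions (not from the manual): user name arrives as $1; STATE_DIR,
# MAX_FAILURES and the ".locked" marker file are hypothetical conventions.
STATE_DIR=${STATE_DIR:-/var/lib/radius-authfail}
MAX_FAILURES=${MAX_FAILURES:-5}

# safe_name USER: print USER if it is usable as a file name, else fail.
# The user name comes from the network, so anything that could leave
# STATE_DIR (empty, leading dot, '/', shell or control characters) is refused.
safe_name() {
    case $1 in
        ''|.*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    printf '%s\n' "$1"
}

# record_failure USER: increment USER's counter and print the new count.
# Creates USER.locked once the count reaches MAX_FAILURES; whatever enforces
# the block must check for that marker (outside the scope of this sketch).
# No locking is done: simultaneous failures for one user may undercount.
record_failure() {
    key=$(safe_name "$1") || { echo "authfail: rejected user name" >&2; return 1; }
    mkdir -p "$STATE_DIR" || return 1
    file=$STATE_DIR/$key.count
    count=0
    if [ -r "$file" ]; then read -r count < "$file" || count=0; fi
    case $count in ''|*[!0-9]*) count=0 ;; esac   # ignore a corrupted counter
    count=$((count + 1))
    # Write to a temporary file and rename, so a reader never sees a partial file.
    printf '%s\n' "$count" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file" || return 1
    if [ "$count" -ge "$MAX_FAILURES" ]; then
        : > "$STATE_DIR/$key.locked"
        echo "authfail: $key locked after $count failures" >&2
    fi
    printf '%s\n' "$count"
}

# radiusd ignores the exit status and sends stdout/stderr to radius.stderr,
# so only the diagnostics on stderr are left visible; the count is discarded.
if [ $# -gt 0 ]; then
    record_failure "$1" >/dev/null || :
fi
```

Because the program's output ends up in `radlog/radius.stderr', the diagnostic lines it writes there give a record of rejected names and lockouts.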

<FIXME> There is no corresponding Auth-Success-Trigger... Exec-Program or Scheme-Procedure may be used for the purpose, the latter, however, is not able to execute s-exps. At the time of this writing the release 1.3 is being prepared, so I do not want to introduce any possibly destabilizing changes. This will be fixed in future releases. </>



This document was generated by Sergey Poznyakoff on November, 20 2004 using texi2html