Need info about Reply-Message configuration in Access-Reject

Joe Maimon jmaimon at ttec.com
Wed Nov 23 13:59:25 CET 2005



Vishwanath Srikant Pattanshetti wrote:

> Hi all
> 
>  
> 
> Following is my setup:
> 
> I have a FreeRADIUS server (1.0.4) on a solaris machine.
> 
> My clients and users information are stored in Oracle database.
> 
>  
> 
> If an Access-request is rejected, it can be for two reasons:
> 
>    1. Wrong password.
>    2. User does not exist in RADIUS server database.
> 
> I want to send appropriate messages in Access-Reject packets, to the 
> client.
> 
> Can someone tell me how I can configure a Reply-Message for an 
> Access-Reject packet?


If in your users file you set the reply message, it will be returned 
even if the user did not authenticate correctly.


> 
> I tried putting Reply-Message along with other reply items for a user, 
> but this configures Reply-Message
> 
> only for Access-Accept message.
> 
>

Use fall-through, or a DEFAULT at the bottom of the users file.

Don't know offhand how you will be able to tell the differences in why 
the reject happened. Not sure you would want to -- it could be helpful 
for those attempting to brute force your system.

Please consider this FAQ entry before you spend more time and effort on 
the Reply-Message attribute:

http://www.freeradius.org/faq/#5.1

> 
> Also when the user does not exist in the database, is there a way I can 
> add appropriate message using
> 
> Reply-Item to the Access-Reject packet? Or is it not possible with 
> current FreeRADIUS?
> 


Modify the sql string to return either the users attributes or the 
reply-message attribute.

>  
> 
> In addition to the above I need to setup an external RADIUS server to 
> which I need to proxy Access-Requests.
> 
> If such an external RADIUS server is down when an Access-Request is 
> proxied to it, then my primary RADIUS server
> 
> would need to generate an Access-Reject packet (after retries). Is there a 
> way I can specify a Reply-Item in any such 

Yes, you can match on the realm.

The question becomes how do you ensure the reply-messages aren't sent 
when the login is successful.

> 
> Access-Reject packet?? Or is it not possible with current implementation 
> of FreeRADIUS.
> 
>  
> 
> Any quick help would be of great help
> 
>  

You're probably wasting your time with the Reply-Message attribute; it's 
mostly useful for debugging.

> 
> Thanks in advance.
> 
> Regards.
> 
> -Vishwa.
> 
>  
> 
> 
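A constructed FreeRADIUS 1.x users-file fragment illustrating the fall-through and DEFAULT approach described in the reply above. It is added here as an example and is not from the list post or the FreeRADIUS project; the username `vishwa`, the reply items and the message text are placeholders, and it assumes the behaviour stated above that a Reply-Message set in the users file is kept in the Access-Reject.

```text
# users file (FreeRADIUS 1.x syntax) -- constructed example, not the poster's configuration.
#
# Per-user entry: check items (if any) go on the first line, reply items on the
# indented continuation lines. "vishwa" is a placeholder username.
# Fall-Through = Yes lets processing continue to the entries below instead of
# stopping at the first match.
vishwa
        Framed-Protocol = PPP,
        Fall-Through = Yes

# Catch-all entry at the bottom of the file. It matches every request that
# reaches it, including unknown users, so the same Reply-Message is attached
# whether the reject is caused by a wrong password or a missing account.
# Keeping the text identical for both cases avoids telling a brute-forcing
# client which usernames exist.
DEFAULT
        Reply-Message = "Login failed. Contact the helpdesk if the problem persists."
```

Because rlm_files adds the reply items before authentication runs, this DEFAULT entry also attaches the message to Access-Accept packets for successful logins, which is the problem the reply above points out; the message text is therefore worded so that it is harmless if it reaches a user who logged in correctly.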
