DEFAULT access-reject Reply-Message
Garber, Neal
Neal.Garber at energyeast.com
Fri Dec 1 16:39:38 CET 2006
> How can I add default Reply-Message to the situation where
> Access-Reject was sent because of incorrect password?
> I looked at the user's file but it seems that I have no way to
> determine if access-accept or reject was sent... it only has example how
> to send the message to a reject group.
If you're using LDAP, it already creates a Module-Failure-Message
request attribute upon failure. Also, I submitted bug 398 which Alan
incorporated into CVS head to provide the same functionality for MS-CHAP
(I assume this will be in FR 1.1.4). You could execute a Perl script in
a reject section of post_auth that looks for this request attribute and,
if found, sets the Reply-Message reply attribute. If you're using a
different authentication method, it may be possible to change the code
to accomplish what you want. As someone else pointed out, it's not a
good idea to tell someone they entered the wrong password as it makes
brute-force password attacks easier (because you're telling them the
userid is valid). I believe ntlm_auth gives a generic (invalid userid
or password) response to a bad password. If the response you see is too
specific, you may want to obfuscate it.
Here's an example of what you would put in radiusd.conf (this assumes
you have a sub in your perl script called post_auth_reject):
modules {
    .
    .
    .
    perl set_reject_message {
        module = /usr/local/etc/raddb/set_reject_message.pl
        func_post_auth = post_auth_reject
    }
    .
    .
    .
}
.
.
.
post-auth {
    Post-Auth-Type REJECT {
        set_reject_message
    }
}
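An added example of what the referenced set_reject_message.pl could contain (this is not from the original post; it assumes rlm_perl's %RAD_REQUEST/%RAD_REPLY hashes, its radiusd::radlog function, and the return-code values from rlm_perl's example.pl). It replaces the module-specific failure reason with one generic Reply-Message, as the post recommends, while keeping the specific reason in the server log:

```perl
# set_reject_message.pl - added example, not from the original post.
# Called by rlm_perl as func_post_auth from the Post-Auth-Type REJECT block.
# rlm_perl exposes the request and reply attribute lists as the package
# hashes %RAD_REQUEST and %RAD_REPLY (assumption: standard rlm_perl API).
use strict;
use warnings;

use vars qw(%RAD_REQUEST %RAD_REPLY);

# Return-code values as defined in rlm_perl's example.pl (assumption).
use constant RLM_MODULE_NOOP    => 7;   # nothing changed
use constant RLM_MODULE_UPDATED => 8;   # reply attributes were modified

# One generic text for every credential failure, so the NAS cannot
# tell "unknown user" apart from "wrong password".
my $GENERIC_REJECT = 'Login incorrect: invalid username or password';

sub post_auth_reject {
    my $failure = $RAD_REQUEST{'Module-Failure-Message'};

    # Only act when a module (LDAP, MS-CHAP, ...) recorded why it failed.
    return RLM_MODULE_NOOP unless defined $failure && length $failure;

    my $user = defined $RAD_REQUEST{'User-Name'}
             ? $RAD_REQUEST{'User-Name'} : '?';

    # Keep the specific reason in radiusd's own log for the operator ...
    &radiusd::radlog(1, "reject for user '$user': $failure");

    # ... but hand the client only the generic text.
    $RAD_REPLY{'Reply-Message'} = $GENERIC_REJECT;
    return RLM_MODULE_UPDATED;
}

1;
```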