> How can I add default Reply-Message to the situation where Access-Reject
> was sent because of incorrect password?
>
> I looked at the user's file but it seems that I have no way to determine
> if access-accept or reject was sent... it only has an example of how to
> send the message to a reject group.

If you're using LDAP, it already creates a Module-Failure-Message request
attribute upon failure. Also, I submitted bug 398 which Alan incorporated
into CVS head to provide the same functionality for MS-CHAP (I assume this
will be in FR 1.1.4). You could execute a Perl script in a reject section of
post_auth that looks for this request attribute and, if found, sets the
Reply-Message reply attribute.

If you're using a different authentication method, it may be possible to
change the code to accomplish what you want. As someone else pointed out,
it's not a good idea to tell someone they entered the wrong password as it
makes brute-force password attacks easier (because you're telling them the
userid is valid). I believe ntlm_auth gives a generic (invalid userid or
password) response to a bad password. If the response you see is too
specific, you may want to obfuscate it.

Here's an example of what you would put in radiusd.conf (this assumes you
have a sub in your perl script called post_auth_reject):

    modules {
        . . .
        perl set_reject_message {
            module = /usr/local/etc/raddb/set_reject_message.pl
            func_post_auth = post_auth_reject
        }
        . . .
    }
    . . .
    post-auth {
        Post-Auth-Type REJECT {
            set_reject_message
        }
    }
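The script that the radiusd.conf fragment above points to is not shown in the post, so here is an added example of what set_reject_message.pl could look like (this is not the poster's script). It assumes the rlm_perl interface as documented in the module's stock example.pl: the %RAD_REQUEST and %RAD_REPLY hashes, the radiusd::radlog function, and the numeric return-code constants. The sub name post_auth_reject and the file name come from the post; the generic message text is a constructed value. It keeps the specific failure reason in the server log only and sends the client the same non-specific text whether the user name or the password was wrong, which is the obfuscation the post recommends.

```perl
#!/usr/bin/perl
# set_reject_message.pl: rlm_perl hook called from Post-Auth-Type REJECT.
# Added example, not from the original post. Assumes the %RAD_REQUEST and
# %RAD_REPLY hashes, radiusd::radlog and the return codes from rlm_perl's
# stock example.pl.
use strict;
use warnings;

# Global hashes that rlm_perl fills in before calling the sub.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes as listed in rlm_perl's example.pl.
use constant RLM_MODULE_REJECT  => 0;
use constant RLM_MODULE_OK      => 2;
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# One client-facing message for every failure reason (constructed text), so
# the reply never reveals whether the user name exists or only the password
# was wrong.
my $GENERIC_MESSAGE = 'Authentication failed: invalid user name or password';

# Called via "func_post_auth = post_auth_reject" in radiusd.conf.
sub post_auth_reject {
    my $failure = $RAD_REQUEST{'Module-Failure-Message'};

    # Nothing recorded by the authentication module: leave the reply alone.
    unless (defined $failure && length $failure) {
        return RLM_MODULE_NOOP;
    }

    my $user = defined $RAD_REQUEST{'User-Name'} ? $RAD_REQUEST{'User-Name'} : '?';

    # Keep the specific reason where only the operator can read it.
    &radiusd::radlog(1, "post_auth_reject: user '$user' rejected: $failure");

    # Send the same generic text regardless of what the module reported.
    $RAD_REPLY{'Reply-Message'} = $GENERIC_MESSAGE;

    return RLM_MODULE_UPDATED;
}

1;
```

Because the sub only fires inside Post-Auth-Type REJECT, it never runs for accepted requests, so there is no risk of overwriting a Reply-Message on an Access-Accept. If you want the generic text on every reject rather than only when a Module-Failure-Message is present, drop the early NOOP return and set the reply unconditionally.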