Ok, I got the idea how to initiate the script on the reject event, but what should go in post_auth_reject.pl? I have absolutely no experience with Perl. I probably would be able to figure out something, but I am not sure how. I assume I would check for something like: if the username exists; if the username exists and the password is incorrect. Still, I have no idea how to do this.
From: freeradius-users-bounces+radiussupport=lrcommunications.net@lists.freeradius.org
[mailto:freeradius-users-bounces+radiussupport=lrcommunications.net@lists.freeradius.org]
On Behalf Of Garber, Neal

> How can I add a default Reply-Message to the situation where Access-Reject was
> sent because of an incorrect password?
> I looked at the users file but it seems that I have no way to determine if
> access-accept or reject was sent... it only has an example of how to send the
> message to a reject group.

If you're using LDAP, it already creates a Module-Failure-Message request attribute upon failure. Also, I submitted bug 398 which Alan incorporated into CVS head to provide the same functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could execute a Perl script in a reject section of post_auth that looks for this request attribute and, if found, sets the Reply-Message reply attribute.

If you're using a different authentication method, it may be possible to change the code to accomplish what you want. As someone else pointed out, it's not a good idea to tell someone they entered the wrong password, as it makes brute-force password attacks easier (because you're telling them the userid is valid). I believe ntlm_auth gives a generic (invalid userid or password) response to a bad password. If the response you see is too specific, you may want to obfuscate it. Here's an example of what you would put in radiusd.conf (this assumes you have a sub in your perl script called post_auth_reject):

    modules {
        ...
        perl set_reject_message {
            module = /usr/local/etc/raddb/set_reject_message.pl
            func_post_auth = post_auth_reject
        }
        ...
    }
    ...
    post-auth {
        Post-Auth-Type REJECT {
            set_reject_message
        }
    }
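An added example, not code from this thread or from the FreeRADIUS project, of what set_reject_message.pl could contain, following Neal's description: the post_auth_reject sub checks the Module-Failure-Message request attribute and, if it is present, sets one generic Reply-Message so the client is not told whether the userid or the password was the problem. The file name, the sub name and the message text are assumptions; the hash names and return-code values follow rlm_perl's example.pl.

```perl
# set_reject_message.pl (assumed name), loaded by rlm_perl as in the
# radiusd.conf fragment above. rlm_perl fills these hashes with the
# request and reply attribute lists before calling the sub.
use strict;
use warnings;
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# rlm_perl return codes (values as in FreeRADIUS's example.pl).
use constant RLM_MODULE_NOOP    => 7;  # nothing changed
use constant RLM_MODULE_UPDATED => 8;  # OK, reply attributes modified

# One generic text for every authentication failure. It must not differ
# between "unknown user" and "wrong password", or the reply leaks which
# usernames are valid (the brute-force concern raised in the thread).
my $GENERIC_REJECT = 'Invalid username or password';

# Called from Post-Auth-Type REJECT via func_post_auth = post_auth_reject.
sub post_auth_reject {
    my $failure = $RAD_REQUEST{'Module-Failure-Message'};

    # No module recorded a failure reason: leave the reply untouched.
    return RLM_MODULE_NOOP unless defined $failure && length $failure;

    # Keep the specific reason server-side for troubleshooting only;
    # level 1 is the debug log level used in FreeRADIUS's example.pl.
    my $user = defined $RAD_REQUEST{'User-Name'}
             ? $RAD_REQUEST{'User-Name'} : '<none>';
    &radiusd::radlog(1, "post_auth_reject: user=$user reason=$failure");

    # The NAS and the end user only ever see the generic message.
    $RAD_REPLY{'Reply-Message'} = $GENERIC_REJECT;
    return RLM_MODULE_UPDATED;
}

1;
```

With LDAP (or MS-CHAP once bug 398 is in your build) the specific reason then lands in radius.log while every Access-Reject carries the same Reply-Message.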