Re: How to return Reply-Message when user submitted wrong password



On Nov 9, 2007 2:11 PM, Patric <patrict@bluebottle.com> wrote:
Lee Sing Chyun wrote:
> Hi,
>
> Is there a way to reply with an intuitive Reply-Message (e.g., 'Wrong
> Password') when the user tries to authenticate with a wrong password?
>
> My current configuration is using rlm_pap and rlm_sql for authorization
> and authentication. FreeRADIUS version is 1.1.7.
>
> Thanks in advance!
>
> --
> Best Regards,
> SC

Be careful with this, do you REALLY want to tell a possible attacker
what they are doing wrong? Also many clients will completely ignore the
reply message anyway...

HTH
Patric

Hi Patric,

Thanks for your timely warning! :-)

The reason I wanted to set the Reply-Message with intuitive messages is that I have modified sql.conf to log the Reply-Message into the radpostauth table:

postauth_query = "INSERT into ${postauth_table} (user, pass, reply, date, reason) values ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}')"

The above worked fine for these scenarios:
- Failed Simultaneous-Use checks : Reply-Message was "You are already logged in - access denied".
- Failed Login-Time checks: Reply-Message was "You are calling outside your allowed timespan"
- Failed Expiration checks: Reply-Message was "Password Has Expired"

But in the scenario of wrong passwords, I noticed the Reply-Message was empty. Hence, I'm looking for ways to log "wrong password" reasons into the radpostauth table.

--
Best Regards,
SC

