PEAP / mschapv2 Error Messages

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Thu Aug 13 20:58:15 CEST 2009


Hi,
> Hi,
> Using the default eap/peap & inner-tunnel configuration, a failure gives rise to
> this:
> 
> Exec-Program output: Logon failure (0xc000006d) 
> Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
> Exec-Program: returned: 1
> [mschap] External script failed.
> [mschap] FAILED: MS-CHAP2-Response is incorrect
> ++[mschap] returns reject
> [eap] Freeing handler
> ++[eap] returns reject
> Failed to authenticate the user.
> } # server inner-tunnel
> [peap] Got tunneled reply code 3
> 	MS-CHAP-Error = "\nE=691 R=1"
> 	EAP-Message = 0x040a0004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Got tunneled reply RADIUS code 3
> 	MS-CHAP-Error = "\nE=691 R=1"
> 	EAP-Message = 0x040a0004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> [peap] Tunneled authentication was rejected.
> [peap] FAILURE
> ++[eap] returns handled
> 
> How can I take that MS-Chap-Error attribute and pass it back in the final
> access-reject, as a Reply-Message attribute for example.

unlang? set a variable to the value of MS-CHAP-Error and then set the Reply-Message
to be some text with that variable in it.

alternatively you could probably call Perl or Python etc. at the right time and
do the required variable and reply-message settings with those languages instead

however... by sending such messages the remote user knows the reason for failure,
e.g. incorrect password but a successful user... and could brute-force

alan
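
Added example, not part of the original post or of FreeRADIUS: a Python sketch of the scripted approach that parses the MS-CHAP-Error value from the debug output above and builds a Reply-Message text that keeps the failure reason out of the reply by default. The function names and the opt-in policy are assumptions; the E= codes are those listed in RFC 2759, and the sample values are constructed.

```python
import re

# Failure codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
# Codes describing account state; shown to the client only on opt-in
# (a policy assumed for this example, not a FreeRADIUS setting).
ACCOUNT_STATE = {646, 647, 648, 649}
GENERIC = "Authentication failed"
_FIELD = re.compile(r"\b([ERCV])=(\S+)")

def parse_mschap_error(value):
    """Split an MS-CHAP-Error value into (ident, fields).

    The first octet is the ident (RFC 2548); in the debug output it prints
    as "\\n" (0x0a), the same id carried in EAP-Message 0x040a0004.
    """
    if not value:
        raise ValueError("empty MS-CHAP-Error")
    ident = ord(value[0])
    text = value[1:].split(" M=", 1)[0]  # ignore the free-text M= field
    fields = dict(_FIELD.findall(text))
    if not fields.get("E", "").isdigit():
        raise ValueError("no E= code in %r" % text)
    return ident, fields

def reply_message(value, reveal_account_state=False):
    """Reply-Message text; E=691 is never echoed back to the client."""
    try:
        _, fields = parse_mschap_error(value)
    except ValueError:
        return GENERIC
    code = int(fields["E"])
    if reveal_account_state and code in ACCOUNT_STATE:
        return "%s (E=%d %s)" % (GENERIC, code, MSCHAP_ERRORS[code])
    return GENERIC

def log_detail(value):
    """Full detail for the server-side log only."""
    ident, fields = parse_mschap_error(value)
    code = int(fields["E"])
    name = MSCHAP_ERRORS.get(code, "UNKNOWN")
    return "ident=0x%02x E=%d (%s) retry=%s" % (ident, code, name, fields.get("R", "?"))
```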



More information about the Freeradius-Users mailing list