unlang to customize error message

Stefano Zanmarchi zanmarchi at gmail.com
Wed May 4 15:57:24 CEST 2016

Thank you all, but it's not working.

Setting "send_error = yes" in mods-enabled/eap works fine: win 10 users are
prompted to reenter passwords.
Whereas statically setting Reply-Message in the "Post-Auth-Type Reject"
I've tried the following
Reply-Message := "E=691 R=1 C=f37de5ab4ddb5307091b96430c78400c V=3
M=Authentication failed"
(where C=f37de5ab4ddb5307091b96430c78400c is my invention) and win 10 users
are not prompted.

My guess is that "send_error = yes" works fine because of the challenge (
"C=..." ) dinamically set by Freeradius.
Since "send_error = yes" does the magic, is there an unlang-way to
have "send_error"
conditionally set to "yes" or  "no", based on a sql query?

Thanks again,

On Thu, Apr 28, 2016 at 2:10 PM, Alan DeKok <aland at deployingradius.com>

> On Apr 28, 2016, at 6:03 AM, Stefano Zanmarchi <zanmarchi at gmail.com>
> wrote:
> >
> > According to MS-CHAP-V2 standard in case of authentication failure the
> > Failure Packet should contain the following text in the Message
> > field: "E=691 R=... ..." .
> > Freeradius does send "E=691" if send_error is set to yes
> > in mods-enabled/eap, but this may cause (as stated in the comments)  some
> > clients not to work.
>   You can edit the reply in the "Post-Auth-Type Reject" section.  Just set
> the attribute to the value you need.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list