1. For determining session expiry, i can see the Reply-Message for session timeout from rlm_expiration module. But for determining locked users, i think rlm_unix doesnt pass RLM_MODULE_USERLOCK as part of Reply-Message.
No. But have a look at "man unlang" and module return codes. You can use unlang to set Reply-Message in such cases.
2. For determining if user named xyz has typed wrong passwd and his privilage level, , i will keep /etc/raddb/users entry as
xyz Auth-Type := Reject , User-password =~ "*" Reply-Message = "Invalid passwd for xyz(level 2)."
I am not quite sure what you mean. Does your user have multiple entries where privilege level is determined by password? Like: xyz User-Password 1 Priv-Level 1 xyz User-Password 2 Priv-Level 2 You will not be able to determine which (level) password he wanted to use if he misses. You can remove password attribute from check line and level from the reply entry.
I can parse Reply-Message to determine the privilage. Is this the right way to determine the user privilage?
3. For determining if the user is a valid radius user, i will keep this entry at the end in the /etc/raddb/users :
DEFAULT Auth-Type := Reject Reply-Message = "Invalid user"
That's fine. Ivan Kalik Kalik Informatika ISP