How can I add default Reply-Message to the situation where Access-Reject was sent because of incorrect password?
I looked at the user's file but it seams that I have no way to determine if access-accept or reject was sent... it only has example how to send the message to a reject > group.
If you're using LDAP, it already creates a Module-Failure-Message request attribute upon failure. Also, I submitted bug 398 which Alan incorporated into CVS head to provide the same functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could execute a Perl script in a reject section of post_auth that looks for this request attribute and, if found, set the Reply-Message reply attribute. If you're using a different authentication method, it may be possible to change the code to accomplish what you want. As someone else pointed out, it's not a good idea to tell someone they entered the wrong password as it makes brute-force password attacks easier (because you're telling them the userid is valid). I believe ntlm_auth gives a generic (invalid userid or password) response to a bad password. If the response you see is too specific, you may want to obfuscate it.. Here's an example of what you would put in radiusd.conf (this assumes you have a sub in your perl script called post_auth_reject): modules { . . . perl set_reject_message { module = /usr/local/etc/raddb/set_reject_message.pl func_post_auth = post_auth_reject } . . . } . . . post-auth { Post-Auth-Type REJECT { set_reject_message } }