> How can I add
default Reply-Message to the situation where Access-Reject was sent because of
incorrect password?
> I looked at the
user’s file but it seams that I have no way to determine if access-accept
or reject was sent… it only has example how to send the message to a
reject > group.
If you’re using LDAP, it already creates
a Module-Failure-Message request attribute upon failure. Also, I
submitted bug 398 which Alan incorporated into CVS head to provide the same
functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could
execute a Perl script in a reject section of post_auth that looks for this
request attribute and, if found, set the Reply-Message reply attribute.
If you’re using a different authentication method, it may be possible to
change the code to accomplish what you want. As someone else pointed out,
it’s not a good idea to tell someone they entered the wrong password as
it makes brute-force password attacks easier (because you’re telling them
the userid is valid). I believe ntlm_auth gives a generic (invalid userid
or password) response to a bad password. If the response you see is too
specific, you may want to obfuscate it..
Here’s an example of what you would
put in radiusd.conf (this assumes you have a sub in your perl script called
post_auth_reject):
modules {
.
.
.
perl set_reject_message {
module
= /usr/local/etc/raddb/set_reject_message.pl
func_post_auth
= post_auth_reject
}
.
.
.
}
.
.
.
post-auth {
Post-Auth-Type REJECT {
set_reject_message
}
}