Expiration Module Not Returning the Error Message
Hi, The expiration module works but it is not returning the error message. Everytime I include the Expiration attribute and set date accordingly. The user is denied login. The reason is because the account expired and NOT because there is "no known good password found" as shown below. How to tell RADIUS to stop processing anything after expiration check? I suspect it proceeds the rest of the checks and so the error message has been overwritten by other modules' error message. +++[sql2] returns ok ++- redundant-load-balance group redundant_load_balance_sql returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop thanks, det
On Tue, Sep 6, 2011 at 11:41 AM, Det Det <det.explorer@yahoo.com> wrote:
Hi, The expiration module works but it is not returning the error message. Everytime I include the Expiration attribute and set date accordingly. The user is denied login. The reason is because the account expired and NOT because there is "no known good password found" as shown below. How to tell RADIUS to stop processing anything after expiration check? I suspect it proceeds the rest of the checks and so the error message has been overwritten by other modules' error message.
+++[sql2] returns ok ++- redundant-load-balance group redundant_load_balance_sql returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop
Works for me. From modules/expiration: "It should be included in the *end* of the authorize section in order to handle user Expiration" (or just uncomment expiration line in sites-available/default). The debug log should show something like this [expiration] Checking Expiration time: '2011 Sep 6 03:00:00' [expiration] Account has expired [expiration] expand: Password Has Expired -> Password Has Expired ++[expiration] returns userlock Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]): [testuser] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 242 to 127.0.0.1 port 52990 Reply-Message += "Password Has Expired\r\n" If it doesn't, then either: - you're using an old FR version with some bugs regarding expiration on it, in which case you should upgrade, or - you didn't list expiration in authorize section, or - you didn't have Expiration attribute for your user (in users file/sql/whatever) -- Fajar
hey thanks! it's working now. it was because the op in radcheck is "==" which is the default from the schema. I changed it to ":=" and it is working now. :) ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, September 6, 2011 1:28 PM Subject: Re: Expiration Module Not Returning the Error Message On Tue, Sep 6, 2011 at 11:41 AM, Det Det <det.explorer@yahoo.com> wrote:
Hi, The expiration module works but it is not returning the error message. Everytime I include the Expiration attribute and set date accordingly. The user is denied login. The reason is because the account expired and NOT because there is "no known good password found" as shown below. How to tell RADIUS to stop processing anything after expiration check? I suspect it proceeds the rest of the checks and so the error message has been overwritten by other modules' error message.
+++[sql2] returns ok ++- redundant-load-balance group redundant_load_balance_sql returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop
Works for me. From modules/expiration: "It should be included in the *end* of the authorize section in order to handle user Expiration" (or just uncomment expiration line in sites-available/default). The debug log should show something like this [expiration] Checking Expiration time: '2011 Sep 6 03:00:00' [expiration] Account has expired [expiration] expand: Password Has Expired -> Password Has Expired ++[expiration] returns userlock Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]): [testuser] (from client localhost port 0) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 242 to 127.0.0.1 port 52990 Reply-Message += "Password Has Expired\r\n" If it doesn't, then either: - you're using an old FR version with some bugs regarding expiration on it, in which case you should upgrade, or - you didn't list expiration in authorize section, or - you didn't have Expiration attribute for your user (in users file/sql/whatever) -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Det Det -
Fajar A. Nugraha