Hi guys, Having just come from a meeting, I've not actually had a chance to do any research myself, and hoped to lean on the community a little. A concern was put forward regarding password policies for policies stored in a radius server. Now, policies like "Must be 8 characters" and "must have 2 numbers" can be handled easily enough in form processing on some sort of front end, however, is it possible have a radius password expire after a set period of time, and then send back a specific message saying that the password has expired? (ie one month?) Many Thanks, Justin Steward
A concern was put forward regarding password policies for policies stored in a radius server. Now, policies like "Must be 8 characters" and "must have 2 numbers" can be handled easily enough in form processing on some sort of front end, however, is it possible have a radius password expire after a set period of time,
Yes.
and then send back a specific message saying that the password has expired? (ie one month?)
Yes. The only problem is that most supplicants will ignore this message and never display it to the user. Ivan Kalik Kalik Informatika ISP
On Mon, Sep 14, 2009 at 6:25 PM, Ivan Kalik <tnt@kalik.net> wrote:
Yes. The only problem is that most supplicants will ignore this message and never display it to the user.
That's not a problem as I'll be extending the client application to add in the password policy mechanisms, I can force it to behave however I want (almost). How would I go about configuring radius to send an expired message? Ideally the message would form part of an access-reject statement. Many Thanks, Justin
Justin Steward wrote:
That's not a problem as I'll be extending the client application to add in the password policy mechanisms, I can force it to behave however I want (almost). How would I go about configuring radius to send an expired message? Ideally the message would form part of an access-reject statement.
Then it has to go into a Reply-Message attribute. Unless you're doing EAP. In which case you have to extend the EAP authentication method to handle sending messages inside of EAP. Alan DeKok.
On Tue, Sep 15, 2009 at 8:31 AM, Alan DeKok <aland@deployingradius.com>wrote:
Then it has to go into a Reply-Message attribute.
Unless you're doing EAP. In which case you have to extend the EAP authentication method to handle sending messages inside of EAP.
http://wiki.freeradius.org/Radiusd.conf Has a short section discussing the "Expiration module" (Which didn't seem to exist in my config) Copied that into my config, set up a user with an "Expiration" attribute of last month, and voila, rad_recv: Access-Reject packet from host xxx.xxx.xxx.xxx port 1812, id=31, length=44 Reply-Message = "Password Has Expired\r\n" Thanks guys, now to get the front end co-operating. ~Justin
participants (4)
-
Alan DeKok -
Ivan Kalik -
Justin Steward -
Justin Steward