DEFAULT access-reject Reply-Message
Alex M
radiussupport at lrcommunications.net
Fri Dec 1 19:12:22 CET 2006
Ok, I got the idea how to initiate the script on reject event, but what
should go in post_auth_reject.pl? I have absolutely no experience with Perl.
I probably would be able to figure out something but not sure how. I assume
I would listen to something like if username exists, if username exists and
password incorrect. Still I have no idea how to do this :-(
_____

From: freeradius-users-bounces+radiussupport=lrcommunications.net at lists.freeradius.org [mailto:freeradius-users-bounces+radiussupport=lrcommunications.net at lists.freeradius.org] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 10:40 AM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message
> How can I add default Reply-Message to the situation where Access-Reject
> was sent because of incorrect password?
> I looked at the user's file but it seems that I have no way to determine
> if access-accept or reject was sent. It only has an example how to send the
> message to a reject group.
If you're using LDAP, it already creates a Module-Failure-Message request
attribute upon failure. Also, I submitted bug 398 which Alan incorporated
into CVS head to provide the same functionality for MS-CHAP (I assume this
will be in FR 1.1.4). You could execute a Perl script in a reject section
of post_auth that looks for this request attribute and, if found, sets the
Reply-Message reply attribute. If you're using a different authentication
method, it may be possible to change the code to accomplish what you want.

As someone else pointed out, it's not a good idea to tell someone they
entered the wrong password as it makes brute-force password attacks easier
(because you're telling them the userid is valid). I believe ntlm_auth
gives a generic (invalid userid or password) response to a bad password. If
the response you see is too specific, you may want to obfuscate it.
Here's an example of what you would put in radiusd.conf (this assumes you
have a sub in your perl script called post_auth_reject):

modules {
    .
    .
    .
    perl set_reject_message {
        module = /usr/local/etc/raddb/set_reject_message.pl
        func_post_auth = post_auth_reject
    }
    .
    .
    .
}
.
.
.
post-auth {
    Post-Auth-Type REJECT {
        set_reject_message
    }
}
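As an added illustration of what set_reject_message.pl could contain (my own example, not code from this thread), here is an rlm_perl script following Neal's approach: it reads Module-Failure-Message from the request, keeps the specific cause in the server log, and always returns one generic Reply-Message so the client cannot tell whether the userid exists. The hash names, return-code values and radiusd::radlog call are those of FreeRADIUS's rlm_perl example.pl; the message text and log level are my choices.

```perl
# set_reject_message.pl: called from Post-Auth-Type REJECT via
# func_post_auth = post_auth_reject (added example, not from the thread)
use strict;
use warnings;

# Hashes that rlm_perl fills in for each packet; values written to
# %RAD_REPLY are sent back to the NAS in the Access-Reject.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Module return codes, as defined in rlm_perl's example.pl
use constant RLM_MODULE_OK      => 2;   # nothing changed
use constant RLM_MODULE_UPDATED => 8;   # reply attributes were modified

# Default text shown to every rejected client (my wording, an assumption)
my $GENERIC_MESSAGE = 'Invalid username or password';

sub post_auth_reject {
    my $user   = $RAD_REQUEST{'User-Name'} || '<unknown>';
    my $reason = $RAD_REQUEST{'Module-Failure-Message'};

    if (defined $reason && length $reason) {
        # The detailed cause (bad password, unknown user, ...) goes only
        # to radiusd's log, where the administrator can see it.
        # Level 3 is L_INFO in radiusd's radlog.
        &radiusd::radlog(3, "Access-Reject for '$user': $reason");
    } else {
        &radiusd::radlog(3, "Access-Reject for '$user': no failure message");
    }

    # Never copy $reason into the reply: a message that distinguishes
    # "unknown user" from "wrong password" confirms valid userids to
    # a guessing client, which is what Neal warns about above.
    $RAD_REPLY{'Reply-Message'} = $GENERIC_MESSAGE;

    return RLM_MODULE_UPDATED;
}

1;
```

Save it at the path given in the perl module block and check with radiusd -X that the REJECT section runs the module and that the Reply-Message shows up in the Access-Reject.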