How to return Reply-Message when user submitted wrong password

Lee Sing Chyun singchyun at gmail.com
Fri Nov 9 07:51:55 CET 2007


On Nov 9, 2007 2:11 PM, Patric <patrict at bluebottle.com> wrote:

> Lee Sing Chyun wrote:
> > Hi,
> >
> > Is there a way to reply with an intuitive Reply-Message (e.g., 'Wrong
> > Password') when the user tries to authenticate with a wrong password?
> >
> > My current configuration is using rlm_pap and rlm_sql for authorization
> > and authentication. FreeRADIUS version is 1.1.7.
> >
> > Thanks in advance!
> >
> > --
> > Best Regards,
> > SC
>
> Be careful with this, do you REALLY want to tell a possible attacker
> what they are doing wrong? Also many clients will completely ignore the
> reply message anyway...
>
> HTH
> Patric <http://www.freeradius.org/list/users.html>
>

Hi Patric,

Thanks for your timely warning! :-)

The reason I wanted to set the Reply-Message with intuitive messages is
because I have modified sql.conf to log the Reply-Message into radpostauth
table:

postauth_query = "INSERT into ${postauth_table} (user, pass, reply, date,
reason) values ('%{User-Name}', '%{User-Password:-Chap-Password}',
'%{reply:Packet-Type}', NOW(), '%{reply:Reply-Message}')"

The above worked fine for these scenarios:
- Failed Simultaneous-Use checks: Reply-Message was "You are already logged
in - access denied".
- Failed Login-Time checks: Reply-Message was "You are calling outside your
allowed timespan".
- Failed Expiration checks: Reply-Message was "Password Has Expired".

But in the scenario of wrong passwords, I noticed the Reply-Message was
empty. Hence, I'm looking for ways to log "wrong password" reasons
into the radpostauth table.

-- 
Best Regards,
SC
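
Added example, not part of the original message and not FreeRADIUS code: because wrong-password rejects reach radpostauth with an empty reason in the setup described above, rows with reply Access-Reject and no Reply-Message can be labelled and counted per user without sending any hint back to the client. The sqlite3 table, the sample rows, the label names and the threshold are constructed assumptions; only the column names and the three Reply-Message strings come from the post.

```python
import sqlite3

# Reply-Message strings quoted in the post; the short labels are assumptions.
KNOWN_REASONS = {
    "You are already logged in - access denied": "simultaneous-use",
    "You are calling outside your allowed timespan": "login-time",
    "Password Has Expired": "expiration",
}

def classify(reply, reason):
    """Label one radpostauth row by its logged packet type and Reply-Message."""
    if reply != "Access-Reject":
        return "accepted"
    if not reason:
        # Per the post, wrong-password rejects carry an empty Reply-Message.
        return "no-reply-message"
    return KNOWN_REASONS.get(reason, "other")

def build_sample_db():
    """In-memory table with the columns named in the post's postauth_query."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE radpostauth '
                 '("user" TEXT, pass TEXT, reply TEXT, date TEXT, reason TEXT)')
    rows = [  # constructed sample rows; the pass column is left blank
        ("alice", "", "Access-Reject", "2007-11-09 07:00:01", ""),
        ("alice", "", "Access-Reject", "2007-11-09 07:00:05", ""),
        ("alice", "", "Access-Reject", "2007-11-09 07:00:09", ""),
        ("alice", "", "Access-Accept", "2007-11-09 07:01:30", ""),
        ("bob", "", "Access-Reject", "2007-11-09 07:02:00", ""),
        ("carol", "", "Access-Reject", "2007-11-09 07:03:00",
         "Password Has Expired"),
    ]
    conn.executemany("INSERT INTO radpostauth VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def unexplained_rejects(conn, threshold=3):
    """Users with at least `threshold` rejects that have no Reply-Message."""
    cur = conn.execute(
        'SELECT "user", COUNT(*) FROM radpostauth '
        "WHERE reply = 'Access-Reject' AND (reason IS NULL OR reason = '') "
        'GROUP BY "user" HAVING COUNT(*) >= ? ORDER BY "user"',
        (threshold,))
    return cur.fetchall()

if __name__ == "__main__":
    for user, count in unexplained_rejects(build_sample_db()):
        print(f"{user}: {count} rejects without a Reply-Message")
```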