PEAP / mschapv2 Error Messages
Michael Bryant
michael.bryant at sjc.ox.ac.uk
Thu Aug 13 21:33:23 CEST 2009
>
> unlang? set a variable to the value of MS-CHAP-Error and then set the Reply-Message
> to be some text with that variable in it.
>
Unfortunately, this sends it back in the next packet, which is an
Access-Challenge, not in the final Access-Reject.
Also, for some strange reason, the post-auth section in the inner-tunnel
only gets called on a successful auth, not on a failure, so I can't
output the failure to sql there either.
> alternatively you could probably call Perl or Python etc at the right time and
> do the required variable and reply-message settings with those languages instead
>
> however....by sending such messages the remote user knows the reason for failure
> eg incorrect password but a successful user...and could bruteforce
I plan to do something along the lines of:
MS-Chap-Error=User wrong => login failed
MS-Chap-Error=Pass wrong => login failed
MS-Chap-Error=Account locked => Account locked
--Mike
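
The mapping sketched in the message above, as an added Python example that is not part of the original post or of FreeRADIUS. It assumes the MS-CHAP-Error value carries the RFC 2759 failure string ("E=... R=... C=... V=... M=..."), possibly prefixed by one identifier byte; the function names and reply texts are hypothetical.

```python
import re

# RFC 2759 failure codes (E= field). Only account-state codes get their own
# text; 691 (authentication failure) and anything unknown share one message,
# so a wrong user name and a wrong password look the same to the client.
ACCOUNT_STATE = {
    647: "Account disabled",   # ERROR_ACCT_DISABLED
    648: "Password expired",   # ERROR_PASSWD_EXPIRED
}
GENERIC = "Login failed"       # constructed reply text


def parse_mschap_error(raw):
    """Split a failure string into its fields, e.g. {'E': '691', 'R': '1'}."""
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")        # tolerate a leading ident byte
    match = re.search(r"E=\d+.*", raw, re.S)
    if not match:
        return {}
    # M= is free text and may contain spaces, so split it off first.
    head, sep, message = match.group(0).partition(" M=")
    fields = {}
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    if sep:
        fields["M"] = message
    return fields


def reply_message(raw):
    """Return the coarse Reply-Message text for an MS-CHAP-Error value."""
    try:
        code = int(parse_mschap_error(raw).get("E", ""))
    except ValueError:
        return GENERIC                     # unparseable: reveal nothing
    return ACCOUNT_STATE.get(code, GENERIC)


if __name__ == "__main__":
    # Constructed sample value, not captured from a real server.
    sample = b"\x01E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed"
    print(reply_message(sample))
```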