PEAP / mschapv2 Error Messages

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Aug 14 12:32:43 CEST 2009


On 14/08/2009 07:51, Alan DeKok wrote:
> Michael Bryant wrote:
>>> unlang? set a variable to the value of MS-CHAP-Error and then set the Reply-Message
>>> to be some text with that variable in it.
>>>
>> Unfortunately, this sends it back in the next packet, which is an
>> Access-Challenge, not in the final Access-Reject.
>
>    Sending Reply-Message in an Access-Reject is not permitted for EAP
> sessions.  It is also not supported by any NAS.
>

Sending a Reply-Message is not permitted in any packet where an EAP-Message attribute is included.

>    What you want to do is impossible.  Even if you get FreeRADIUS to send
> a Reply-Message, it will get ignored by the NAS and the client PC.  As a
> result, the message will do *nothing* useful.

Depends on the NAS. But yeah, doing this breaks things. The best thing you can do is log the error in the post-auth section.

If you want the users to fix the issues themselves, then it'd be pretty easy to write a small web app to look through the failure codes and convert them into something humanly readable.

Arran

-- 
Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
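
The lookup suggested above (turn logged failure codes into readable text), as an added example that is not part of the original post or of FreeRADIUS: it parses the MS-CHAP-Error failure string in the "E= R= C= V= M=" layout of RFC 2759 and maps the code to the names listed there. The function names, the wording of the explanations and the sample values are assumptions constructed for illustration.

```python
import re

# Failure codes listed for the MS-CHAPv2 Failure packet in RFC 2759, section 6.
# The explanatory wording is this example's own.
MSCHAP_ERRORS = {
    646: ("ERROR_RESTRICTED_LOGON_HOURS", "Logon is not allowed at this time."),
    647: ("ERROR_ACCT_DISABLED", "The account is disabled."),
    648: ("ERROR_PASSWD_EXPIRED", "The password has expired."),
    649: ("ERROR_NO_DIALIN_PERMISSION", "The account has no dial-in permission."),
    691: ("ERROR_AUTHENTICATION_FAILURE", "User name or password was not accepted."),
    709: ("ERROR_CHANGING_PASSWORD", "The password change failed."),
}

# Field order per RFC 2759: "E=eeeeeeeeee R=r C=cccc... V=vvvvvvvvvv M=<msg>".
# search() is used because the RADIUS attribute value starts with an ident
# octet; fields after E= are optional because some servers send only E= and R=.
_FAILURE = re.compile(
    r"E=(\d{1,10})(?: R=([01]))?(?: C=([0-9A-Fa-f]+))?"
    r"(?: V=(\d{1,10}))?(?: M=(.*))?",
    re.DOTALL,
)

def parse_mschap_error(value):
    """Return the failure fields as a dict, or None if there is no E= field."""
    m = _FAILURE.search(value)
    if m is None:
        return None
    code, retry, challenge, version, message = m.groups()
    return {
        "code": int(code),
        "retry": retry == "1",          # R=1 means the peer may retry
        "challenge": challenge,
        "version": int(version) if version else None,
        "message": message,             # free text from the server, untrusted
    }

def explain(value):
    """One readable line for a logged MS-CHAP-Error value."""
    parsed = parse_mschap_error(value)
    if parsed is None:
        return "Unrecognised MS-CHAP-Error value."
    name, text = MSCHAP_ERRORS.get(
        parsed["code"], ("UNKNOWN", "Failure code not listed in RFC 2759."))
    hint = " A retry is allowed." if parsed["retry"] else ""
    return f"{parsed['code']} ({name}): {text}{hint}"

if __name__ == "__main__":
    # Constructed sample value, including a leading ident octet.
    print(explain("\x07E=691 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Failed"))
```

If the M= text is shown in a web page, HTML-escape it first, since it is free-form text taken from the log.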


