Reply-message stripped from access-reject response

Phil Mayers p.mayers at imperial.ac.uk
Sat May 14 12:59:33 CEST 2011


On 05/14/2011 11:28 AM, sbcsgjmbbz at snkmail.com wrote:
> Hi,
>
> Using freeradius 1.1.3. I'm trying to get freeradius to return a helpful
> reply-message in access-rejects to the NAS but the reply-message seems
> to get stripped from the access-reject packet. I've configured the
> reply-message as below in /etc/raddb/sites-enabled/default
>
> post-auth {
>     sql
>     exec
>     Post-Auth-Type REJECT {
>         # Login failed
>         update reply {
>             Reply-Message = "Login Failure"
>         }
>         sql
>         attr_filter.access_reject
>     }
> }
>
> Using wireshark on the radius server, I can see the correct
> reply-message AVP as below
>
> Radius Protocol
> Code: Access-Reject (3)
> Packet identifier: 0xda (218)
> Length: 35
> Authenticator: a6208196777dac6e68b45f647a46bc44
> [This is a response to a request in frame 1]
> [Time from request: 1.000227000 seconds]
> Attribute Value Pairs
> AVP: l=15 t=Reply-Message(18): Login Failure
> Reply-Message: Login Failure
>
> However, on the receiving NAS, using wireshark, there is no
> reply-message AVP!

What is between the radius server and NAS? Something must be, because 
it's modifying the packet. Do you have an intermediate proxy server?
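
One way to compare the two captures, as an added example that is not part of the original thread: parse the Access-Reject seen on the server and the one seen at the NAS, then list the attributes that went missing in transit. The server-side values come from the Wireshark output quoted above; the NAS-side bytes and all function names are constructed for illustration.

```python
import struct

REPLY_MESSAGE = 18  # RFC 2865 attribute type shown in the thread's capture

def parse_radius(pkt: bytes):
    """Parse an RFC 2865 packet into (code, identifier, authenticator, attrs)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field does not fit the captured payload")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[off], pkt[off + 1]
        if a_len < 2 or off + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pkt[off + 2:off + a_len]))
        off += a_len
    return code, ident, pkt[4:20], attrs

def compare_captures(server_pkt: bytes, nas_pkt: bytes):
    """Report attributes lost in transit and whether the authenticator changed."""
    _, _, s_auth, s_attrs = parse_radius(server_pkt)
    _, _, n_auth, n_attrs = parse_radius(nas_pkt)
    remaining = list(n_attrs)
    missing = []
    for attr in s_attrs:
        if attr in remaining:
            remaining.remove(attr)   # matched, so not stripped
        else:
            missing.append(attr)     # sent by the server, absent at the NAS
    return {"missing": missing, "authenticator_changed": s_auth != n_auth}

def build(code, ident, auth, attrs):
    """Helper (hypothetical) that assembles a packet for the sample data."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

# Server-side packet rebuilt from the values in the Wireshark output above.
SERVER_PKT = build(3, 0xDA, bytes.fromhex("a6208196777dac6e68b45f647a46bc44"),
                   [(REPLY_MESSAGE, b"Login Failure")])
# Constructed NAS-side packet: the thread shows no bytes for it, so the
# authenticator is a placeholder and the attribute list is empty.
NAS_PKT = build(3, 0xDA, bytes(16), [])

if __name__ == "__main__":
    print(compare_captures(SERVER_PKT, NAS_PKT))
```

The Response Authenticator is an MD5 over the packet contents and the shared secret, so a packet that arrives with fewer attributes and is still accepted by the NAS has had its authenticator recomputed by whatever sits in between.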


