Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)
Martin Goldstone
m.j.goldstone at isc.keele.ac.uk
Tue May 24 16:23:42 CEST 2011
On 24/05/11 12:46, Phil Mayers wrote:
> On 24/05/11 12:16, Martin Goldstone wrote:
>> Hello,
>>
>> Just looking for a bit of advice here. I've been setting up freeradius
>> here recently, and whilst I'm mostly finished, there are a few points
>> that still need to be addressed. The main one is sending a (semi)
>> meaningful reply message when a user is rejected. Unfortunately, I'm
>> having trouble figuring out how to return a Reply-Message from within
>> the inner tunnel. Well, to be more specific, returning that
>> Reply-Message within the final Access-Reject.
>
> Do you have this in eap.conf:
>
> eap {
>     peap {
>         use_tunneled_reply = yes
>     }
> }
>
> ?
Yes, I have this in both the peap stanza and the ttls stanza. This
seems to be fine when access is accepted, for example if I set a
Reply-Message saying "Welcome" in the post-auth section of the
inner-tunnel config, I see this in the final access-accept message.
Also, the output from freeradius -X suggests that (in the case of a user
rejection) it gets the reply from the tunnel and that tunneled
authentication is rejected, but immediately after that it sends an
Access-Challenge out, and then upon receipt of another Access-Request,
goes into peap, figures it has already rejected this one, and finally
sends an Access-Reject, but without any Reply-Message I tried to set in
the inner-tunnel. If I put something in the Post-Auth REJECT section of
the outer tunnel, it works, but unfortunately at this point it has no
idea of what it had previously set as a Reply-Message, so I can only
send an arbitrary string, such as "Authentication Failure", which is a
little obvious and unhelpful.
Thanks
--
Martin Goldstone
IT Systems Administrator
Finance & IT
Keele University, Keele, Staffordshire, United Kingdom, ST5 5BG
Telephone: +44 1782 734457
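As an added illustration (not code from this thread or from FreeRADIUS), a small Python inspector for the outer RADIUS replies described above: it rebuilds a PEAP-start Access-Challenge and a final Access-Reject carrying the static "Authentication Failure" Reply-Message, checks both the Response Authenticator and the Message-Authenticator against the Access-Request they answer, and reports which Reply-Message text, if any, the supplicant is actually sent. The shared secret, Request Authenticator and EAP payloads are constructed sample values.

```python
import hashlib, hmac, struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579)
ACCESS_REJECT, ACCESS_CHALLENGE = 3, 11
REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 79, 80

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, including the header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_attrs(body):
    attrs = []
    while body:
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[0], body[2:body[1]]))
        body = body[body[1]:]
    return attrs

def build_reply(code, ident, request_auth, secret, attrs):
    # Server reply: Message-Authenticator is HMAC-MD5 over the packet with the
    # Request Authenticator in the authenticator field (RFC 3579 s.3.2)
    body = encode_attrs(list(attrs) + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    body = body[:-16] + hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body

def inspect_reply(pkt, request_auth, secret):
    # Verify both authenticators against the Access-Request this packet answers,
    # then return (code, [Reply-Message values]) as the supplicant would see them
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(header + request_auth + body + secret).digest()):
        raise ValueError("bad Response Authenticator")
    attrs = parse_attrs(body)
    zeroed = encode_attrs([(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(dict(attrs).get(MESSAGE_AUTHENTICATOR, b""), mac):
        raise ValueError("bad or missing Message-Authenticator")  # required on EAP replies (RFC 3579)
    return code, [v.decode() for t, v in attrs if t == REPLY_MESSAGE]

# Constructed sample exchange: PEAP-start Access-Challenge, then the final Access-Reject
SECRET = b"example-shared-secret"   # constructed, not a real secret
REQ_AUTH = bytes(range(16))         # constructed Request Authenticator
CHALLENGE = build_reply(ACCESS_CHALLENGE, 7, REQ_AUTH, SECRET, [(EAP_MESSAGE, b"\x01\x08\x00\x06\x19\x20")])
REJECT = build_reply(ACCESS_REJECT, 8, REQ_AUTH, SECRET, [(EAP_MESSAGE, b"\x04\x08\x00\x04"), (REPLY_MESSAGE, b"Authentication Failure")])
```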