Expiration Module Not Returning the Error Message

Fajar A. Nugraha list at fajar.net
Tue Sep 6 07:28:18 CEST 2011


On Tue, Sep 6, 2011 at 11:41 AM, Det Det <det.explorer at yahoo.com> wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Every time I include the Expiration attribute and set date accordingly. The
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How to tell
> RADIUS to stop processing anything after expiration check? I suspect it
> proceeds the rest of the checks and so the error message has been
> overwritten by other modules' error message.
>
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the
*end* of the authorize section in order to handle user Expiration" (or
just uncomment expiration line in sites-available/default). The debug
log should show something like this:

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration] 	expand: Password Has Expired   -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]):
[testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> testuser
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
	Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in authorize section, or
- you didn't have Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar
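
The checklist in the reply can be applied mechanically to a captured debug excerpt. The following Python script is an added example, not code from the original post or from the FreeRADIUS project; the function names, the triage labels and the noop heuristic are assumptions, and the sample logs are constructed from the excerpts quoted in this thread.

```python
import re

# Constructed samples, trimmed from the two debug excerpts quoted in this thread.
FAILING = """\
+++[sql2] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
++[pap] returns noop
"""
WORKING = """\
[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
++[expiration] returns userlock
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
\tReply-Message += "Password Has Expired\\r\\n"
"""

# Matches lines such as "++[expiration] returns noop"; group headers
# ("++- redundant-load-balance group ... returns ok") are skipped on purpose.
RETURN_RE = re.compile(r"^\s*\+*\[([\w.]+)\]\s+returns\s+(\w+)\s*$")
REPLY_RE = re.compile(r'^\s*Reply-Message\s*\+?=\s*"(.*)"\s*$', re.M)

def module_returns(log):
    """Return [(module, return_code), ...] in the order the modules ran."""
    return [m.groups() for m in map(RETURN_RE.match, log.splitlines()) if m]

def reply_message(log):
    """Return the Reply-Message value sent to the client, or None."""
    m = REPLY_RE.search(log)
    return m.group(1) if m else None

def triage_expiration(log):
    """Map a debug excerpt onto the reply's checklist (hypothetical labels)."""
    code = dict(module_returns(log)).get("expiration")
    if code is None:
        return "not-run"        # expiration never appears: not listed in authorize
    if code == "userlock":
        return "expired"        # the working case shown in the reply
    if code == "noop" and "Checking Expiration time" not in log:
        return "no-attribute"   # heuristic: module ran but checked no Expiration value
    return "other:" + code

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        print(name, triage_expiration(log), reply_message(log))
```

The script cannot tell a missing Expiration attribute apart from the old-version bugs mentioned in the reply; both show up as "no-attribute" and need a version check to separate.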



