Expiration Module Not Returning the Error Message

Det Det det.explorer at yahoo.com
Tue Sep 6 09:53:16 CEST 2011


Hey, thanks! It's working now. It was because the op in radcheck is "==", which is the default from the schema. I changed it to ":=" and it is working now. :)



________________________________
From: Fajar A. Nugraha <list at fajar.net>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Tuesday, September 6, 2011 1:28 PM
Subject: Re: Expiration Module Not Returning the Error Message

On Tue, Sep 6, 2011 at 11:41 AM, Det Det <det.explorer at yahoo.com> wrote:
> Hi,
> The expiration module works but it is not returning the error message.
> Every time I include the Expiration attribute and set the date accordingly, the
> user is denied login. The reason is because the account expired and NOT
> because there is "no known good password found" as shown below. How to tell
> RADIUS to stop processing anything after the expiration check? I suspect it
> proceeds with the rest of the checks and so the error message has been
> overwritten by other modules' error message.
>
>
> +++[sql2] returns ok
> ++- redundant-load-balance group redundant_load_balance_sql returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication
> may fail because of this.
> ++[pap] returns noop

Works for me. From modules/expiration: "It should be included in the
*end* of the authorize section in order to handle user Expiration" (or
just uncomment the expiration line in sites-available/default). The debug
log should show something like this:

[expiration] Checking Expiration time: '2011 Sep 6 03:00:00'
[expiration] Account has expired
[expiration]     expand: Password Has Expired   -> Password Has Expired
++[expiration] returns userlock
Invalid user (Account has expired [Expiration 2011 Sep 6 03:00:00]):
[testuser] (from client localhost port 0)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 242 to 127.0.0.1 port 52990
    Reply-Message += "Password Has Expired\r\n"

If it doesn't, then either:
- you're using an old FR version with some bugs regarding expiration
on it, in which case you should upgrade, or
- you didn't list expiration in the authorize section, or
- you didn't have an Expiration attribute for your user (in users
file/sql/whatever)

-- 
Fajar
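
Added example (not part of the thread and not FreeRADIUS code): the fix reported in the reply at the top, changing the radcheck op for Expiration from "==" to ":=", written as an audit-and-repair script. It runs against a constructed in-memory SQLite stand-in for the table; the sample rows and the function names are assumptions.

```python
import sqlite3

# Constructed stand-in for the FreeRADIUS radcheck table. Column names follow
# the stock SQL schema; the '==' default for op is what the post describes.
SCHEMA = """
CREATE TABLE radcheck (
    id        INTEGER PRIMARY KEY AUTOINCREMENT,
    username  TEXT NOT NULL DEFAULT '',
    attribute TEXT NOT NULL DEFAULT '',
    op        TEXT NOT NULL DEFAULT '==',
    value     TEXT NOT NULL DEFAULT ''
);
"""

def build_sample_db():
    """In-memory database with constructed rows (not taken from the thread)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # op omitted on purpose: this row silently inherits the '==' default.
    db.execute("INSERT INTO radcheck (username, attribute, value) VALUES (?, ?, ?)",
               ("testuser", "Expiration", "06 Sep 2011"))
    db.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("otheruser", "Expiration", ":=", "01 Jan 2012"))
    db.execute("INSERT INTO radcheck (username, attribute, op, value) VALUES (?, ?, ?, ?)",
               ("testuser", "Cleartext-Password", ":=", "constructed-secret"))
    db.commit()
    return db

def find_bad_expiration_ops(db):
    """Return (id, username, op) for Expiration rows whose op is not ':='."""
    cur = db.execute(
        "SELECT id, username, op FROM radcheck "
        "WHERE attribute = 'Expiration' AND op <> ':=' ORDER BY id")
    return cur.fetchall()

def fix_expiration_ops(db):
    """Rewrite those rows to ':=' in one transaction; return rows changed."""
    with db:  # commits on success, rolls back on error
        cur = db.execute(
            "UPDATE radcheck SET op = ':=' "
            "WHERE attribute = 'Expiration' AND op <> ':='")
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", find_bad_expiration_ops(db))
    print("fixed :", fix_expiration_ops(db))
    print("after :", find_bad_expiration_ops(db))
```

Running the audit query before the update shows which accounts were relying on an Expiration row that the server was not enforcing as intended.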
