[Help] Is that possible to change the reject message that appears at the Windows Pop Up

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Mar 21 18:56:53 CET 2013


On 21 Mar 2013, at 13:26, Jouni Malinen <jkmalinen at gmail.com> wrote:

> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
> <a.cudbardb at freeradius.org> wrote:
>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
> 
> This is not compliant with the EAP specification (EAP-Notification
> needs to be sent prior to completion of an EAP authentication method).
> Sending it after EAP-Success or EAP-Failure would look like an attempt
> to initiate another authentication exchange.

Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.

>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
> 
> EAP-Notification is not really supported in general and even the
> specification does not really require displaying anything from this
> message to the user.. There is also no way of authenticating this
> information, so this would not be ideal for authorization failures.

Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.

-Arran


More information about the Freeradius-Users mailing list