[Help] Is that possible to change the reject message that appears at the Windows Pop Up

David Mitton david at mitton.com
Thu Mar 21 20:56:37 CET 2013

Quoting Arran Cudbard-Bell <a.cudbardb at freeradius.org>:

> On 21 Mar 2013, at 13:26, Jouni Malinen <jkmalinen at gmail.com> wrote:
>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
>> <a.cudbardb at freeradius.org> wrote:
>>> The old HP switches used to convert the Reply-Message into an   
>>> EAP-Notification and send it after the EAP-Success or EAP-Failure.
>> This is not compliant with the EAP specification (EAP-Notification
>> needs to be sent prior to completion of an EAP authentication method).
>> Sending it after EAP-Success or EAP-Failure would look like an attempt
>> to initiate another authentication exchange.
> Their 802.1X implementation was pre RFC3579. In newer firmware   
> releases this has been fixed.
>>> It may be possible to send it before the EAP-Success/EAP-Failure   
>>> message for some EAP methods, but chances are not all supplicants   
>>> will like it, and most probably won't display anything.
>> EAP-Notification is not really supported in general and even the
>> specification does not really require displaying anything from this
>> message to the user.. There is also no way of authenticating this
>> information, so this would not be ideal for authorization failures.
> Agreed. But in the absence of a standards solution it might be   
> interesting to experiment and see how supplicants respond to this.

My RSA Windows EAP module sends EAP Notification messages under 4  
different error circumstances.   These are typically retry-able input  
problems. It was the default until the boffins that took over EAP for  
Windows 7 broke their code.   XP and Vista worked fine, they took the  
request and responded with a blank response.  No user visible message  
resulted.  Win7 didn't respond at all, which caused the protocol to  
break.  They patched it when I pointed out the problem.  But I flipped  
off the default, don't know if/when that was released.  There is a  
registry key that controls it.


> -Arran
> -
> List info/subscribe/unsubscribe? See   
> http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list