[Help] Is that possible to change the reject message that appears at the Windows Pop Up
a.cudbardb at freeradius.org
Thu Mar 21 21:46:25 CET 2013
On 21 Mar 2013, at 15:56, David Mitton <david at mitton.com> wrote:
> Quoting Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>> On 21 Mar 2013, at 13:26, Jouni Malinen <jkmalinen at gmail.com> wrote:
>>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
>>> <a.cudbardb at freeradius.org> wrote:
>>>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>> This is not compliant with the EAP specification (EAP-Notification
>>> needs to be sent prior to completion of an EAP authentication method).
>>> Sending it after EAP-Success or EAP-Failure would look like an attempt
>>> to initiate another authentication exchange.
>> Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.
>>>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
>>> EAP-Notification is not really supported in general and even the
>>> specification does not really require displaying anything from this
>>> message to the user.. There is also no way of authenticating this
>>> information, so this would not be ideal for authorization failures.
>> Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.
> My RSA Windows EAP module sends EAP Notification messages under 4 different error circumstances. These are typically retry-able input problems. It was the default until the boffins that took over EAP for Windows 7 broke their code. XP and Vista worked fine, they took the request and responded with a blank response. No user visible message resulted. Win7 didn't respond at all, which caused the protocol to break. They patched it when I pointed out the problem. But I flipped off the default, don't know if/when that was released. There is a registry key that controls it.
Interesting. OSX does a similar thing, but it logs the notification, which can be very helpful if you're on the helpdesk and trying to diagnose issues.
I wonder if Windows also does the silent logging.
More information about the Freeradius-Users