[Help] Is that possible to change the reject message that appears at the Windows Pop Up
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Mar 21 21:46:25 CET 2013
On 21 Mar 2013, at 15:56, David Mitton <david at mitton.com> wrote:
> Quoting Arran Cudbard-Bell <a.cudbardb at freeradius.org>:
>
>>
>> On 21 Mar 2013, at 13:26, Jouni Malinen <jkmalinen at gmail.com> wrote:
>>
>>> On Mon, Mar 18, 2013 at 8:42 PM, Arran Cudbard-Bell
>>> <a.cudbardb at freeradius.org> wrote:
>>>> The old HP switches used to convert the Reply-Message into an EAP-Notification and send it after the EAP-Success or EAP-Failure.
>>>
>>> This is not compliant with the EAP specification (EAP-Notification
>>> needs to be sent prior to completion of an EAP authentication method).
>>> Sending it after EAP-Success or EAP-Failure would look like an attempt
>>> to initiate another authentication exchange.
>>
>> Their 802.1X implementation was pre RFC3579. In newer firmware releases this has been fixed.
>>
>>>> It may be possible to send it before the EAP-Success/EAP-Failure message for some EAP methods, but chances are not all supplicants will like it, and most probably won't display anything.
>>>
>>> EAP-Notification is not really supported in general and even the
>>> specification does not really require displaying anything from this
>>> message to the user. There is also no way of authenticating this
>>> information, so this would not be ideal for authorization failures.
>>
>> Agreed. But in the absence of a standards solution it might be interesting to experiment and see how supplicants respond to this.
>>
>
> My RSA Windows EAP module sends EAP Notification messages under 4 different error circumstances. These are typically retry-able input problems. It was the default until the boffins that took over EAP for Windows 7 broke their code. XP and Vista worked fine, they took the request and responded with a blank response. No user visible message resulted. Win7 didn't respond at all, which caused the protocol to break. They patched it when I pointed out the problem. But I flipped off the default, don't know if/when that was released. There is a registry key that controls it.

Interesting. OSX does a similar thing, but it logs the notification, which can be very helpful if you're on the helpdesk and trying to diagnose issues.
I wonder if Windows also does the silent logging.

-Arran
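
The ordering problem discussed in this thread (an EAP-Notification Request arriving after EAP-Success or EAP-Failure) can be checked mechanically in a capture. The following is an added example, not code from the thread or from FreeRADIUS: the function names and the sample packets are constructed for illustration, and the code and type numbers are those of RFC 3748.

```python
import struct

# EAP codes and the Identity/Notification type numbers (RFC 3748).
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NOTIFICATION = 1, 2

def build(code, ident, eap_type=None, data=b""):
    # Helper used only to construct the sample packets below.
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(packet):
    """Return (code, identifier, type or None) for one raw EAP packet."""
    # struct.error is raised here if the 4-byte header is truncated.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("bad EAP length field")
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type field")
        return code, ident, packet[4]
    return code, ident, None

def late_notifications(packets):
    """Indexes of Notification Requests that arrive after Success/Failure."""
    finished, late = False, []
    for i, raw in enumerate(packets):
        code, _ident, eap_type = parse_eap(raw)
        if code in (SUCCESS, FAILURE):
            finished = True
        elif code == REQUEST and eap_type == TYPE_NOTIFICATION:
            if finished:
                late.append(i)
        elif code == REQUEST:
            finished = False  # any other Request opens a new conversation
    return late

# Constructed samples, not captured traffic.
COMPLIANT = [
    build(REQUEST, 1, TYPE_IDENTITY),
    build(RESPONSE, 1, TYPE_IDENTITY, b"alice"),
    build(REQUEST, 2, TYPE_NOTIFICATION, b"Account disabled"),
    build(RESPONSE, 2, TYPE_NOTIFICATION),
    build(FAILURE, 3),
]
OLD_SWITCH = [
    build(REQUEST, 1, TYPE_IDENTITY),
    build(RESPONSE, 1, TYPE_IDENTITY, b"alice"),
    build(FAILURE, 2),
    build(REQUEST, 3, TYPE_NOTIFICATION, b"Account disabled"),
]
```

`late_notifications(OLD_SWITCH)` flags the fourth packet, while the `COMPLIANT` sequence, where the Notification precedes the Failure, produces no findings.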