Can RADIUS indicate a standardised reason for access rejection?

Michal Moravec michal.moravec at macadmin.cz
Thu Aug 18 08:14:28 UTC 2022


Hi there,

Imagine you use EAP-TTLS + PAP for 802.1X authentication.
You have a client which is able to authenticate.
One day the password changes or expires (server-side).
The client attempts to authenticate using the old password.
The RADIUS server will reply with Access-Reject.

Can the RADIUS server add some standardised message/attribute to the reply indicating the reason for the rejection?
E.g. "reason: password expired", "reason: wrong password", etc.
The key word is "standardised". I know I can provide any reply message, but here I would need to reply with something the client and/or NAS expect and can react to accordingly.

Reason for asking: most of our clients are macOS devices. When a user changes the password server-side, the next EAP-TTLS + PAP authentication attempt fails.
macOS displays a very cryptic message about a connection problem (no prompt to enter the password).
Ideal behaviour would be the client knowing the reason for the authentication failure so it can react accordingly (prompt the user for a new set of credentials).

Best,
Michal Moravec
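
Added illustration, not part of the original post and not FreeRADIUS code: the packet-level mechanics behind the question. RFC 2865 §5.18 permits Reply-Message (attribute 18) in an Access-Reject, and RFC 3579 §3.2 defines the Message-Authenticator (attribute 80) that protects a reply. The block builds an Access-Reject carrying one or more Reply-Message attributes, computes both the Message-Authenticator and the Response Authenticator, and then parses and verifies such a packet, refusing any reply whose authenticators do not check out. The shared secret, identifier, Request Authenticator and message texts are constructed sample values. What the example deliberately does not claim is an answer to the post: whether a NAS relays the Reply-Message text and whether the macOS supplicant acts on it is exactly the open question.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865 / RFC 3579.
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18
ATTR_MESSAGE_AUTHENTICATOR = 80

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = struct.unpack("!BB", data[pos:pos + 2])
        if attr_len < 2 or pos + attr_len > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def build_access_reject(identifier, request_authenticator, secret, reply_messages):
    """Build an Access-Reject answering the Access-Request that had the given
    Identifier and Request Authenticator.  Each string in reply_messages becomes
    one Reply-Message attribute.  The Message-Authenticator (RFC 3579 section 3.2)
    and the Response Authenticator (RFC 2865 section 3) are computed over the result."""
    attrs = b"".join(encode_attr(ATTR_REPLY_MESSAGE, m.encode("utf-8")) for m in reply_messages)
    # Length already counts the 18-octet Message-Authenticator appended below.
    length = HEADER_LEN + len(attrs) + 18
    header = struct.pack("!BBH", ACCESS_REJECT, identifier, length)
    # Message-Authenticator = HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes)
    # with its own value set to sixteen zero octets while hashing.
    zeroed = attrs + encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def parse_access_reject(packet, request_authenticator, secret):
    """Parse a RADIUS response, verify both authenticators against the shared secret
    and the original Request Authenticator, and return the Reply-Message texts."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    header = packet[:4]
    response_authenticator = packet[4:HEADER_LEN]
    attr_bytes = packet[HEADER_LEN:]
    expected = hashlib.md5(header + request_authenticator + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, response_authenticator):
        raise ValueError("Response Authenticator mismatch (wrong secret or forged reply)")
    attrs = decode_attrs(attr_bytes)
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        raise ValueError("expected exactly one 16-octet Message-Authenticator")
    # Rebuild the attribute area with the Message-Authenticator zeroed and recompute the HMAC.
    zeroed = b"".join(
        encode_attr(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs
    )
    mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, macs[0]):
        raise ValueError("Message-Authenticator mismatch")
    return {
        "code": code,
        "identifier": identifier,
        "reply_messages": [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE],
    }


def demo():
    """Round trip with constructed values: a secret, a random Request Authenticator
    as a NAS would generate, and one Reply-Message in the rejection."""
    secret = b"testing123"  # constructed sample secret, not a deployment value
    request_authenticator = os.urandom(16)
    pkt = build_access_reject(42, request_authenticator, secret, ["Password expired"])
    return parse_access_reject(pkt, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())
```

The parser is the half a practitioner reuses when checking a capture: if a reply fails either check it is dropped before any attribute is trusted, which is also why a proxy or NAS with the wrong secret never sees the text.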