Can RADIUS indicate a standardised reason for access rejection?

Michael Schwartzkopff ms at sys4.de
Thu Aug 18 08:42:49 UTC 2022


On 18.08.22 10:14, Michal Moravec wrote:
> Hi there,
>
> Imagine you use EAP-TTLS + PAP for 802.1X authentication.
> You have client which is able to authenticate.
> One day password changes or expires (server-side).
> Client attempts to authenticate using the old password.
> RADIUS server will reply with Access-Reject.
>
> Can RADIUS server add some standardised message/attribute to the message indicating the reason for the rejection?
> E.g. "reason: password expired", e.g. "reason: wrong password", etc.
> The key is the "standardised". I know I can provide any reply message but here I would need to reply with something the client and/or NAS expect and can react to accordingly.
>
> Reason for asking: Most of our clients are macOS devices. When user changes the password server-side, next EAP-TTLS + PAP authentication attempts fails.
> macOS displays very cryptic message about a connection problem (no prompt to enter the password).
> Ideal behaviour would be client knowing the reason for authentication failure so it can react accordingly (prompt user for new set of credentials).
>
> Best,
> Michal Moravec
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RADIUS can set the Reply-Message Attribute. So you could set it to "Your 
password expired. Please use the new one". But the question is, if the 
Mac client will display this Reply-Message to the user. Test it.


Kind regards,

-- 

sys4 AG
  
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
  
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
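As an added illustration (not part of the thread, and not FreeRADIUS code), the following Python builds the Access-Reject that the reply above describes, carrying Reply-Message (attribute type 18, RFC 2865) plus a Message-Authenticator (type 80, RFC 2869), and then parses it the way a NAS or test harness would, checking the Response Authenticator and the HMAC before trusting the text. The shared secret and the 16-byte Request Authenticator used in the test are constructed values; on a real network they come from the NAS configuration and from the Access-Request being answered.

```python
"""Build and verify a RADIUS Access-Reject that carries Reply-Message.

Added example, not from the mailing-list thread or FreeRADIUS. Wire format
per RFC 2865 section 3 (header, Response Authenticator) and RFC 2869
section 5.14 (Message-Authenticator). Secret and authenticator values in
the tests are constructed.
"""
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18           # RFC 2865 5.18: text, may appear more than once
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 5.14: 16-octet HMAC-MD5
HEADER_LEN = 20                   # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_ATTR_VALUE = 253              # Length field is one octet and includes its own 2-octet header


def encode_attr(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Yield (type, value, offset) triples; malformed lengths raise instead of being skipped."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack_from("!BB", data, pos)
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        yield attr_type, data[pos + 2:pos + length], pos
        pos += length


def build_access_reject(identifier, request_authenticator, secret, reply_message):
    """Return the Access-Reject bytes answering a request with the given Request Authenticator."""
    text = reply_message.encode("utf-8")
    if not text:
        raise ValueError("Reply-Message must not be empty")
    # Long text is split into several Reply-Message attributes, as RFC 2865 allows.
    attrs = b"".join(
        encode_attr(ATTR_REPLY_MESSAGE, text[i:i + MAX_ATTR_VALUE])
        for i in range(0, len(text), MAX_ATTR_VALUE)
    )
    # Message-Authenticator goes last; it is zero while the HMAC is computed.
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REJECT, identifier, HEADER_LEN + len(attrs))
    # RFC 2869 5.14 for responses: HMAC-MD5(secret, Code+ID+Length+RequestAuth+Attributes).
    mac = hmac.new(secret, header + request_authenticator + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_reply(packet, request_authenticator, secret):
    """Verify both authenticators, then return code, identifier and the joined Reply-Message text."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack_from("!BBH", packet, 0)
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    messages, ma_offset = [], None
    for attr_type, value, offset in decode_attrs(attrs):
        if attr_type == ATTR_REPLY_MESSAGE:
            messages.append(value)
        elif attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                raise ValueError("Message-Authenticator must be 16 octets")
            ma_offset = offset + 2
    if ma_offset is not None:
        zeroed = attrs[:ma_offset] + bytes(16) + attrs[ma_offset + 16:]
        mac = hmac.new(secret, header + request_authenticator + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, attrs[ma_offset:ma_offset + 16]):
            raise ValueError("Message-Authenticator mismatch")
    return {
        "code": code,
        "identifier": identifier,
        "reply_message": b"".join(messages).decode("utf-8"),
        "message_authenticator_present": ma_offset is not None,
    }


if __name__ == "__main__":
    req_auth = bytes(range(16))          # constructed; normally taken from the Access-Request
    secret = b"testing123"               # constructed shared secret
    pkt = build_access_reject(7, req_auth, secret, "Your password expired. Please use the new one")
    print(parse_reply(pkt, req_auth, secret))
```

The verification step matters for the defensive reading of the thread: a Reply-Message is only as trustworthy as the authenticators that protect the packet, and a NAS that skips those checks would happily show a user text from a spoofed reply. Whether the NAS forwards the text and whether the macOS supplicant shows it is a separate, client-dependent question, which is exactly what the reply above says to test.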
