Can RADIUS indicate a standardised reason for access rejection?

Alan DeKok aland at deployingradius.com
Thu Aug 18 12:52:03 UTC 2022


On Aug 18, 2022, at 4:14 AM, Michal Moravec <michal.moravec at macadmin.cz> wrote:
> Imagine you use EAP-TTLS + PAP for 802.1X authentication.
> You have a client which is able to authenticate.
> One day the password changes or expires (server-side).
> The client attempts to authenticate using the old password.
> The RADIUS server will reply with Access-Reject.
> 
> Can the RADIUS server add some standardised message/attribute to the message indicating the reason for the rejection?

  In theory, yes.  In practice, no.

  RADIUS provides for Reply-Message, which is sent to the NAS, and then should be sent over a PPP link to the end user.  This doesn't work with EAP and Access Points.

  EAP provides for EAP Notification packets, which are sent from the Access Point to the supplicant (end user system).  Unfortunately, most supplicants treat this packet as a failure.  Worse, they never show anything to the end user.

> E.g. "reason: password expired", e.g. "reason: wrong password", etc.
> The key is the "standardised". I know I can provide any reply message, but here I would need to reply with something the client and/or NAS expect and can react to accordingly.

  The client has to show the message to the user.  And the clients don't do this.

> Reason for asking: Most of our clients are macOS devices. When a user changes the password server-side, the next EAP-TTLS + PAP authentication attempts fail.
> macOS displays a very cryptic message about a connection problem (no prompt to enter the password).
> Ideal behaviour would be the client knowing the reason for the authentication failure so it can react accordingly (prompt the user for a new set of credentials).

  TLS has various alerts (certificate expired, etc).  So far as I can tell, the clients don't show those to the user either.

  It's like they all have a policy against showing any useful information to the user.

  Alan DeKok.
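As an added example (not part of this thread or of FreeRADIUS itself), the mechanism Alan refers to, in Python: a RADIUS Access-Reject carrying a Reply-Message attribute (type 18) is built per RFC 2865, and the receiving side verifies the Response Authenticator before trusting the message. The shared secret and Request Authenticator are constructed sample values; the example shows that the reason text does reach the NAS, while whether it is ever shown to the supplicant is the separate problem discussed above.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # RFC 2865 attribute type for Reply-Message
SECRET = b"testing123"       # constructed sample shared secret
REQ_AUTH = bytes(range(16))  # constructed sample Request Authenticator

def encode_attr(attr_type, value):
    # Attribute wire format: Type (1 byte), Length (1 byte, incl. header), Value.
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_reject(ident, request_auth, secret, reply_message):
    # The NAS receives this attribute; over EAP/802.1X the supplicant usually never sees it.
    attrs = encode_attr(REPLY_MESSAGE, reply_message.encode("utf-8"))
    auth = response_authenticator(ACCESS_REJECT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs)) + auth + attrs

def parse_attrs(payload):
    # Walk the TLV list, rejecting lengths that would run past the packet.
    attrs = []
    while payload:
        if len(payload) < 2 or payload[1] < 2 or payload[1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[0], payload[2:payload[1]]))
        payload = payload[payload[1]:]
    return attrs

def parse_reply(packet, request_auth, secret):
    # Verify the Response Authenticator before trusting any attribute in the reply.
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    auth, attrs = packet[4:20], packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(auth, expected):
        raise ValueError("Response Authenticator mismatch")
    messages = [v.decode("utf-8") for t, v in parse_attrs(attrs) if t == REPLY_MESSAGE]
    return code, messages
```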