Can RADIUS indicate a standardised reason for access rejection?

Brian Turnbow b.turnbow at twt.it
Mon Aug 22 10:10:27 UTC 2022


Hi,
 
> > Reason for asking: Most of our clients are macOS devices. When user changes the password server-side, next EAP-TTLS + PAP authentication attempt fails.
> > macOS displays a very cryptic message about a connection problem (no prompt to enter the password).
> > Ideal behaviour would be client knowing the reason for authentication failure so it can react accordingly (prompt user for new set of credentials).

In a similar situation we took a different approach.
On authentication failure we override the response and send them into a dedicated VRF with a walled garden web page that says something like:
"Your session was not authenticated properly. Please check your login credentials and try again."
Works well for most users and cut down on tickets.

Brian


