I think this issue has come up on this list before. Someone posted this solution. I am pasting it down here. You can search the list for more information about it too.
Here we go

Alejandro Galue wrote:
> To reject users:
>
> Reply-Message := 'You can not login now'
> And the exit code is 1
>
> PROBLEM:
>
> BUT, Reply-Message on Access-Reject is not modified.
> The Reject Message does not contain any attributes.

According to me it's a bug and I have submitted patches several times.
I think it's not being accepted because I don't know how to send text mail with real tabs :(

Here's my patch that solves this for 1.0.0:

--- src/main/auth.c.orig 2004-08-10 23:13:25.000000000 +0000 +++ src/main/auth.c 2004-08-10 23:14:18.000000000 +0000 
@@ -886,18 +886,15 @@ * fork/exec errors, or >0 if the exec'ed program * had a non-zero exit status. */ - if (umsg[0] == '\0') { - user_msg = "\r\nAccess denied (external check failed)."; - } else { - user_msg = &umsg[0]; + if (r < 0) { + user_msg = "Access denied (external check failed)"; + tmp = pairmake("Reply-Message", user_msg, T_OP_SET); + pairadd(&request->reply->vps, tmp); } request->reply->code = PW_AUTHENTICATION_REJECT; - tmp = pairmake("Reply-Message", user_msg, T_OP_SET); - - pairadd(&request->reply->vps, tmp); rad_authlog("Login incorrect (external check failed)", - request, 0); + request, 1); return RLM_MODULE_REJECT; }

--
Regards,
Thor Spruyt
E: [EMAIL PROTECTED]
W: www.thor-spruyt.com
M: +32 (0)475 67 22 65

Thanks and I hope that helps.

--- Kostas Zorbadelos <[EMAIL PROTECTED]> wrote:

> In a previous thread I described my scenario:
>
> > My scenario is simple. When I receive an authentication request for a
> > user, I want to run an external program and if everything goes OK,
> > return access-accept with some attributes, otherwise I want to return
> > access-reject with other attributes.
>
> This scenario is accomplished easily using the Exec-Program-Wait
> attribute in users file.
>
> When I try to accomplish the same thing with rlm_exec, as Doug Hardie
> and Alan suggested, I use configurable failover:
>
> radiusd.conf:
>
> exec callerid {
>         wait=yes
>         program=/space/radius/callerid.sh
>         input_pairs = request
>         output_pairs = reply
>         packet_type = Access-Request
> }
>
> in users I have
>
> CLIDACTIVATE Auth-Type := Local, User-Password=="AAA", Autz-Type := CLID
>
> and in the authorize section of radiusd.conf
>
> Autz-Type CLID{
>         callerid {
>                 fail=reject
>         }
> }
>
> In this case when the external script returns a non zero exit code or
> fails I get an Access-Reject. However I cannot put any attributes
> inside this reject packet.
> If my script outputs pairs and exits with a non zero status, the pairs
> are not kept in the reject packet sent back to the client. So my
> questions are:
>
> - is it possible to have attributes in reject packets in rlm_exec
>   setups (something I can do with Exec-Program-Wait)?
> - is Exec-Program-Wait deprecated and probably removed in future
>   versions? If so, how can I accomplish my scenario?
>
> I need to make a decision for an imminent project.
>
> Thanks in advance
>
> Kostas
>
> --
> Kostas Zorbadelos
> Systems Developer, Otenet SA
> mailto: [EMAIL PROTECTED]
>
> Out there in the darkness, out there in the night
> out there in the starlight, one soul burns brighter
> than a thousand suns.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
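
Review bot: In the new "if (r < 0)" branch of the auth.c hunk, umsg is no longer read at all, so for r > 0 (the comment's "non-zero exit status" case) no Reply-Message is added here and any text the program returned in umsg is dropped. Please confirm that the program's output pairs already reach request->reply->vps by another path before this point, or keep the non-empty umsg case and add that text as Reply-Message. Separately, the rad_authlog() call changes its last argument from 0 to 1 with no explanation in the message; that looks unrelated to the Reply-Message fix and should be justified or split into its own patch. The default text also loses its leading "\r\n" and trailing period, which deserves a line in the description. Since the mail says the tabs did not survive, resend the patch as an attachment so the hunk applies cleanly.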