duckeo wrote:

It matches a DEFAULT line in users, but doesn't send the reply? It

You're misunderstanding how FreeRadius works when processing the request I think. Broadly, it does this (the behaviour can be changed - see doc/configureable_failover for details):

 1a. For each entry in "authorize":
     execute module
     if reject: send reject and stop
     else go to next module
 1b. If Autz-Type has been set, repeat 1a for the matching Autz-Type subsection of authorize
 2.  Execute exactly one section from "authenticate" to actually process the request

I'm not entirely certain, but I think you're expecting that your:

DEFAULT Auth-Type := Reject
        Reply-Message = "some text"

...will be used if/when the request is rejected, which is not so. The entries in the users file are processed in order until one matches. If that entry matched, it would immediately reject the request.

There is not AFAIK an easy way to set the Reply-Message in a reject generated by the ldap module. It can almost certainly be done - see doc/configureable_failover - but why bother.

Also, you're setting Auth-Type. With the exception of setting it to Reject and some specialised cases, you do not usually want to do that. See copious comments about such in the list archives. In your case, your users file need only read:

# Matched first: users in the group get the VPN reply items.
# Reply items are comma-separated; the last one carries no trailing comma.
DEFAULT Ldap-Group == "RadiusWirelessVPN"
       Service-Type = Framed,
       Framed-Protocol = PPP,
       Framed-IP-Address = 255.255.255.254,
       Framed-IP-Netmask = 255.255.255.255

# Only reached if nothing above matched.
DEFAULT Auth-Type := Reject
       Reply-Message = "You are not in the VPN group"


continues to try to authenticate the user, and on the second time
fails to bind (due to incorrect credentials) and doesn't match the
line in Users:

Yes, because FreeRadius is long done with matching the users file by that point.

rlm_ldap: Bind failed with invalid credentials
rlm_ldap: 80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece
 modcall[authenticate]: module "ldap" returns reject for request 2
modcall: group Auth-Type returns reject for request 2
auth: Failed to validate the user.

And instead sends back via radius (in an Access-Reject packet):
Reply-Message=80090308: LdapErr: DSID-0C090334, comment:
AcceptSecurityContext error, data 52e, vece

I agree returning this isn't terribly helpful (then again, it isn't a terribly helpful error message from AD, but I've come to expect that). If you really must change the text of this reply message, you could try executing an attr_rewrite module in the post-auth section, REJECT sub-section, like so (untested):

modules {
  attr_rewrite aderrmsg {
    attribute = Reply-Message
    searchin = reply
    searchfor = "^.*$"
    replacewith = "password incorrect"
  }
}

authorize {
  ..blah..
}

authenticate {
  ..blah..
}

post-auth {
  Post-Auth-Type REJECT {
    aderrmsg
  }
}
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
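To make the processing order described in the reply concrete, here is an added example (not FreeRADIUS code, nor from anyone on the list): a small parser for the two DEFAULT entries above plus a model of first-match authorize followed by a single authenticate step, showing that the users-file Reply-Message is only sent when the Reject entry matches, while a failed LDAP bind returns the module's own message. It assumes Ldap-Group can be treated as a plain request attribute (in reality rlm_ldap evaluates it) and uses a constructed bind callback.

```python
import re

# Constructed users file: the two DEFAULT entries from the post (not FreeRADIUS's own code).
USERS_FILE = """\
DEFAULT Ldap-Group == "RadiusWirelessVPN"
       Service-Type = Framed,
       Framed-Protocol = PPP,
       Framed-IP-Address = 255.255.255.254,
       Framed-IP-Netmask = 255.255.255.255

DEFAULT Auth-Type := Reject
       Reply-Message = "You are not in the VPN group"
"""

# attribute, operator (:=, == or =), quoted or bare value, optional trailing comma
PAIR_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')

def parse_users(text):
    """Return [(name, check_items, reply_items)] in file order."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        first, *rest = block.splitlines()
        name, _, checks = first.partition(" ")
        pairs = lambda s: [(a, op, v.strip('"')) for a, op, v in PAIR_RE.findall(s)]
        entries.append((name, pairs(checks), pairs(" ".join(rest))))
    return entries

def authorize(entries, request, username):
    """First matching entry wins and processing stops (no Fall-Through)."""
    for name, check_items, reply_items in entries:
        if name not in ("DEFAULT", username):
            continue
        # Assumption: Ldap-Group is modelled as a request attribute (rlm_ldap really evaluates it)
        if all(request.get(a) == v for a, op, v in check_items if op == "=="):
            control = {a: v for a, op, v in check_items if op == ":="}
            return control, {a: v for a, _, v in reply_items}
    return {}, {}

def process(entries, request, username, ldap_bind):
    """Authorize, then authenticate; a bind failure never revisits the users file."""
    control, reply = authorize(entries, request, username)
    if control.get("Auth-Type") == "Reject":
        return "Access-Reject", reply                        # users-file Reply-Message
    ok, msg = ldap_bind(username)                            # constructed callback
    if not ok:
        return "Access-Reject", {"Reply-Message": msg}       # rlm_ldap's text wins here
    return "Access-Accept", reply

ENTRIES = parse_users(USERS_FILE)
```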