RE: Access-Reject has no Reply-Message (2nd try)
> From: 野村 健
> Sent: Monday, 20 October 2003 6:35 PM
>
> I want my freeradius server to send an Access-Reject packet with Reply-Message
> in it, so that the NAS can alert the user when authentication fails. But it's
> not working so far.
> When authentication succeeds, my freeradius server sends an Access-Accept
> packet with Reply-Message in it. But when authentication fails, it sends an
> Access-Reject packet with no Reply-Message in it.
>
> So my question is why my freeradius doesn't include Reply-Message in the
> Access-Reject packet, and how can I fix this problem?
>
> ---users
> [EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
>	Service-Type = Framed-User,
>	Framed-Protocol = PPP,
>	Framed-IP-address = 192.168.200.1,
>	Framed-IP-Netmask = 255.255.255.0,
>	Session-Timeout = 30,
>	Reply-Message="111",
>	Reply-Message="222",
>	Reply-Message="333",
>

As you've observed, this will only add a Reply-Message if the authentication
succeeds. In the same way as it will only give an IP address or Session
Timeout if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
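Added example, not from the list thread and not FreeRADIUS code: the RFC 2865 wire detail behind the question. Reply-Message is attribute type 18 and is permitted in an Access-Reject (code 3) exactly as in an Access-Accept; the Python below builds such a reject and parses it the way a NAS should, validating the Response Authenticator with the shared secret before trusting any text in it. The shared secret and Request Authenticator are constructed placeholder values.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3   # RFC 2865 reply code
REPLY_MESSAGE = 18  # RFC 2865 attribute type

def encode_attrs(attrs):
    """Encode (type, value-bytes) pairs as RADIUS AVPs: Type(1) Length(1) Value."""
    out = b""
    for attr_type, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out

def build_reply(code, ident, request_auth, secret, attrs):
    """Build a RADIUS reply; the Response Authenticator binds it to the request."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_reply(packet, request_auth, secret):
    """Validate a reply as a NAS must, then return (code, ident, [(type, value)])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    # Not built with our shared secret for our request: show nothing from it.
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return code, ident, attrs

def reply_messages(attrs):  # several may be present, as in the users entry above
    return [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]

# Constructed demo values; id 77 mirrors the Access-Request id in the posted log.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_REQUEST_AUTH = bytes(range(16))
DEMO_REJECT = build_reply(ACCESS_REJECT, 77, DEMO_REQUEST_AUTH, DEMO_SECRET,
                          [(REPLY_MESSAGE, b"111"), (REPLY_MESSAGE, b"222")])
```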
Access-Reject has no Reply-Message (2nd try)
Sorry, this may annoy some of you.
Some people pointed out that I didn't put enough information in my last
mail, so I am sending this mail again with the information required in the FAQ.

I want my freeradius server to send an Access-Reject packet with Reply-Message
in it, so that the NAS can alert the user when authentication fails. But it's
not working so far.
When authentication succeeds, my freeradius server sends an Access-Accept
packet with Reply-Message in it. But when authentication fails, it sends an
Access-Reject packet with no Reply-Message in it.

So my question is why my freeradius doesn't include Reply-Message in the
Access-Reject packet, and how can I fix this problem?

Attached logs are:
1) relevant portion of users
2) debugging output of 'radiusd -X'
   (I have sent 2 access-request messages after radiusd boots up, one with
   correct password and one with wrong password.)
3) debugging output of 'radtest'
4) version of Linux and radiusd


---users
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-address = 192.168.200.1,
	Framed-IP-Netmask = 255.255.255.0,
	Session-Timeout = 30,
	Reply-Message="111",
	Reply-Message="222",
	Reply-Message="333",


---radius -X
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 0
 main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on 1647/udp.
Ready to process requests.
 /* authentication request with correct password is received */
rad_recv: Access-Request packet from host 10.151.0.2:21645, id=77, length=85
	Framed-Protocol = PPP
	User-Name = "[EMAIL PROTECTED]"
Re: Access-Reject has no Reply-Message
野村 健 <[EMAIL PROTECTED]> wrote:
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contains
> Reply-Message in Access-Reject packet if Reply-Message is configured.

Have you configured a Reply-Message?

> So my question is:
> Why doesn't my freeradius put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
>
> I have attached some logs below.

You attached 'radiusd.conf', not the output of 'radiusd -X', as requested in
the FAQ and READMEs.

Alan DeKok.
Re: Access-Reject has no Reply-Message
- Original Message -
From: "野村 健" <[EMAIL PROTECTED]>
> I want my freeradius to send Access-Reject packet with Reply-Message in
> it,
>
> so that NAS can alert user in some fancy way when authentication fails.
> But, it's not working so far.
> When authentication succeeds, my freeradius sends Access-Accept packet
> with Reply-Message in it, but this is not the way I want it to be.
>
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contains
> Reply-Message in Access-Reject packet if Reply-Message is configured.
>
> So my question is:
> Why doesn't my freeradius put Reply-Message into Access-Reject packet,
> and how can I fix this problem?
>
> I have attached some logs below.
> I really need help.
> Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:
--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
} else {
 user_msg = &umsg[0];
}

request->reply->code = PW_AUTHENTICATION_REJECT;
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
- pairadd(&request->reply->vps, tmp);
+ /* Only add reply-message when one is available */
+ if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(&request->reply->vps, tmp);
+ }
rad_authlog("Login incorrect (external check failed)",
 request, 0);



Thor.
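Review bot: this hunk only alters the branch taken when an external program rejected the user (the `umsg` / "non-zero exit status" path in src/main/auth.c), so it does not address the case in this thread, where the reject comes from a failed `User-Password == "secret"` check under `Auth-Type := Local` in the users file and this code is never reached. Within the hunk, the `-user_msg = "\r\nAccess denied (external check failed)."` / `+user_msg = NULL;` change silently removes the only text the NAS received in that situation for every site, not just yours; a configurable default (keep the existing message unless an administrator turns it off) would be a smaller behaviour change and easier to get accepted. The `rad_authlog("Login incorrect (external check failed)", ...)` call still runs, so server-side logging is unaffected, which is worth stating in the patch description.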
Access-Reject has no Reply-Message
I want my freeradius to send Access-Reject packet with Reply-Message in it,
so that the NAS can alert the user in some fancy way when authentication fails.
But it's not working so far.
When authentication succeeds, my freeradius sends an Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to RFC, Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contains
Reply-Message in Access-Reject packet if Reply-Message is configured.

So my question is:
Why doesn't my freeradius put Reply-Message into Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.


Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr 4 2002 at 04:33:11


[users]
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-address = 192.168.200.1,
	Framed-IP-Netmask = 255.255.255.0,
	Session-Timeout = 30,
	Reply-Message="111",


[radius.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group)
# when the value of (unsigned)group is above 6;
# don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be able to read the shadow password file. If you can
# authenticate users while in debug mode, but not in normal us