RE: Access-Reject has no Reply-Message (2nd try)

2003-10-20 Thread Paul Hampson
> From: 野村 建
> Sent: Monday, 20 October 2003 6:35 PM

> I want my freeradius server to send Access-Reject packet with Reply-Message
> in it, so that NAS can alert user when authentication fails.  But, it's not
> working so far.
> When authentication succeeds, my freeradius server sends Access-Accept packet
> with Reply-Message in it.  But when authentication fails, it sends Access
> Reject packet with no Reply-Message in it..

> So my question is why my freeradius doesn't include Reply-Message into
> Access-Reject packet, and how can I fix this problem?

> ---users
> [EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
> Service-Type = Framed-User,
> Framed-Protocol = PPP,
> Framed-IP-address = 192.168.200.1,
> Framed-IP-Netmask = 255.255.255.0,
> Session-Timeout = 30,
>         Reply-Message="111",
> Reply-Message="222",
>     Reply-Message="333",

As you've observed, this will only add a Reply-Message if the authentication
succeeds. In the same way as it will only give an IP address or Session
Timeout if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Access-Reject has no Reply-Message (2nd try)

2003-10-20 Thread 野村 建
Sorry, this may annoy some of you.
Some people pointed out that I didn't put enough information in my last
mail, so I am sending this mail again with information required in FAQ.

I want my freeradius server to send Access-Reject packet with Reply-Message
in it, so that NAS can alert user when authentication fails.  But, it's not
working so far.
When authentication succeeds, my freeradius server sends Access-Accept packet
with Reply-Message in it.  But when authentication fails, it sends Access
Reject packet with no Reply-Message in it..

So my question is why my freeradius doesn't include Reply-Message into
Access-Reject packet, and how can I fix this problem?

Attached logs are:
1)relevant portion of users
2)debugging output of 'radiusd -X'
   (I have sent 2 access-request messages after radiusd boots up, one with
   correct password and one with wrong password.)
3)debugging output of 'radtest'
4)version of Linux and radiusd


---users
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-address = 192.168.200.1,
Framed-IP-Netmask = 255.255.255.0,
Session-Timeout = 30,
Reply-Message="1111111",
Reply-Message="2222222",
Reply-Message="333",

radius -X-
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 0
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp, w

Re: Access-Reject has no Reply-Message

2003-10-17 Thread Alan DeKok
野村 建 <[EMAIL PROTECTED]> wrote:
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contain
> Reply-Message in Access-Reject packet if Reply-Message is configured.

  Have you configured a Reply-Message?

> So my question is:
>  Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
> 
> I have attached some logs below.

  You attached 'radiusd.conf', not the output of 'radiusd -X', as
requested in the FAQ and README's.

  Alan DeKok.



Re: Access-Reject has no Reply-Message

2003-10-17 Thread Thor Spruyt
- Original Message - 
From: "野村 建" <[EMAIL PROTECTED]>
> I want my freeradius to send Access-Reject packet with Reply-Message in it,
>
> so that NAS can alert user in some fancy way when authentication fails.
> But, it's not working so far.
> When authentication succeeds, my freeradius sends Access-Accept packet
> with Reply-Message in it, but this is not the way I want it to be.
>
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contain
> Reply-Message in Access-Reject packet if Reply-Message is configured.
>
> So my question is:
>  Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
>
> I have attached some logs below.
> I really need help.
> Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:
(B--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
(B+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
(B@@ -805,15 +805,18 @@
(B * had a non-zero exit status.
(B */
(Bif (umsg[0] == '\0') {
(B-user_msg = "\r\nAccess denied (external check failed).";
(B+/* Don't tell NAS that auth failed by external check */
(B+user_msg = NULL;
(B} else {
(B user_msg = &umsg[0];
(B}
(B
(Brequest->reply->code = PW_AUTHENTICATION_REJECT;
(B-   tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
(B-
(B-   pairadd(&request->reply->vps, tmp);
(B+   /* Only add reply-message when one is available */
(B+   if (user_msg != NULL) {
(B+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
(B+pairadd(&request->reply->vps, tmp);
(B+   }
(Brad_authlog("Login incorrect (external check failed)",
(B  request, 0);
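Review bot: the new `user_msg = NULL` branch drops the default text outright, and nothing in the hunk checks whether `request->reply->vps` already holds a Reply-Message before the `pairmake`/`pairadd` pair runs. A reject where the external program printed nothing now reaches the NAS with no explanation, while the `else` branch still appends `umsg` regardless of what is already in the reply. Consider testing the reply list for an existing Reply-Message first and, only when none is present, adding a neutral default that does not mention the external check.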

Thor.

Access-Reject has no Reply-Message

2003-10-17 Thread 野村 建
I want my freeradius to send Access-Reject packet with Reply-Message in it,

so that NAS can alert user in some fancy way when authentication fails.
But, it's not working so far.
When authentication succeeds, my freeradius sends Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to RFC, Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contain
Reply-Message in Access-Reject packet if Reply-Message is configured.

So my question is:
 Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.


Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on Apr  4 2002 at 04:33:11


[users]
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-address = 192.168.200.1,
Framed-IP-Netmask = 255.255.255.0,
Session-Timeout = 30,
        Reply-Message="111",

[radius.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
##  http://www.freeradius.org/
##  $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

#   The location of other config files and
#   logfiles are declared in this file
#
#   Also general configuration for modules can be done
#   in this file, it is exported through the API to
#   modules that ask for it.
#
#   The configuration variables defined here are of the form ${foo}
#   They are local to this file, and do not change from request to
#   request.
#
#   The per-request variables are of the form %{Attribute-Name}, and
#   are taken from the values of the attribute in the incoming
#   request.  See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
#   This should be automatically set at configuration time.
#
#   If the server builds and installs, but fails at execution time
#   with an 'undefined symbol' error, then you can use the libdir
#   directive to work around the problem.
#
#   The cause is usually that a library has been installed on your
#   system in a place where the dynamic linker CANNOT find it.  When
#   executing as root (or another user), your personal environment MAY
#   be set up to allow the dynamic linker to find the library.  When
#   executing as a daemon, FreeRADIUS MAY NOT have the same
#   personalized configuration.
#
#   To work around the problem, find out which library contains that symbol,
#   and add the directory containing that library to the end of 'libdir',
#   with a colon separating the directory names.  NO spaces are allowed.
#
#   e.g. libdir = /usr/local/lib:/opt/package/lib
#
#   If that does not work, then you can re-configure and re-build the
#   server to NOT use shared libraries, via:
#
#   ./configure --disable-shared
#   make
#   make install
#
libdir = /usr/lib

#  pidfile: Where to place the PID of the RADIUS server.
#
#  The server may be signalled while it's running by using this
#  file.
#
#  This file is written when ONLY running in daemon mode.
#
#  e.g.:  kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
#   We STRONGLY recommend that you run the server with as few permissions
#   as possible.  That is, if you're not using shadow passwords, the
#   user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
#  NOTE that some kernels refuse to setgid(group)
#  when the value of (unsigned)group is above 6;
#  don't use group nobody on these systems!
#
#  On systems with shadow passwords, you might have to set 'group = shadow'
#  for the server to be

Re: Reply-Message from external authorization doesn't work

2003-09-02 Thread Thor Spruyt
- Original Message - 
From: "Paul Hampson" <[EMAIL PROTECTED]>
> > From: Thor Spruyt
> > Sent: Monday, 1 September 2003 11:29 PM
>
> > - Original Message - 
> > From: <[EMAIL PROTECTED]>
> > > Hi.
> > > I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> > > I'm using external program for authorizing users. When authorization is
> > > not allowed, I'd like to inform my user about reason of failure so I'm
> > > returning Reply-Message:="Some reason" in output from my program.
> > > But, Free Radius always returns "external check failed".
> >
> > The auth.c code always adds a reply-message attribute to the Auth-Reject
> > when the external program returns something else than 0.
> > I have patched the source code so it doesn't do this anymore.
>
> Why? I preferred the solution where it added the message, unless
> another Reply-Message had already been set. Is there some reason
> you don't want the Reply-Message set at all in this circumstance?

I noticed that even though my program was giving a Reply-Message, auth.c was
still adding its own Reply-Message. In the Auth-Reject packet, there were
two Reply-Message attributes, 1 from the External script and 1 added by
auth.c and my NAS was only interpreting the latter.
So, since my program always returns a Reply-Message and I'm not that good in
C programming, the best solution for me was to comment out the code that
added the unneeded Reply-Message.

> I guess I can see that you may not want people to know your
> RADIUS server's on the blink...

Indeed. Or even knowing that there's an external program executed.

> Given the discussion about external programs returning 0 for
> ACCEPT, and anything else being reject (with error message)...

I don't think returning non-zero is always an error, since the script might
decide to deny access.

> Would it be better to only add the message if we get a -1
> back from the exec call, and let the script take care of it
> if we get a >0 and hence reject the call?
>
> If the script fails (as opposed to rejects the request), will
> it return anything other than -1?

Maybe the best thing to do is make it configurable in radiusd.conf, sort of
a default Reply-Message when the external program didn't supply one.
Also, I would make auth.c aware of the difference between an error and a
Reject by the external program. I don't know enough about exit codes to
decide which exit code should mean a Reject and which should indicate an
error.

> Alternatively, convert to rlm_exec. Cases where it can't
> match Exec-Program{,-Wait} are probably interesting to the
> developers, since rlm_exec is (apparently) intended to replace
> Exec-Program{,-Wait}.

I wouldn't replace Exec-Program{,-Wait} with rlm_exec, since
Exec-Program{,-Wait} has certain advantages over rlm_exec, but I'm certainly
looking at the option.

This whole thing is just a minor issue for me, but I think that *not* having
to patch the source code is better :)

Regards,

Thor.






RE: Reply-Message from external authorization doesn't work

2003-09-02 Thread Paul Hampson
> From: Thor Spruyt
> Sent: Monday, 1 September 2003 11:29 PM

> - Original Message - 
> From: <[EMAIL PROTECTED]>
> > Hi.
> > I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> > I'm using external program for authorizing users. When authorization is
> > not allowed, I'd like to inform my user about reason of failure so I'm
> > returning Reply-Message:="Some reason" in output from my program.
> > But, Free Radius always returns "external check failed".
> 
> The auth.c code always adds a reply-message attribute to the Auth-Reject
> when the external program returns something else than 0.
> I have patched the source code so it doesn't do this anymore.

Why? I preferred the solution where it added the message, unless
another Reply-Message had already been set. Is there some reason
you don't want the Reply-Message set at all in this circumstance?

I guess I can see that you may not want people to know your
RADIUS server's on the blink...

Given the discussion about external programs returning 0 for
ACCEPT, and anything else being reject (with error message)...

Would it be better to only add the message if we get a -1
back from the exec call, and let the script take care of it
if we get a >0 and hence reject the call?

If the script fails (as opposed to rejects the request), will
it return anything other than -1?

Alternatively, convert to rlm_exec. Cases where it can't
match Exec-Program{,-Wait} are probably interesting to the
developers, since rlm_exec is (apparently) intended to replace
Exec-Program{,-Wait}.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul "TBBle" Hampson
=




Re: Reply-Message from external authorization doesn't work

2003-09-01 Thread Thor Spruyt
- Original Message - 
From: <[EMAIL PROTECTED]>
> Hi.
> I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> I'm using external program for authorizing users. When authorization is
> not allowed, I'd like to inform my user about reason of failure so I'm
> returning Reply-Message:="Some reason" in output from my program.
> But, Free Radius always returns "external check failed".

The auth.c code always adds a reply-message attribute to the Auth-Reject
when the external program returns something else than 0.
I have patched the source code so it doesn't do this anymore.

Here's the patch:
--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
} else {
 user_msg = &umsg[0];
}

request->reply->code = PW_AUTHENTICATION_REJECT;
-   tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
-   pairadd(&request->reply->vps, tmp);
+   /* Only add reply-message when one is available */
+   if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(&request->reply->vps, tmp);
+   }
rad_authlog("Login incorrect (external check failed)",
  request, 0);
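Review bot: in the `else` branch, `user_msg = &umsg[0]` still forwards whatever the external program left in `umsg` to the NAS verbatim, which sits oddly with the stated aim in the new comment ("Don't tell NAS that auth failed by external check"); consider forwarding only text the script deliberately emitted as a Reply-Message and keeping anything else in the server log via `rad_authlog`. Separately, inside the new `if (user_msg != NULL)` block the result of `pairmake("Reply-Message", user_msg, T_OP_SET)` is handed to `pairadd` without checking `tmp` for NULL.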

You also might want the following patch, which gets rid of the 'waiting for
semaphore' warning:
--- src/main/threads.c.orig 2003-08-29 13:53:41.0 +0200
+++ src/main/threads.c 2003-08-29 13:54:22.0 +0200
@@ -185,7 +185,12 @@
*/
   DEBUG2("Thread %d waiting to be assigned a request",
  self->thread_num);
+ re_wait:
   if (sem_wait(&self->semaphore) != 0) {
+   /* Go back to waiting if ok */
+   if (errno == EINTR) {
+goto re_wait;
+   }
radlog(L_ERR, "Thread %d failed waiting for semaphore: %s: Exiting\n",
   self->thread_num, strerror(errno));
break;
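Review bot: the `goto re_wait` taken on `errno == EINTR` retries `sem_wait` without looking at why the wait was interrupted, and nothing in the hunk tests a stop or shutdown condition before jumping back, so a thread that was signalled in order to exit would simply go back to sleep. Check such a condition before the jump, and consider writing the retry as a `do { ... } while` loop around `sem_wait` rather than a label, which keeps the control flow local and makes the single retry condition obvious.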


Regards,
Thor.




Reply-Message from external authorization doesn't work

2003-09-01 Thread Michal_Hobot
Hi.
I'm using FreeRadius 0.9.0 on RedHat Linux 9.
I'm using external program for authorizing users. When authorization is not
allowed, I'd like to inform my user about reason of failure so I'm
returning Reply-Message:="Some reason" in output from my program.
But, Free Radius always returns "external check failed".

When I let user in, I send other attributes and it works, so my method of
returning attributes seems to be OK.

So, what am I doing wrong?

Cheers,
Michal Hobot




Reply-Message added by auth.c even when already there

2003-08-23 Thread Thor Spruyt
Hi,

Have a look at following code:

    if (exec_program && exec_wait) {
        r = radius_exec_program(exec_program, request,
                                exec_wait,
                                umsg, sizeof(umsg),
                                request->packet->vps, &tmp);
        free(exec_program);
        exec_program = NULL;

        /*
         *  Always add the value-pairs to the reply.
         */
        pairmove(&request->reply->vps, &tmp);
        pairfree(&tmp);

The value pairs have been added to the reply (my script outputs
Reply-Message = "Your account has expired.")

        if (r != 0) {
            /*
             *  Error. radius_exec_program() returns -1 on
             *  fork/exec errors, or >0 if the exec'ed program
             *  had a non-zero exit status.
             */

Not sure why this is indicated as an error. If the script decides to reject
a user, it returns 1, but that's no error.

            if (umsg[0] == '\0') {
                user_msg = "\r\nAccess denied (external check failed).";
            } else {
                user_msg = &umsg[0];
            }

I can understand this, there's no umsg, so provide a default Reply-Message.

            request->reply->code = PW_AUTHENTICATION_REJECT;
            tmp = pairmake("Reply-Message", user_msg, T_OP_SET);

            pairadd(&request->reply->vps, tmp);

Shouldn't this only be added when there's not already a Reply-Message
attribute in &request->reply->vps ?!?

            rad_authlog("Login incorrect (external check failed)",
                        request, 0);

            return RLM_MODULE_REJECT;
        }
    }

Thanx,

Thor Spruyt
System Engineer
Mobile: +32 (0)475 67 22 65
Email: [EMAIL PROTECTED]
Loose those wires ! www.sinfilo.com




Re: Reply-Message from Exec-Program-Wait with exit code 1

2003-08-22 Thread Thor Spruyt
Hi,

I went a bit further. Seems like tcpdump was only capturing the first 96
bytes of packets, so I used tcpdump -s 0 and came to the surprise that
freeradius is actually sending an Access-Reject packet with 2 Reply-Message
attributes.

The first Reply-Message attribute in the packets contains the output from
the external script.
The second Reply-Message attribute in the packets contains "login denied
(external check failed)"

So the NAS is just taking the last Reply-Message attribute of the packet to
display to the user.

Any way to tell freeradius only to send the output from the external script?

Thanx,

Thor.
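
The finding above (two Reply-Message attributes in one Access-Reject, and a 96-byte capture that hid the second) can be checked mechanically. This C program is an added example, not part of the original post and not FreeRADIUS code: it walks a packet's attribute list using the RFC 2865 layout and refuses a capture shorter than the packet's own length field. The packet is constructed for the example from the two message texts quoted in this thread; `collect_reply_messages`, `build_sample_reject` and `put_attr` are names invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_HDR_LEN     20    /* code, id, 2-byte length, 16-byte authenticator */
#define RADIUS_MAX_LEN     4096  /* RFC 2865 upper bound on packet length */
#define CODE_ACCESS_REJECT 3
#define ATTR_REPLY_MESSAGE 18

struct reply_msgs {
    int  code;        /* RADIUS code of the packet */
    int  count;       /* how many Reply-Message attributes it carries */
    char first[254];  /* text of the first one (a value is at most 253 bytes) */
    char last[254];   /* text of the last one, the one the NAS in this thread showed */
};

/* Walk the attribute list; returns 0 on success, -1 if malformed or cut short. */
int collect_reply_messages(const uint8_t *pkt, size_t caplen,
                           struct reply_msgs *out)
{
    size_t len, off;

    memset(out, 0, sizeof(*out));
    if (caplen < RADIUS_HDR_LEN)
        return -1;
    len = ((size_t)pkt[2] << 8) | pkt[3];
    if (len < RADIUS_HDR_LEN || len > RADIUS_MAX_LEN)
        return -1;               /* length field out of range */
    if (len > caplen)
        return -1;               /* capture is shorter than the packet */
    out->code = pkt[0];

    for (off = RADIUS_HDR_LEN; off < len; ) {
        size_t alen, vlen;

        if (len - off < 2)
            return -1;           /* no room for a type/length header */
        alen = pkt[off + 1];     /* attribute length includes its 2-byte header */
        if (alen < 2 || alen > len - off)
            return -1;           /* attribute runs past the packet */
        vlen = alen - 2;
        if (pkt[off] == ATTR_REPLY_MESSAGE) {
            if (out->count == 0) {
                memcpy(out->first, pkt + off + 2, vlen);
                out->first[vlen] = '\0';
            }
            memcpy(out->last, pkt + off + 2, vlen);
            out->last[vlen] = '\0';
            out->count++;
        }
        off += alen;
    }
    return 0;
}

/* Append one string attribute at offset off; returns the new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint8_t type, const char *val)
{
    size_t vlen = strlen(val);

    buf[off] = type;
    buf[off + 1] = (uint8_t)(vlen + 2);
    memcpy(buf + off + 2, val, vlen);
    return off + 2 + vlen;
}

/* Constructed sample: an Access-Reject with the script's text followed by the
 * default text from auth.c. Id and authenticator are placeholders. */
size_t build_sample_reject(uint8_t *buf)
{
    size_t off = RADIUS_HDR_LEN;

    memset(buf, 0, RADIUS_HDR_LEN);
    buf[0] = CODE_ACCESS_REJECT;
    buf[1] = 17;
    off = put_attr(buf, off, ATTR_REPLY_MESSAGE,
                   "This account has expired since 2003-07-31 00:00:00.");
    off = put_attr(buf, off, ATTR_REPLY_MESSAGE,
                   "\r\nAccess denied (external check failed).");
    buf[2] = (uint8_t)(off >> 8);
    buf[3] = (uint8_t)(off & 0xff);
    return off;
}

int main(void)
{
    uint8_t pkt[256];
    struct reply_msgs m;
    size_t n = build_sample_reject(pkt);

    if (collect_reply_messages(pkt, n, &m) == 0 && m.code == CODE_ACCESS_REJECT)
        printf("%d Reply-Message attribute(s); last: %s\n", m.count, m.last);
    if (collect_reply_messages(pkt, 96, &m) != 0)
        printf("96 of %zu bytes captured: truncated, re-capture with -s 0\n", n);
    return 0;
}
```
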




Re: Reply-Message from Exec-Program-Wait with exit code 1

2003-08-22 Thread Thor Spruyt
> Remember that windows users can't see any message returned from radius
>
> Sergio Jose Ferreira
> WGO Intenet
> Catalao - Go - Brazil

Well... I thought the -x would also tell me what it's putting in the
Auth-Reject packet, as it tells me what it does in the Auth-Accept packet.
So I now took ethereal and saw indeed the correct Reply-Message is being
sent.

Successful login:
Exec-Program: /root/auth.pl
Exec-Program-Wait: value-pairs: Reply-Message = "Your account is valid until 2003-08-31 00:00:00.",Acct-Interim-Interval = 300,Idle-Timeout = 7200,Session-Timeout = 741631
Exec-Program: returned: 0
Login OK: [thor] (from client colubris port 1 cli 00-01-F4-ED-6E-87)
Sending Access-Accept of id 16 to 192.168.100.2:1026
Reply-Message = "Your account is valid until 2003-08-31 00:00:00."
Acct-Interim-Interval = 300
Idle-Timeout = 7200
Session-Timeout = 741631

Failed login:
Exec-Program: /root/auth.pl
Exec-Program-Wait: value-pairs: Reply-Message = "This account has expired since 2003-07-31 00:00:00."
Exec-Program: returned: 1
Login incorrect (external check failed): [thor] (from client colubris port 1 cli 00-01-F4-ED-6E-87)

Proposed addition:
Sending Access-Reject of ... to ...
Reply-Message = "Your account is valid until 2003-08-31 00:00:00."

Regards,

Thor.




RES: Reply-Message from Exec-Program-Wait with exit code 1

2003-08-21 Thread sergio jose ferreira

> Hi,
>
> I have setup radius with mysql authentication and exec-program-wait for
> authorization.
>
> Some examples of what the script does:
>
> If the user's account is ok, I output:
> Reply-Message = "Your account is valid until xx/xx/xx."
> Session-Timeout = 3600
>
> If the user has no more amount on his account, I output:
> Reply-Message = "You have no amount left on your account."
> and stop the script with exit code 1
>
> If the user's account has expired, I output:
> Reply-Message = "Your account has expired."
> and stop the script with exit code 1
>
> Now, when the script exits with code 1, freeradius sends an Auth-Reject
> packet with the message "authentication failed (by external program)"
> instead of the Reply-Message attribute.
>
> I tried with exiting with code 0 and Auth-Type = Reject, but then the login
> is accepted instead of rejected.
>
> I just want the script to be able to reject a user while sending a proper
> reply-message why he has been rejected.


See this script example in PHP :


Remember that windows users can't see any message returned from radius 

Sergio Jose Ferreira
WGO Intenet
Catalao - Go - Brazil




Re: Reply-Message from Exec-Program-Wait with exit code 1

2003-08-21 Thread Thor Spruyt
Hmm... I just bought the Radius book from O'Reilly (ordered 1 month ago),
but of course Murphy had to show up...

I don't find anything in the book about Exec-Program(-Wait) !!!

Anybody any idea ?!?


> Hi,
>
> I have setup radius with mysql authentication and exec-program-wait for
> authorization.
>
> Some examples of what the script does:
>
> If the user's account is ok, I output:
> Reply-Message = "Your account is valid until xx/xx/xx."
> Session-Timeout = 3600
>
> If the user has no more amount on his account, I output:
> Reply-Message = "You have no amount left on your account."
> and stop the script with exit code 1
>
> If the user's account has expired, I output:
> Reply-Message = "Your account has expired."
> and stop the script with exit code 1
>
> Now, when the script exits with code 1, freeradius sends an Auth-Reject
> packet with the message "authentication failed (by external program)"
> instead of the Reply-Message attribute.
>
> I tried with exiting with code 0 and Auth-Type = Reject, but then the login
> is accepted instead of rejected.
>
> I just want the script to be able to reject a user while sending a proper
> reply-message why he has been rejected.
>
> Thanx.
>
> Thor Spruyt
> System Engineer
> Mobile: +32 (0)475 67 22 65
> Email: [EMAIL PROTECTED]
> Loose those wires ! www.sinfilo.com


Reply-Message from Exec-Program-Wait with exit code 1

2003-08-20 Thread Thor Spruyt
Hi,

I have setup radius with mysql authentication and exec-program-wait for
authorization.

Some examples of what the script does:

If the user's account is ok, I output:
Reply-Message = "Your account is valid until xx/xx/xx."
Session-Timeout = 3600

If the user has no more amount on his account, I output:
Reply-Message = "You have no amount left on your account."
and stop the script with exit code 1

If the user's account has expired, I output:
Reply-Message = "Your account has expired."
and stop the script with exit code 1

Now, when the script exits with code 1, freeradius sends an Auth-Reject
packet with the message "authentication failed (by external program)"
instead of the Reply-Message attribute.

I tried with exiting with code 0 and Auth-Type = Reject, but then the login
is accepted instead of rejected.

I just want the script to be able to reject a user while sending a proper
reply-message why he has been rejected.

Thanx.

Thor Spruyt
System Engineer
Mobile: +32 (0)475 67 22 65
Email: [EMAIL PROTECTED]
Loose those wires ! www.sinfilo.com




Re: reply-message

2003-08-19 Thread Artur Hecker

hi alan


your answers always appear before the original questions, which is a
little bit surprising :-)

e.g. to my email originally written at 20:50 +02:00 you answered at
11:06 -04:00. evidently it's not possible, provided that we have the
same reference point. do you make reference to GMT or what?

then, to your email: i would like to test it with AP340/250. which is
the attribute to put into the user configuration in order to get
assigned an ip by the radius server? :-)


ciao
artur


Alan DeKok wrote:
> 
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > Alan: what do you think, if freeradius assigned an ip-address to the
> > user in a corresponding radius attribute and the client (AP) would use
> > it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> > message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> > think something like this would be possible?
> 
>   It should be possible, but I don't know off-hand if any AP's work
> that way.
> 
>   Alan DeKok.
> 

-- 
Artur Hecker
artur[at]hecker.info



Re: reply-message

2003-08-19 Thread Alan DeKok
Artur Hecker <[EMAIL PROTECTED]> wrote:
> Alan: what do you think, if freeradius assigned an ip-address to the
> user in a corresponding radius attribute and the client (AP) would use
> it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> think something like this would be possible?

  It should be possible, but I don't know off-hand if any AP's work
that way.

  Alan DeKok.



Re: reply-message

2003-08-19 Thread Artur Hecker
hi sylvain


i have to admit that i don't really understand the first part of your
question. but, in the case you are using EAP/MD5 try to read the FAQ
under http://www.freeradius.org/doc/EAP-MD5.html and look for
Reply-Message. Could it be this kind of problem?

for the second part, it's interesting - i didn't try it but, as alan, i
asked myself if it is possible some time ago and i promptly came up with
a solution which i'm not sure about.

Alan: what do you think, if freeradius assigned an ip-address to the
user in a corresponding radius attribute and the client (AP) would use
it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
message, could it work? I'm not an expert in BOOTP/DHCP, but do you
think something like this would be possible?


ciao
artur



Alan DeKok wrote:
> 
> Sylvain Masnada <[EMAIL PROTECTED]> wrote:
> > I'd like to know why the "reply-message" attribute is sent by
> > freeradius in a access-reject packet.  I use this attribute to
> > welcome people who connected themselves on my wireless network. But
> > with xsupplicant, this access-reject disconnects my user, who
> > reconnects immediately and is disconnected and reconnected and ...
> 
>   I don't think that the Reply-Message has anything to do with it.
> 
>   If the user is rejected, they can try again immediately.  After some
> number of retries, the AP will deny them access.  See the AP
> configuration for details.
> 
> > I'd like to know if my AP which is a cisco AP350 can cause me
> > troubles when I try to assign an ip to the users.
> 
>   So far as I know, it can't be done.  The users are authenticating to
> the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
> support setting the IP address.
> 
>   Alan DeKok.
> 

-- 
Artur Hecker
artur[at]hecker.info



Re: reply-message

2003-08-19 Thread Alan DeKok
Sylvain Masnada <[EMAIL PROTECTED]> wrote:
> I'd like to know why the "reply-message" attribute is sent by
> freeradius in a access-reject packet.  I use this attribute to
> welcome people who connected themselves on my wireless network. But
> with xsupplicant, this access-reject disconnects my user, who
> reconnects immediately and is disconnected and reconnected and ...

  I don't think that the Reply-Message has anything to do with it.

  If the user is rejected, they can try again immediately.  After some
number of retries, the AP will deny them access.  See the AP
configuration for details.

> I'd like to know if my AP which is a cisco AP350 can cause me
> troubles when I try to assign an ip to the users.

  So far as I know, it can't be done.  The users are authenticating to
the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
support setting the IP address.

  Alan DeKok.



reply-message

2003-08-19 Thread Sylvain Masnada
hi everybody,
I'd like to know why the "reply-message" attribute is sent by freeradius in a
access-reject packet.
I use this attribute to welcome people who connected themselves on my wireless
network. But with xsupplicant, this access-reject disconnects my user, who
reconnects immediately and is disconnected and reconnected and ...

I'd like to know if my AP which is a cisco AP350 can cause me troubles when I
try to assign an ip to the users.
My user is configured like steve example in users. Freeradius sends
framed-IP-Address, Netmask ... correctly (freeradius debug tell me it) but my
client has never an IP assigned as I would like.
What have I to do to assign an IP to my users?

Please help me.

Thx in advance
Sylvain



Re: Reply message from the counter module

2003-07-29 Thread Alexander M. Pravking
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote:
> > Dear developers, how about customizable messages? Something like
> > this in radiusd.conf:
> > 
> > messages {
> > multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> > timespan_violation = "You are calling outside allowed timespan\r\n"
> >...
> >}
> 
>   Sure.

Almost done.
I could get rid of radius_xlat calls, if the "user_msg == NULL" check is
removed around the following block (auth.c, lines 850-865):

/*
 *  Filter (possibly multiple) Reply-Message attributes
 *  through radius_xlat, modifying them in place.
 */
if (user_msg == NULL) {
    reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE);
    while (reply_item) {
        radius_xlat(buf, sizeof(reply_item->strvalue),
                    (char *)reply_item->strvalue, request, NULL);
        strNcpy((char *)reply_item->strvalue, buf,
                sizeof(reply_item->strvalue));
        reply_item->length = strlen((char *)reply_item->strvalue);
        user_msg = NULL;
        reply_item = pairfind(reply_item->next, PW_REPLY_MESSAGE);
    }
}

There's no more need for it, I think.

Also, the mentioned xlat.c patch should be applied too to allow
expansion of %{check:...} attributes.

Local tests are OK.


-- 
Fduch M. Pravking
Index: src/include/radiusd.h
===
RCS file: /source/radiusd/src/include/radiusd.h,v
retrieving revision 1.140
diff -u -p -r1.140 radiusd.h
--- src/include/radiusd.h   23 Jul 2003 19:50:38 -  1.140
+++ src/include/radiusd.h   29 Jul 2003 21:28:42 -
@@ -172,6 +172,15 @@ typedef struct main_config_t {
REALM   *realms;
 } MAIN_CONFIG_T;
 
+typedef struct messages_config_t {
+   const char  *expiration;
+   const char  *double_login;
+   const char  *multiple_login;
+   const char  *timespan_violation;
+   const char  *exec_failure;
+   const char  *auth_failure;
+} MESSAGE_CONFIG_T;
+
 #define DEBUG  if(debug_flag)log_debug
 #define DEBUG2  if (debug_flag > 1)log_debug
 
@@ -364,6 +373,7 @@ extern  int total_active_threads
 /* mainconfig.h */
 /* Define a global config structure */
 extern struct main_config_t mainconfig;
+extern struct messages_config_t server_messages;
 
 int read_mainconfig(int reload);
 int free_mainconfig(void);
Index: src/main/mainconfig.c
===
RCS file: /source/radiusd/src/main/mainconfig.c,v
retrieving revision 1.21
diff -u -p -r1.21 mainconfig.c
--- src/main/mainconfig.c   22 Jul 2003 18:16:23 -  1.21
+++ src/main/mainconfig.c   29 Jul 2003 21:30:39 -
@@ -45,6 +45,7 @@
 
 
 struct main_config_t mainconfig;
+struct messages_config_t server_messages;
 
 /*
  *  Local variables for stuff.
@@ -83,6 +84,25 @@ static CONF_PARSER security_config[] = {
 };
 
 /*
+ *  A list of global messages sent back in certain cases
+ */
+static CONF_PARSER messages_config[] = {
+   { "expiration", PW_TYPE_STRING_PTR, 0, &server_messages.expiration,
+ "Password Has Expired\r\n" },
+   { "double_login", PW_TYPE_STRING_PTR, 0, &server_messages.double_login,
+ "\r\nYou are already logged in  - access denied\r\n" },
+   { "multiple_login", PW_TYPE_STRING_PTR, 0, &server_messages.multiple_login,
+ "\r\nYou are already logged in %{check:Simultaneous-Use} times - access 
denied\r\n" },
+   { "timespan_violation", PW_TYPE_STRING_PTR, 0, 
&server_messages.timespan_violation,
+ "You are calling outside your allowed timespan\r\n" },
+   { "exec_failure", PW_TYPE_STRING_PTR, 0, &server_messages.exec_failure,
+ "\r\nAccess denied (external check failed).\r\n" },
+   { "auth_failure", PW_TYPE_STRING_PTR, 0, &server_messages.auth_failure,
+ "" },
+   { NULL, -1, 0, NULL, NULL }
+};
+
+/*
  *  A mapping of configuration file names to internal variables
  */
 static CONF_PARSER server_config[] = {
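Review bot: Two of the defaults in `messages_config[]` only behave correctly with other patches from this thread, and the comment should say so. The `multiple_login` default uses `%{check:Simultaneous-Use}`, which is left unexpanded unless the `check:` change to xlat.c is applied, and the `auth_failure` default of `""` produces a zero-length Reply-Message unless empty attributes are omitted on send. The comment should also state that these strings are expanded and returned to the NAS, so `%{config:...}` and `%{check:...}` references in them must not point at secrets. Minor: the `double_login` default has a doubled space before the dash.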
@@ -126,6 +146,7 @@ static CONF_PARSER server_config[] = {
{ "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" },
{ "proxy", PW_TYPE_SUBSECTION, 0, proxy_config, NULL },
{ "security", PW_TYPE_SUBSECTION, 0, security_config, NULL },
+   { "messages", PW_TYPE_SUBSECTION, 0, messages_config, NULL },
{ "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_l

Re: Reply message from the counter module

2003-07-29 Thread Alexander M. Pravking
On Tue, Jul 29, 2003 at 10:52:59AM -0400, Alan DeKok wrote:
> "Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> > > > By the way, %{Simultaneous-Use} will not work, since there's no way to
> > > > expand check items from the request...
> > > 
> > >   Nonsense.  See 'doc/variables.txt'
> > 
> > Huh?
> 
>   Hmm... if it's not there, then it's trivial enough to add.  ~10
> lines in src/main/xlat.c should do it.

Here's a patch. I used "check:" as a prefix, maybe someone suggests more
reasonable one?


Index: doc/variables.txt
===
RCS file: /source/radiusd/doc/variables.txt,v
retrieving revision 1.7
diff -u -p -r1.7 variables.txt
--- doc/variables.txt   11 Apr 2003 17:54:58 -  1.7
+++ doc/variables.txt   29 Jul 2003 16:16:06 -
@@ -4,6 +4,8 @@ The variables defined by the server are:
  in request
  %{request:Attribute-Name}   Corresponding value for Attribute-Name
  in request
+ %{check:Attribute-Name} Corresponding value for Attribute-Name
+ in check items
  %{reply:Attribute-Name} Corresponding value for Attribute-Name
  in reply
  %{proxy-reply:Attribute-Name}   Corresponding value for Attribute-Name
@@ -12,9 +14,9 @@ The variables defined by the server are:
  %{config:section.subsection.item} Corresponding value in 'radiusd.conf'
for the string value of that item.
 
-  The %{config:...} variables should be used VERY carefully, as they
-may leak secret information from your RADIUS server, if you use them
-in reply attributes to the NAS!
+  The %{config:...} and %{check:... } variables should be used VERY
+carefully, as they may leak secret information from your RADIUS server,
+if you use them in reply attributes to the NAS!
 
   e.g.
 
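Review bot: In the reworded warning, `%{check:... }` has a stray space before the closing brace, unlike the `%{config:...}` form beside it and the `%{check:Attribute-Name}` entry added in the first hunk. The warning would also be more useful if it said why check items are sensitive: they hold the values a user is matched against, User-Password among them, so a `%{check:User-Password}` in a reply string would be sent to the NAS.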
Index: src/main/xlat.c
===
RCS file: /source/radiusd/src/main/xlat.c,v
retrieving revision 1.55
diff -u -p -r1.55 xlat.c
--- src/main/xlat.c 18 Mar 2003 05:50:54 -  1.55
+++ src/main/xlat.c 29 Jul 2003 16:17:53 -
@@ -232,6 +232,16 @@ static void decode_attribute(const char 
}
 
/*
+*  Find an attibute from the config items
+*/
+   } else if (strncasecmp(attrname,"check:",6) == 0) {
+   if((tmpda = dict_attrbyname(&attrname[6])) && 
+   (tmppair = pairfind(request->config_items, 
tmpda->attr))) {
+   q += valuepair2str(q,freespace,tmppair,tmpda->type, func);
+   found = 1;
+   }
+
+   /*
 *  Find an attribute from the request.
 */
} else if (strncasecmp(attrname,"request:",8) == 0) {
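Review bot: The new `check:` branch expands any attribute it finds in `request->config_items`, with no exclusion for password-type check items, so every string that passes through xlat, Reply-Message included, can now carry them; consider refusing User-Password and similar attributes here instead of relying on the documentation warning alone. The added comment misspells "attribute" as "attibute", and `if(` lacks the space used by the `else if (` lines around it.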

-- 
Fduch M. Pravking



Re: Reply message from the counter module

2003-07-29 Thread Alan DeKok
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> > > By the way, %{Simultaneous-Use} will not work, since there's no way to
> > > expand check items from the request...
> > 
> >   Nonsense.  See 'doc/variables.txt'
> 
> Huh?

  Hmm... if it's not there, then it's trivial enough to add.  ~10
lines in src/main/xlat.c should do it.

> Wrong question - wrong answer... I mean, which one should be used in
> radiusd code when adding the Reply-Message? Hmm, what's the matter with
> me? The code already uses some operators, so I'll simply leave them.
> Right?

  pairadd()

  Alan DeKok.




Re: Reply message from the counter module

2003-07-28 Thread Alexander M. Pravking
On Mon, Jul 28, 2003 at 08:11:26PM -0400, Alan DeKok wrote:
> "Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> > By the way, %{Simultaneous-Use} will not work, since there's no way to
> > expand check items from the request...
> 
>   Nonsense.  See 'doc/variables.txt'

Huh?
 %{Attribute-Name}   Corresponding value for %Attribute-Name
 in request
 %{request:Attribute-Name}   Corresponding value for %Attribute-Name
 in request
 %{reply:Attribute-Name} Corresponding value for %Attribute-Name
 in reply
 %{proxy-reply:Attribute-Name}   Corresponding value for %Attribute-Name
 in the proxy reply (if it exists)

 %{config:section.subsection.item} Corresponding value in 'radiusd.conf'
   for the string value of that item.

The xlat sources say the same. Did I miss something?


> > One more question. Which operator should I use to add Reply-Message?
> > ":=" or "=" or "+="?
> 
>   It depends if you want one, or more than one.  See the 'man' page
> for the 'users' file.

Wrong question - wrong answer... I mean, which one should be used in
radiusd code when adding the Reply-Message? Hmm, what's the matter with
me? The code already uses some operators, so I'll simply leave them.
Right?


-- 
Fduch M. Pravking



Re: Reply message from the counter module

2003-07-28 Thread Alan DeKok
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> By the way, %{Simultaneous-Use} will not work, since there's no way to
> expand check items from the request...

  Nonsense.  See 'doc/variables.txt'

> How about, say, new integer attribute like FreeRADIUS-Reply-Code,
> which will be automatically replaced with a corresponding Reply-Message
> just before reply? However, in this case we still need some mapping
> from FreeRADIUS-Reply-Code to Reply-Message, other than dictionary.

  No.

  You should be able to use messages from the configuration inside of
a Reply-Message attribute, but any kind of "mapping" is more trouble
than it's worth.

> And FreeRADIUS sends attributes no matter of their length. 
> A small patch solves this (works for me, please, test it):

  That's a bug.  I'll add the fix.

> One more question. Which operator should I use to add Reply-Message?
> ":=" or "=" or "+="?

  It depends if you want one, or more than one.  See the 'man' page
for the 'users' file.

  Alan DeKok.



Re: Reply message from the counter module

2003-07-28 Thread Alexander M. Pravking
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote:
> > Dear developers, how about customizable messages? Something like
> > this in radiusd.conf:
> > 
> > messages {
> > multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> > timespan_violation = "You are calling outside allowed timespan\r\n"
> >...
> >}
> 
>   Sure.

By the way, %{Simultaneous-Use} will not work, since there's no way to
expand check items from the request...


> > I probably could work on that, but I need some guidelines:
> > 1. Should it be a set of static variables, or searchable list like
> >dictionary?
> 
>   I'm not sure what you mean by that.

How about, say, new integer attribute like FreeRADIUS-Reply-Code,
which will be automatically replaced with a corresponding Reply-Message
just before reply? However, in this case we still need some mapping
from FreeRADIUS-Reply-Code to Reply-Message, other than dictionary.

I dislike this idea more and more...


> > 2. Should it be per-module configuration, or global?
> 
>   Many messages are global.  They should be in a global config.

Well, I'll try global messages first.

I always felt myself uncomfortable with silent auth-failures, so it's
reasonable to have auth_failure message, IMHO. However, some people
might want to leave it silent, so maybe it should be empty by default.
But there's an issue with sending empty strings in FreeRADIUS currently.
RFC 2865 says:

  string    1-253 octets containing binary data (values 0 through
            255 decimal, inclusive).  Strings of length zero (0)
            MUST NOT be sent; omit the entire attribute instead.

And FreeRADIUS sends attributes no matter of their length. 
A small patch solves this (works for me, please, test it):

Index: src/lib/radius.c
===
RCS file: /source/radiusd/src/lib/radius.c,v
retrieving revision 1.101
diff -u -p -r1.101 radius.c
--- src/lib/radius.c23 Jul 2003 19:44:35 -  1.101
+++ src/lib/radius.c28 Jul 2003 22:37:34 -
@@ -226,6 +226,14 @@ int rad_send(RADIUS_PACKET *packet, cons
  }
 
  /*
+  *Don't send empty attributes, omit 'em
+  */
+ if (((reply->type == PW_TYPE_ABINARY) ||
+  (reply->type == PW_TYPE_STRING) ||
+  (reply->type == PW_TYPE_OCTETS)) &&
+ reply->length == 0)
+ continue;
+ /*
   *Print out ONLY the attributes which
   *    we're sending over the wire, and print
   *them out BEFORE they're encrypted.
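Review bot: The `continue` sits above the "Print out ONLY the attributes which we're sending over the wire" block, so an omitted empty attribute leaves no trace in the debug output; a debug line before `continue` would let an operator see why a configured Reply-Message never reached the NAS. The multi-line condition should also get braces around `continue;`, and a blank line should separate it from the comment that follows, as elsewhere in this hunk.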


One more question. Which operator should I use to add Reply-Message?
":=" or "=" or "+="?


-- 
Fduch M. Pravking
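
The RFC 2865 rule quoted in this message, as an added example that is not part of the original post or of FreeRADIUS: a stand-alone C encoder that omits zero-length string attributes, plus a receiver-side walker that rejects them. The `struct attr` layout, the function names and the sample reply are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATTR_REPLY_MESSAGE   18   /* RFC 2865 type code for Reply-Message */
#define ATTR_SESSION_TIMEOUT 27   /* RFC 2865 type code for Session-Timeout */
#define ATTR_MAX_VALUE       253  /* 255 minus the type and length octets */

enum attr_kind { KIND_STRING, KIND_INTEGER };

/* Hypothetical in-memory attribute; not FreeRADIUS's own value-pair type. */
struct attr {
    uint8_t        type;
    enum attr_kind kind;
    const char    *str;      /* used when kind == KIND_STRING */
    size_t         length;   /* octets in str */
    uint32_t       integer;  /* used when kind == KIND_INTEGER */
};

/*
 * Encode attrs[0..n) as type/length/value triples into out.
 * Zero-length strings are omitted and counted in *omitted.
 * Returns the octets written, or -1 if a value exceeds 253 octets
 * or the output buffer is too small.
 */
long encode_attrs(const struct attr *attrs, size_t n,
                  uint8_t *out, size_t outlen, size_t *omitted)
{
    size_t used = 0;

    *omitted = 0;
    for (size_t i = 0; i < n; i++) {
        const struct attr *a = &attrs[i];
        uint8_t ibuf[4];
        const uint8_t *val;
        size_t len;

        if (a->kind == KIND_INTEGER) {
            /* Integers are four octets, most significant first. */
            ibuf[0] = (uint8_t)(a->integer >> 24);
            ibuf[1] = (uint8_t)(a->integer >> 16);
            ibuf[2] = (uint8_t)(a->integer >> 8);
            ibuf[3] = (uint8_t)a->integer;
            val = ibuf;
            len = sizeof(ibuf);
        } else {
            if (a->length == 0) {        /* MUST NOT be sent: omit it */
                (*omitted)++;
                continue;
            }
            if (a->length > ATTR_MAX_VALUE)
                return -1;
            val = (const uint8_t *)a->str;
            len = a->length;
        }
        if (outlen - used < len + 2)
            return -1;
        out[used++] = a->type;
        out[used++] = (uint8_t)(len + 2);  /* length covers type + length */
        memcpy(out + used, val, len);
        used += len;
    }
    return (long)used;
}

/*
 * Receiver side: count attributes of the given type in an attribute area.
 * Returns -1 if an attribute is truncated or carries a zero-length value.
 */
int count_attrs(const uint8_t *buf, size_t len, uint8_t type)
{
    int count = 0;
    size_t pos = 0;

    while (pos < len) {
        if (len - pos < 2)
            return -1;
        size_t alen = buf[pos + 1];
        if (alen < 3 || alen > len - pos)
            return -1;
        if (buf[pos] == type)
            count++;
        pos += alen;
    }
    return count;
}

/* Constructed sample reply: three Reply-Message values, one of them empty
 * (as an auth_failure message left at "" would be), and a Session-Timeout. */
static const struct attr sample_reply[] = {
    { ATTR_REPLY_MESSAGE,   KIND_STRING,  "111", 3, 0 },
    { ATTR_REPLY_MESSAGE,   KIND_STRING,  "",    0, 0 },
    { ATTR_REPLY_MESSAGE,   KIND_STRING,  "222", 3, 0 },
    { ATTR_SESSION_TIMEOUT, KIND_INTEGER, NULL,  0, 30 },
};
#define SAMPLE_COUNT (sizeof(sample_reply) / sizeof(sample_reply[0]))

static uint8_t sample_wire[64];
static size_t  sample_omitted;

/* Encode the constructed sample into sample_wire. */
long encode_sample(void)
{
    return encode_attrs(sample_reply, SAMPLE_COUNT,
                        sample_wire, sizeof(sample_wire), &sample_omitted);
}

int main(void)
{
    long n = encode_sample();

    printf("encoded %ld octets, omitted %zu, %d Reply-Message on the wire\n",
           n, sample_omitted,
           count_attrs(sample_wire, (size_t)n, ATTR_REPLY_MESSAGE));
    return 0;
}
```
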



Re: Reply message from the counter module

2003-07-28 Thread Alan DeKok
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> Yeah, it's not the only place where configurable messages could be
> useful. I've already suggested such a thing, but the silence was an
> answer...
...

> Dear developers, how about customizable messages? Something like
> this in radiusd.conf:
> 
> messages {
> multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> timespan_violation = "You are calling outside allowed timespan\r\n"
>...
>}

  Sure.

> I probably could work on that, but I need some guidelines:
> 1. Should it be a set of static variables, or searchable list like
>dictionary?

  I'm not sure what you mean by that.

> 2. Should it be per-module configuration, or global?

  Many messages are global.  They should be in a global config.

> 3. Where to put these parameters in config?

  In a new 'messages' block.

> 4. Recommended naming conventions?

  Something short, but long enough to be reasonably obvious.

  Alan DeKok.



Re: Reply message from the counter module

2003-07-27 Thread Alexander M. Pravking
On Sat, Jul 26, 2003 at 07:09:38PM -0700, Alex Chen wrote:
> I finally get the counter module to work but there is a small question
> about the reply message issued by the counter when the accumulated time
> exceeds the value of the 'check-name' attribute.  I set the 'reset' to 'never' and
> when the limit, say, 60 seconds, is reached, the reply message says:
> 
>  Reply-Message = "Your maximum never usage time has been reached"
> 
> It is not a problem  but does not sound normal.
> 
> May I suggest, in the next release, that you make the reply message a
> user configurable item in the counter module, e.g.
> 
>   counter {
>       filename = ${raddbdir}/counterdb
>       key = User-Name
>       count-attribute = Acct-Session-Time
>       reset = never
>       reply-message = "Your maximum access time has been reached"
>   }

Yeah, it's not the only place where configurable messages could be
useful. I've already suggested such a thing, but the silence was an
answer...

If anyone of developers got interested, see
http://lists.cistron.nl/archives/freeradius-users/2003/06/frm00625.html


-- 
Fduch M. Pravking

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Reply message from the counter module

2003-07-26 Thread Alex Chen
I finally get the counter module to work but there is a small question
about the reply message issued by the counter when the accumulated time
exceeds the value of the 'check-name' attribute.  I set the 'reset' to 'never' and
when the limit, say, 60 seconds, is reached, the reply message says:

 Reply-Message = "Your maximum never usage time has been reached"

It is not a problem  but does not sound normal.

May I suggest, in the next release, that you make the reply message a
user configurable item in the counter module, e.g.

  counter {
      filename = ${raddbdir}/counterdb
      key = User-Name
      count-attribute = Acct-Session-Time
      reset = never
      reply-message = "Your maximum access time has been reached"
  }





Re: Reply-Message

2003-07-22 Thread Peter Nixon
Hi Chris

I am sorry I don't have more information, maybe someone else does though. I 
don't currently use Radius for PPP Authentication and it has been 3 years 
since I used Windows on my desktop :-)

Maybe you can find something from google.

Cheers

Peter

On Tue, 22 Jul 2003 09:48 am, Chris Miller wrote:
> Peter, thanks for the reply. I did some testing with PowerDUN and did not
> receive any specific error message. This doesn't surprise me with our
> Livingston pm3s, but our wholesale partner has more modern equipment I
> would expect to support this feature (i.e Cisco, TNT, Lucent).
>
> I've also been able to find little information on how this works or what
> vendors support this. From what I gather the NAS passes the reply on to
> the client via PPP. I would think this would be the default but perhaps
> it's something that specifically needs to be enabled. Do you have any
> further information you can point me to?
>
> Regards,
> Chris
>
> Chris Miller
> NetGate Internet
>
> On Sun, 20 Jul 2003, Peter Nixon wrote:
> > On Sun July 20 2003 01:26, Chris Miller wrote:
> > > I've noticed that the Reply-Message returned from the radius server is
> > > not shown in the Windows DUN error message when access is rejected.
> > > Where does the failure occur? Is this a matter of the NAS not returning
> > > this message to the DUN client, or is this just typical of Windows? Any
> > > way to override this behavior? It would be nice that a user knows their
> > > account has been disabled instead of the generic "username or password
> > > incorrect".
> >
> > This is windows behaviour. Unless you use PowerDUN or one of the
> > replacement dialers you will not see any returned messages.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc
> >
> >
>

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Re: Reply-Message

2003-07-21 Thread Chris Miller

Peter, thanks for the reply. I did some testing with PowerDUN and did not
receive any specific error message. This doesn't surprise me with our
Livingston pm3s, but our wholesale partner has more modern equipment I
would expect to support this feature (i.e Cisco, TNT, Lucent).

I've also been able to find little information on how this works or what
vendors support this. From what I gather the NAS passes the reply on to
the client via PPP. I would think this would be the default but perhaps
it's something that specifically needs to be enabled. Do you have any
further information you can point me to?

Regards,
Chris

Chris Miller
NetGate Internet

On Sun, 20 Jul 2003, Peter Nixon wrote:

> On Sun July 20 2003 01:26, Chris Miller wrote:
> > I've noticed that the Reply-Message returned from the radius server is not
> > shown in the Windows DUN error message when access is rejected. Where does
> > the failure occur? Is this a matter of the NAS not returning this
> > message to the DUN client, or is this just typical of Windows? Any way to
> > override this behavior? It would be nice that a user knows their account
> > has been disabled instead of the generic "username or password incorrect".
>
> This is windows behaviour. Unless you use PowerDUN or one of the replacement
> dialers you will not see any returned messages.
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
>
>
>





Re: Reply-Message

2003-07-20 Thread Peter Nixon
On Sun July 20 2003 01:26, Chris Miller wrote:
> I've noticed that the Reply-Message returned from the radius server is not
> shown in the Windows DUN error message when access is rejected. Where does
> the failure occur? Is this a matter of the NAS not returning this
> message to the DUN client, or is this just typical of Windows? Any way to
> override this behavior? It would be nice that a user knows their account
> has been disabled instead of the generic "username or password incorrect".

This is windows behaviour. Unless you use PowerDUN or one of the replacement 
dialers you will not see any returned messages.

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc




Reply-Message

2003-07-19 Thread Chris Miller

I've noticed that the Reply-Message returned from the radius server is not
shown in the Windows DUN error message when access is rejected. Where does
the failure occur? Is this a matter of the NAS not returning this
message to the DUN client, or is this just typical of Windows? Any way to
override this behavior? It would be nice that a user knows their account
has been disabled instead of the generic "username or password incorrect".

Regards,
Chris

Chris Miller
NetGate Internet




Re: simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Alexander,
Users' native language is Turkish which uses Latin alphabet
so, luckily, ascii characters will do good.

And yes it would be nice to have customizable messages :)

Thanks,
Gunce


On Fri, 20 Jun 2003, Alexander M. Pravking wrote:

> On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> > Dear list,
> > I am using (v0.8.1)
> > simultaneous-use attribute with Bay RAC 8000 without problems.
> > Users also get and see the "You are already logged in - access denied"
> > message through NAS-Prompt when they are trying to connect beyond the
> > limit. To make life easier for hot-line staff, we should have it in
> > native language.
>
> Are you sure your NAS won't go crazy because of non-ascii characters?
> Don't you expect charset problems?
>
> > I don't know if somebody ever needed it. I looked for
> > this reply message in radiusd.conf, radcheck, could not see..
>
> It's hard-coded currently, so you can edit the sources and then recompile
> radius.
>
>
> Dear developers, how about customizable messages? Something like this in
> radiusd.conf:
> messages {
> multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
> timespan_violation = "You are calling outside allowed timespan\r\n"
> ...
> }
>
> I probably could work on that, but I need some guidelines:
> 1. Should it be a set of static variables, or searchable list like
>dictionary?
> 2. Should it be per-module configuration, or global?
> 3. Where to put these parameters in config?
> 4. Recommended naming conventions?
>
>
> --
> Fduch M. Pravking
>




Re: simultaneous-use reply-message

2003-06-20 Thread Alexander M. Pravking
On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> Dear list,
> I am using (v0.8.1)
> simultaneous-use attribute with Bay RAC 8000 without problems.
> Users also get and see the "You are already logged in - access denied"
> message through NAS-Prompt when they are trying to connect beyond the
> limit. To make life easier for hot-line staff, we should have it in
> native language.

Are you sure your NAS won't go crazy because of non-ascii characters?
Don't you expect charset problems?

> I don't know if somebody ever needed it. I looked for
> this reply message in radiusd.conf, radcheck, could not see..

It's hard-coded currently, so you can edit the sources and then recompile
radius.


Dear developers, how about customizable messages? Something like this in
radiusd.conf:
messages {
    multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
    timespan_violation = "You are calling outside allowed timespan\r\n"
    ...
}

I probably could work on that, but I need some guidelines:
1. Should it be a set of static variables, or searchable list like
   dictionary?
2. Should it be per-module configuration, or global?
3. Where to put these parameters in config?
4. Recommended naming conventions?


-- 
Fduch M. Pravking



simultaneous-use reply-message

2003-06-20 Thread gunce ciftci

Dear list,
I am using (v0.8.1)
simultaneous-use attribute with Bay RAC 8000 without problems.
Users also get and see the "You are already logged in - access denied"
message through NAS-Prompt when they are trying to connect beyond the
limit. To make life easier for hot-line staff, we should have it in
native language. I don't know if somebody ever needed it. I looked for
this reply message in radiusd.conf, radcheck, could not see..

Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"
Where is this reply message defined, so that admins can change/add it?

Regards,
Gunce

Gunce Ciftci
Middle East Technical University
Computer Center
[EMAIL PROTECTED]





Re: How to change the 'Status Server' Reply Message

2003-03-27 Thread Alan DeKok
"Stefan Auweiler" <[EMAIL PROTECTED]> wrote:
> I'd like to extend the 'Status Server' Reply Message with the admins contact
> information
> Does anybody has an advice or a readme?

  Source code modifications.  See 'src/main/radiusd.c'

  Alan DeKok.



How to change the 'Status Server' Reply Message

2003-03-27 Thread Stefan Auweiler
All,

I'd like to extend the 'Status Server' Reply Message with the admins contact
information
Does anybody has an advice or a readme?




My environment:
SuSe 8.1, FreeRADIUS 0.8.1
Test with NTRadPing

Thanks
Stefan





Re: multiple attributes in reply message

2003-03-19 Thread Alan DeKok
"Sunny Wang" <[EMAIL PROTECTED]> wrote:
> I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple
> attributes of the same type in accept reply message.  Can someone let me
> know how do I do that?

  Read the 'man' page for the 'users' file.

> Filter-Id = "in: abc",
> Filter-Id = "out: xyz"

  You want:

    ...
    Filter-Id += "in: abc",
    Filter-Id += "out: xyz"
    ...

  Alan DeKok.



multiple attributes in reply message

2003-03-19 Thread Sunny Wang
Hi,

I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple
attributes of the same type in accept reply message.  Can someone let me
know how do I do that?

Here is my record:

[EMAIL PROTECTED]   User-Password == "blah"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.1.1.12,
    Filter-Id = "in: abc",
    Filter-Id = "out: xyz"

FreeRADIUS server currently is only sending me Filter-Id = "in: abc" but not
Filter-Id = "out: xyz".

Thanks for the help.

--Sunny




Re: Reply-Message

2002-11-21 Thread Alan DeKok
Remus Anca <[EMAIL PROTECTED]> wrote:
>   did succeed someone in 'put' messages, send by freeradius with
>   Reply-Message attribute, on windows screen?
> 
>   i know it's a windows problem, but how can i trick it?

  Read the FAQ?  It's not rocket science.

  Alan DeKok.




Re: Reply-Message

2002-11-21 Thread Karl Pielorz


--On 21 November 2002 16:50 +0200 Remus Anca <[EMAIL PROTECTED]> wrote:




  did succeed someone in 'put' messages, send by freeradius with
  Reply-Message attribute, on windows screen?

  i know it's a windows problem, but how can i trick it?

  thx.

  i think this is very useful for all ISP admin's

--
Remus


I don't think any of the actual Windows PPP stacks support this, i.e. it's 
not going to work :(

I can't see any way you can work around it either, if it's not supported by 
the client - it's not supported :-(

[And how many ISP's wish it was supported? :)]

-Kp




Reply-Message

2002-11-21 Thread Remus Anca


  did succeed someone in 'put' messages, send by freeradius with
  Reply-Message attribute, on windows screen?

  i know it's a windows problem, but how can i trick it?

  thx.

  i think this is very useful for all ISP admin's

-- 
Remus






Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Alan DeKok

Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> So, if the reject_delay = 0, radius sends the Reply-Message
> in Access-Reject back to the NAS,
> and if reject_delay = 1, does not.

  That's a bug.  I would think that rad_respond(), in
src/main/radiusd.c is to blame.  It shouldn't clean up
request->reply->vps if request->reply->data is NULL.

  Alan DeKok.




Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Fduch the Pravking

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >By the way, how can I say "Any number of such attribute"
> >for rlm_attr_filter?
> 
> It should already do that.  It doesn't track state, so if you permit
> 'Ascend-Data-Filter ~= ".*"' then it will allow through all attributes
> that match that rule.

It doesn't do that.
raddb/attrs:
DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address =~ ".*",
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =~ ".*",
        Reply-Message =~ ".*",
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =~ ".*",
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host :2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
User-Name = "stricted-user@realm"
User-Password = ""
NAS-IP-Address = ""
NAS-Port-Id = "3"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "attr_filter" returns noop
  modcall[authorize]: module "files" returns notfound
  rlm_realm: Proxying request from user register to realm realm
  modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to 
User-Name = "stricted-user@realm"
User-Password = ""
NAS-IP-Address = ""
NAS-Port-Id = "3"
Proxy-State = "244"
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host , id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
User-Name = "stricted-user@realm"
User-Password = ""
NAS-IP-Address = ""
Proxy-State = 0x323434
NAS-Identifier = ""
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair = "ip:inacl#1=permit udp..."
Cisco-AVPair = "ip:inacl#2=permit udp..."
Cisco-AVPair = "ip:inacl#3=permit udp..."
Cisco-AVPair = "ip:inacl#4=permit udp..."
Cisco-AVPair = "ip:inacl#5=permit udp..."
Cisco-AVPair = "ip:inacl#6=permit udp..."
Cisco-AVPair = "ip:inacl#7=permit udp..."
Cisco-AVPair = "ip:inacl#8=permit tcp..."
Cisco-AVPair = "ip:inacl#9=permit tcp..."
Cisco-AVPair = "ip:inacl#10=deny ip any any"
Cisco-AVPair = "ip:outacl#1=permit udp..."
Cisco-AVPair = "ip:outacl#2=permit udp..."
Cisco-AVPair = "ip:outacl#3=permit udp..."
Cisco-AVPair = "ip:outacl#4=permit udp..."
Cisco-AVPair = "ip:outacl#5=permit udp..."
Cisco-AVPair = "ip:outacl#6=permit udp..."
Cisco-AVPair = "ip:outacl#7=permit udp..."
Cisco-AVPair = "ip:outacl#8=permit tcp..."
Cisco-AVPair = "ip:outacl#9=permit tcp..."
Cisco-AVPair = "ip:outacl#10=deny ip any any"
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  attr_filter: Matched entry DEFAULT at line 84
  modcall[authorize]: module "attr_filter" returns updated
  modcall[authorize]: module "files" returns notfound
  modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas  port 0)
Sending Access-Accept of id 244 to :2893
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair = "ip:inacl#1=permit udp..."
Finished request 35
Going to the next request


So, only the first Cisco-AVPair attribute is sent back to the NAS.
The only way I see is to add as many 'Cisco-AVPair =~ ".*"' lines
to raddb/attrs as it seems to be possible :(

Any comments or suggestions?

-- 
Fduch M. Pravking




Re: Access-Reject proxied without Reply-Message

2002-03-29 Thread Fduch the Pravking

On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
> Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> > We have freeradius-0.5 doing only proxy.
> > And the problem is:
> > when radius receives Access-Reject packet from remote server,
> > it proxies it back to the NAS without any attributes,
> > Reply-Message in particular.
> 
>   Read the RFCs.  That's how RADIUS is *supposed* to work.

I've found nothing in RFC 2865 about any restrictions
for Access-Reject but this:

   If any condition is not met, the RADIUS server sends an "Access-
   Reject" response indicating that this user request is invalid.  If
   desired, the server MAY include a text message in the Access-Reject
   which MAY be displayed by the client to the user.  No other
   Attributes (except Proxy-State) are permitted in an Access-Reject.

So, Reply-Message MAY be present in Access-Reject,
and it is PRESENT in the packet from remote server,
but is not being sent back to NAS by this proxy radius.

Correct me if I'm wrong, please.

Here is a bug, I think, and it comes from delaying
the Access-Reject:

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >And what does "Delaying request 91752 for 1 seconds" mean?
>
> It's a throttling feature.  Some radius clients can cause what amounts
> to a DOS by repeatedly requesting authentication for failed users.  IE,
> user gets rejected, nas sends another request, user gets rejected, nas
> sends another request.  This was for a PPPoE/DSL authentication, so it
> was instantaneous.  A configurable delay before sending the Reject
> back to the NAS allows the server to effectively throttle the rate at
> which that type of NAS can hammer it with requests.  If you set it to
> zero, it disables the delay altogether.
>
> This is in the 'security' section of the 'radiusd.conf' file.

Sorry, Chris, I'm slightly blind :)

When I set reject_delay = 0 in the security section of radiusd.conf,
the same Access-Request packet shows the following:

% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
User-Name = "sltest"
User-Password = "U\356~\271\354X\213
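
The RFC 2865 rule quoted in the message above (an Access-Reject may carry only Reply-Message and Proxy-State) can be checked against the packet format directly. The following is an added example, not code from FreeRADIUS or from anyone in this thread; the function names and the sample packet are constructed for illustration.

```python
import hashlib
import struct

ACCESS_REJECT, REPLY_MESSAGE, PROXY_STATE = 3, 18, 33
# RFC 2865: an Access-Reject may carry only Reply-Message and Proxy-State.
ALLOWED_IN_REJECT = {REPLY_MESSAGE, PROXY_STATE}

def parse_packet(data):
    """Return (code, id, authenticator, [(attr_type, value), ...])."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def filter_reject(data):
    """Drop what RFC 2865 forbids in an Access-Reject; keep the rest in order."""
    code, ident, auth, attrs = parse_packet(data)
    if code != ACCESS_REJECT:
        return data
    kept = [(t, v) for t, v in attrs if t in ALLOWED_IN_REJECT]
    return build_packet(code, ident, auth, kept)

def sign_response(packet, request_auth, secret):
    """Recompute the Response Authenticator once the attributes have changed."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return packet[:4] + digest + packet[20:]

# Constructed sample: a reject from a home server carrying one forbidden attribute.
SAMPLE = build_packet(ACCESS_REJECT, 13, bytes(16), [
    (REPLY_MESSAGE, b"Account expired"),
    (8, bytes([10, 1, 1, 12])),  # Framed-IP-Address, not allowed in a reject
    (PROXY_STATE, b"244"),
])
```

Filtering SAMPLE keeps the Reply-Message and the Proxy-State and drops only the Framed-IP-Address. Because the attribute list changed, the packet has to be re-signed with the request's authenticator and the shared secret before it is sent on.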



Re: Access-Reject proxied without Reply-Message

2002-03-28 Thread Alan DeKok

Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> We have freeradius-0.5 doing only proxy.
> And the problem is:
> when radius receives Access-Reject packet from remote server,
> it proxies it back to the NAS without any attributes,
> Reply-Message in particular.

  Read the RFCs.  That's how RADIUS is *supposed* to work.

  Alan DeKok.




Re: How to change Reply-Message attribute if authentication is failed

2002-01-16 Thread aland

"Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
> Is it possible to add this feature in the next version of FreeRadius?

  Sure.  Supply a patch, and it will be integrated.

  Alan DeKok.




Re: How to change Reply-Message attribute if authentication is failed

2002-01-16 Thread Sergey Kodentsev

Hello, Alan!

 a> "Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
 >> How can I change or remove the "Reply-Message" attribute if
 >> authentication fails?

 a>   You can't, sorry.

Is it possible to add this feature in the next version of FreeRadius?

Sergey Kodentsev.









Re: How to change Reply-Message attribute if authentication is failed

2002-01-15 Thread aland

"Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
> How can I change or remove the "Reply-Message" attribute if authentication
> fails?

  You can't, sorry.

  Alan DeKok.




How to change Reply-Message attribute if authentication is failed

2002-01-15 Thread Sergey Kodentsev

Hello!

Part of my users file is given below.


DEFAULT Auth-Type := System
        Reply-Message := "Test message",
        Fall-Through = Yes

.

How can I change or remove the "Reply-Message" attribute if authentication
fails?

Sergey Kodentsev









ignored Reply-Message from Exec-Program-Wait

2001-10-30 Thread Bobi

Hi List,
Can anybody tell me why the Reply-Message returned by Exec-Program was ignored?
Here is debug:

Exec-Program-Wait: value-pairs: Reply-Message := "Current hours restriction"
Exec-Program: returned: 10
Sending Access-Reject of id 243 to 212.36.0.225:1645
    Reply-Message = "\r\nAccess denied (external check failed)."
Finished request 256

--
B

