RE: Access-Reject has no Reply-Message (2nd try)
> From: Nomura Takeru
> Sent: Monday, 20 October 2003 6:35 PM

> I want my freeradius server to send Access-Reject packet with Reply-Message
> in it, so that NAS can alert user when authentication fails. But, it's not
> working so far.
> When authentication succeeds, my freeradius server sends Access-Accept
> packet with Reply-Message in it. But when authentication fails, it sends
> Access-Reject packet with no Reply-Message in it.

> So my question is why my freeradius doesn't include Reply-Message into
> Access-Reject packet, and how can I fix this problem?

> ---users
> [EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP,
>         Framed-IP-address = 192.168.200.1,
>         Framed-IP-Netmask = 255.255.255.0,
>         Session-Timeout = 30,
>         Reply-Message="111",
>         Reply-Message="222",
>         Reply-Message="333",
>

As you've observed, this will only add a Reply-Message if the authentication
succeeds. In the same way as it will only give an IP address or Session
Timeout if it succeeds.

As for how to send a Reply-Message on failure, I dunno off hand. :-)

--
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

On a sidewalk near Portland State
University someone wrote `Trust Jesus', and
someone else wrote `But Cut the Cards'.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Access-Reject has no Reply-Message (2nd try)
Sorry, this may annoy some of you.
Some people pointed out that I didn't put enough information in my last
mail, so I am sending this mail again with the information required in the FAQ.

I want my freeradius server to send Access-Reject packet with Reply-Message
in it, so that NAS can alert user when authentication fails. But, it's not
working so far.
When authentication succeeds, my freeradius server sends Access-Accept packet
with Reply-Message in it. But when authentication fails, it sends Access-Reject
packet with no Reply-Message in it.

So my question is why my freeradius doesn't include Reply-Message into
Access-Reject packet, and how can I fix this problem?

Attached logs are:
1) relevant portion of users
2) debugging output of 'radiusd -X'
   (I have sent 2 access-request messages after radiusd boots up, one with
   correct password and one with wrong password.)
3) debugging output of 'radtest'
4) version of Linux and radiusd


---users
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message="1111111",
        Reply-Message="2222222",
        Reply-Message="333",


---radiusd -X
[EMAIL PROTECTED] raddb]#
[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1645
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd.pid"
 main: user = "root"
 main: group = "root"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 security: max_attributes = 200
 security: reject_delay = 0
 main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1645/udp and 1646/udp, w
Re: Access-Reject has no Reply-Message
Nomura Takeru <[EMAIL PROTECTED]> wrote:
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contain
> Reply-Message in Access-Reject packet if Reply-Message is configured.

  Have you configured a Reply-Message?

> So my question is:
> Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
> how can I fix this problem?
>
> I have attached some logs below.

  You attached 'radiusd.conf', not the output of 'radiusd -X', as requested
in the FAQ and README's.

  Alan DeKok.
Re: Access-Reject has no Reply-Message
- Original Message -
From: "Nomura Takeru" <[EMAIL PROTECTED]>
> I want my freeradius to send Access-Reject packet with Reply-Message in
> it,
> so that NAS can alert user in some fancy way when authentication fails.
> But, it's not working so far.
> When authentication succeeds, my freeradius sends Access-Accept packet
> with Reply-Message in it, but this is not the way I want it to be.
>
> According to RFC, Access-Reject packet MAY contain Reply-Message.
> I have searched this ML, and found out that freeradius normally contain
> Reply-Message in Access-Reject packet if Reply-Message is configured.
>
> So my question is:
> Why my freeradius doesn't put Reply-Message into Access-Reject packet,
> and how can I fix this problem?
>
> I have attached some logs below.
> I really need help.
> Any information would be greatly appreciated.

I have sent a patch for this, but probably it wasn't accepted.
Maybe you know a better way to patch, so that it's accepted?

Here's my patch, which works fine for my needs:
--- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200
+++ src/main/auth.c 2003-08-27 16:02:34.0 +0200
@@ -805,15 +805,18 @@
 * had a non-zero exit status.
 */
if (umsg[0] == '\0') {
-user_msg = "\r\nAccess denied (external check failed).";
+/* Don't tell NAS that auth failed by external check */
+user_msg = NULL;
} else {
 user_msg = &umsg[0];
}

request->reply->code = PW_AUTHENTICATION_REJECT;
- tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
-
- pairadd(&request->reply->vps, tmp);
+ /* Only add reply-message when one is available */
+ if (user_msg != NULL) {
+tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
+pairadd(&request->reply->vps, tmp);
+ }
rad_authlog("Login incorrect (external check failed)",
 request, 0);



Thor.
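Review bot: the first half of the hunk trades the duplicate-message bug for a silent reject. With `user_msg = NULL` whenever `umsg` is empty, a genuine fork/exec failure (the `-1` return described in the comment whose tail opens this hunk) now yields an Access-Reject with no Reply-Message at all, which the NAS cannot tell apart from a deliberate reject by the script. The narrower fix is to keep the default string and guard only the `pairmake`/`pairadd` pair with a `pairfind(request->reply->vps, PW_REPLY_MESSAGE)` check, so the default is added only when the script returned no Reply-Message of its own; note also that `rad_authlog("Login incorrect (external check failed)", ...)` still logs every script reject as an external-check failure.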
Access-Reject has no Reply-Message
I want my freeradius to send Access-Reject packet with Reply-Message in it,
so that NAS can alert user in some fancy way when authentication fails.
But, it's not working so far.
When authentication succeeds, my freeradius sends Access-Accept packet
with Reply-Message in it, but this is not the way I want it to be.

According to RFC, Access-Reject packet MAY contain Reply-Message.
I have searched this ML, and found out that freeradius normally contain
Reply-Message in Access-Reject packet if Reply-Message is configured.

So my question is:
Why my freeradius doesn't put Reply-Message into Access-Reject packet, and
how can I fix this problem?

I have attached some logs below.
I really need help.
Any information would be greatly appreciated.


Regards,
Takeru

---
[version]
[EMAIL PROTECTED] raddb]# radiusd -v
radiusd: FreeRADIUS Version 0.5, for host i686-redhat-linux-gnu, built on
Apr 4 2002 at 04:33:11


[users]
[EMAIL PROTECTED] Auth-Type :=Local, User-Password == "secret"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-address = 192.168.200.1,
        Framed-IP-Netmask = 255.255.255.0,
        Session-Timeout = 30,
        Reply-Message="111",


[radius.conf]
[EMAIL PROTECTED] raddb]# more radiusd.conf
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.87 2002/03/14 18:47:06 aland Exp $
##

# The location of other config files and
# logfiles are declared in this file
#
# Also general configuration for modules can be done
# in this file, it is exported through the API to
# modules that ask for it.
#
# The configuration variables defined here are of the form ${foo}
# They are local to this file, and do not change from request to
# request.
#
# The per-request variables are of the form %{Attribute-Name}, and
# are taken from the values of the attribute in the incoming
# request. See 'doc/variables.txt' for more information.

# Stuff from autoconf
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

# Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run

#
# libdir: Where to find the rlm_* modules.
#
# This should be automatically set at configuration time.
#
# If the server builds and installs, but fails at execution time
# with an 'undefined symbol' error, then you can use the libdir
# directive to work around the problem.
#
# The cause is usually that a library has been installed on your
# system in a place where the dynamic linker CANNOT find it. When
# executing as root (or another user), your personal environment MAY
# be set up to allow the dynamic linker to find the library. When
# executing as a daemon, FreeRADIUS MAY NOT have the same
# personalized configuration.
#
# To work around the problem, find out which library contains that symbol,
# and add the directory containing that library to the end of 'libdir',
# with a colon separating the directory names. NO spaces are allowed.
#
# e.g. libdir = /usr/local/lib:/opt/package/lib
#
# If that does not work, then you can re-configure and re-build the
# server to NOT use shared libraries, via:
#
# ./configure --disable-shared
# make
# make install
#
libdir = /usr/lib

# pidfile: Where to place the PID of the RADIUS server.
#
# The server may be signalled while it's running by using this
# file.
#
# This file is written when ONLY running in daemon mode.
#
# e.g.: kill -HUP `cat /var/run/radiusd.pid`
#
pidfile = ${run_dir}/radiusd.pid


# user/group: The name (or #number) of the user/group to run radiusd as.
#
# We STRONGLY recommend that you run the server with as few permissions
# as possible. That is, if you're not using shadow passwords, the
# user and group items below should be set to 'nobody'.
#
#On SCO (ODT 3) use "user = nouser" and "group = nogroup".
#
# NOTE that some kernels refuse to setgid(group)
# when the value of (unsigned)group is above 6;
# don't use group nobody on these systems!
#
# On systems with shadow passwords, you might have to set 'group = shadow'
# for the server to be
Re: Reply-Message from external authorization doesn't work
- Original Message -
From: "Paul Hampson" <[EMAIL PROTECTED]>
> > From: Thor Spruyt
> > Sent: Monday, 1 September 2003 11:29 PM
> > > - Original Message -
> > From: <[EMAIL PROTECTED]>
> > > Hi.
> > > I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> > > I'm using external program for authorizing users. When authorization is
> > not
> > > allowed, I'd like to inform my user about reason of failure so I'm
> > > returning Reply-Message:="Some reason" in output from my program.
> > > But, Free Radius always returns "external check failed".
> >
> > The auth.c code always adds a reply-message attribute to the Auth-Reject
> > when the external program returns something else than 0.
> > I have patched the source code so it doesn't do this anymore.
>
> Why? I preferred the solution where it added the message, unless
> another Reply-Message had already been set. Is there some reason
> you don't want the Reply-Message set at all in this circumstance?

I noticed that even though my program was giving a Reply-Message, auth.c was
still adding its own Reply-Message. In the Auth-Reject packet, there were two
Reply-Message attributes, 1 from the external script and 1 added by auth.c,
and my NAS was only interpreting the latter.
So, since my program always returns a Reply-Message and I'm not that good in C
programming, the best solution for me was to comment out the code that added
the unneeded Reply-Message.

> I guess I can see that you may not want people to know your
> RADIUS server's on the blink...

Indeed. Or even knowing that there's an external program executed.

> Given the discussion about external programs returning 0 for
> ACCEPT, and anything else being reject (with error message)...

I don't think returning non-zero is always an error, since the script might
decide to deny access.

> Would it be better to only add the message if we get a -1
> back from the exec call, and let the script take care of it
> if we get a >0 and hence reject the call?
>
> If the script fails (as opposed to rejects the request), will
> it return anything other than -1?

Maybe the best thing to do is make it configurable in radiusd.conf, sort of a
default Reply-Message when the external program didn't supply one.
Also, I would make auth.c aware of the difference between an error and a
Reject by the external program. I don't know enough about exit codes to decide
which exit code should mean a Reject and which should indicate an error.

> Alternatively, convert to rlm_exec. Cases where it can't
> match Exec-Program{,-Wait} are probably interesting to the
> developers, since rlm_exec is (apparently) intended to replace
> Exec-Program{,-Wait}.

I wouldn't replace Exec-Program{,-Wait} with rlm_exec, since
Exec-Program{,-Wait} has certain advantages over rlm_exec, but I'm certainly
looking at the option.

This whole thing is just a minor issue for me, but I think that *not* having
to patch the source code is better :)

Regards,
Thor.
RE: Reply-Message from external authorization doesn't work
> From: Thor Spruyt
> Sent: Monday, 1 September 2003 11:29 PM
> - Original Message -
> From: <[EMAIL PROTECTED]>
> > Hi.
> > I'm using FreeRadius 0.9.0 on RedHat Linux 9.
> > I'm using external program for authorizing users. When authorization is
> not
> > allowed, I'd like to inform my user about reason of failure so I'm
> > returning Reply-Message:="Some reason" in output from my program.
> > But, Free Radius always returns "external check failed".
>
> The auth.c code always adds a reply-message attribute to the Auth-Reject
> when the external program returns something else than 0.
> I have patched the source code so it doesn't do this anymore.

Why? I preferred the solution where it added the message, unless
another Reply-Message had already been set. Is there some reason
you don't want the Reply-Message set at all in this circumstance?

I guess I can see that you may not want people to know your
RADIUS server's on the blink...

Given the discussion about external programs returning 0 for
ACCEPT, and anything else being reject (with error message)...

Would it be better to only add the message if we get a -1
back from the exec call, and let the script take care of it
if we get a >0 and hence reject the call?

If the script fails (as opposed to rejects the request), will
it return anything other than -1?

Alternatively, convert to rlm_exec. Cases where it can't
match Exec-Program{,-Wait} are probably interesting to the
developers, since rlm_exec is (apparently) intended to replace
Exec-Program{,-Wait}.

--
=
Paul "TBBle" Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start sufficiently far to the left.
-- Cambridge University Math Department

Random signature generator 3.0 by Paul "TBBle" Hampson
=
Re: Reply-Message from external authorization doesn't work
- Original Message - From: <[EMAIL PROTECTED]> > Hi. > I'm using FreeRadius 0.9.0 on RedHat Linux 9. > I'm using external program for authorizing users. When authorization is not > allowed, I'd like to inform my user about reason of failure so I'm > returning Reply-Message:="Some reason" in output from my program. > But, Free Radius always returns "external check failed". The auth.c code always adds a reply-message attribute to the Auth-Reject when the external program returns something else than 0. I have patched the source code so it doesn't do this anymore. Here's the patch: --- src/main/auth.c.orig 2003-08-27 15:57:17.0 +0200 +++ src/main/auth.c 2003-08-27 16:02:34.0 +0200 @@ -805,15 +805,18 @@ * had a non-zero exit status. */ if (umsg[0] == '\0') { -user_msg = "\r\nAccess denied (external check failed)."; +/* Don't tell NAS that auth failed by external check */ +user_msg = NULL; } else { user_msg = &umsg[0]; } request->reply->code = PW_AUTHENTICATION_REJECT; - tmp = pairmake("Reply-Message", user_msg, T_OP_SET); - - pairadd(&request->reply->vps, tmp); + /* Only add reply-message when one is available */ + if (user_msg != NULL) { +tmp = pairmake("Reply-Message", user_msg, T_OP_SET); +pairadd(&request->reply->vps, tmp); + } rad_authlog("Login incorrect (external check failed)", request, 0); You also might want to following patch, which gets rid of the 'waiting for semaphore' warning: --- src/main/threads.c.orig 2003-08-29 13:53:41.0 +0200 +++ src/main/threads.c 2003-08-29 13:54:22.0 +0200 @@ -185,7 +185,12 @@ */ DEBUG2("Thread %d waiting to be assigned a request", self->thread_num); + re_wait: if (sem_wait(&self->semaphore) != 0) { + /* Go back to waiting if ok */ + if (errno == EINTR) { +goto re_wait; + } radlog(L_ERR, "Thread %d failed waiting for semaphore: %s: Exiting\n", self->thread_num, strerror(errno)); break; Regards, Thor. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
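Review bot: in the auth.c hunk, `user_msg = NULL` removes the only indication that the external check itself failed; the `-1` (fork/exec error) and `>0` (script exited non-zero) cases named in the comment this hunk opens on now both produce a reject with no Reply-Message unless the script supplied one. Suggest keeping the default string and adding it only when `pairfind(request->reply->vps, PW_REPLY_MESSAGE)` finds nothing, i.e. guard the `pairmake`/`pairadd` pair rather than blanking `user_msg`; that removes the duplicate attribute without hiding a server-side failure from the operator.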
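Review bot: the `re_wait:` label and `goto` in the threads.c hunk implement the usual EINTR retry around `sem_wait()`, but a `while (sem_wait(&self->semaphore) != 0 && errno == EINTR) ;` loop says the same thing without a backward jump into the middle of the `if`. Either form needs `<errno.h>` included in threads.c, which the hunk does not show, and since the `DEBUG2("Thread %d waiting to be assigned a request", ...)` line sits before the label, a thread interrupted repeatedly logs once and then looks stuck in the debug output.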
Reply-Message from external authorization doesn't work
Hi.
I'm using FreeRadius 0.9.0 on RedHat Linux 9.
I'm using external program for authorizing users. When authorization is not
allowed, I'd like to inform my user about reason of failure so I'm
returning Reply-Message:="Some reason" in output from my program.
But, Free Radius always returns "external check failed".
When I let user in, I send other attributes and it works, so my method of
returning attributes seems to be OK.
So, what am I doing wrong?

Cheers,
Michal Hobot
Reply-Message added by auth.c even when already there
Hi,

Have a look at following code:

        if (exec_program && exec_wait) {
                r = radius_exec_program(exec_program, request, exec_wait,
                                        umsg, sizeof(umsg),
                                        request->packet->vps, &tmp);
                free(exec_program);
                exec_program = NULL;

                /*
                 * Always add the value-pairs to the reply.
                 */
                pairmove(&request->reply->vps, &tmp);
                pairfree(&tmp);

The value pairs have been added to the reply (my script outputs
Reply-Message = "Your account has expired.")

                if (r != 0) {
                        /*
                         * Error. radius_exec_program() returns -1 on
                         * fork/exec errors, or >0 if the exec'ed program
                         * had a non-zero exit status.
                         */

Not sure why this is indicated as an error. If the script decides to reject a
user, it returns 1, but that's no error.

                        if (umsg[0] == '\0') {
                                user_msg = "\r\nAccess denied (external check failed).";
                        } else {
                                user_msg = &umsg[0];
                        }

I can understand this, there's no umsg, so provide a default Reply-Message.

                        request->reply->code = PW_AUTHENTICATION_REJECT;
                        tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
                        pairadd(&request->reply->vps, tmp);

Shouldn't this only be added when there's not already a Reply-Message
attribute in &request->reply->vps ?!?

                        rad_authlog("Login incorrect (external check failed)",
                                    request, 0);
                        return RLM_MODULE_REJECT;
                }
        }

Thanx,

Thor Spruyt
System Engineer
Mobile: +32 (0)475 67 22 65
Email: [EMAIL PROTECTED]
Loose those wires ! www.sinfilo.com
Re: Reply-Message from Exec-Program-Wait with exit code 1
Hi,

I went a bit further.
Seems like tcpdump was only capturing the first 96 bytes of packets, so I used
tcpdump -s 0 and came to the surprise that freeradius is actually sending an
Access-Reject packet with 2 Reply-Message attributes.
The first Reply-Message attribute in the packets contains the output from the
external script.
The second Reply-Message attribute in the packets contains "login denied
(external check failed)"
So the NAS is just taking the last Reply-Message attribute of the packet to
display to the user.

Any way to tell freeradius only to send the output from the external script?

Thanx,
Thor.
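As an added example (not code from this thread or from FreeRADIUS), the following Python models the Exec-Program-Wait reject branch of auth.c that Thor walks through in "Reply-Message added by auth.c even when already there", encodes the resulting Access-Reject and parses it back the way tcpdump -s 0 showed it, so the two Reply-Message attributes are visible, then shows what the "add the default only if none is present" variant produces. The shared secret, request authenticator and packet ID are constructed values, and the handling of exit status -1 is my reading of Paul's suggestion, not documented FreeRADIUS behaviour.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3
REPLY_MESSAGE = 18  # attribute type of Reply-Message (RFC 2865)

# Default text the auth.c fragment quoted in the thread falls back to.
DEFAULT_DENIED = "\r\nAccess denied (external check failed)."

# Constructed sample values: secret and request authenticator are made up;
# the script output is what Thor's auth.pl returned on his failed login.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
SCRIPT_VPS = [(REPLY_MESSAGE, b"This account has expired since 2003-07-31 00:00:00.")]


def encode(code, ident, request_auth, secret, vps):
    """Serialise a RADIUS response; vps is a list of (type, bytes) pairs."""
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in vps)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    vps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        vps.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], vps


def verify_response(packet, request_auth, secret):
    """Check the Response Authenticator against the request it answers."""
    _, _, authenticator, _ = parse(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def reply_messages(packet):
    """All Reply-Message values in wire order, as a full capture shows them."""
    return [v.decode("utf-8", "replace") for t, v in parse(packet)[3] if t == REPLY_MESSAGE]


def build_reject(script_vps, exit_status, legacy=False, ident=16):
    """Model the Exec-Program-Wait failure branch of auth.c.

    legacy=True reproduces the 0.9.0 behaviour quoted in the thread: the
    script's attributes are moved into the reply and the default Reply-Message
    is appended unconditionally, giving two of them.
    legacy=False is the variant Paul Hampson preferred: add the default only
    when no Reply-Message is present.  Treating exit_status == -1 (fork/exec
    failure) as "script output not trustworthy, send the default only" is an
    assumption for this example.
    """
    reply = [] if exit_status == -1 else list(script_vps)
    has_msg = any(t == REPLY_MESSAGE for t, _ in reply)
    if legacy or not has_msg:
        reply.append((REPLY_MESSAGE, DEFAULT_DENIED.encode()))
    return encode(ACCESS_REJECT, ident, REQUEST_AUTH, SECRET, reply)


if __name__ == "__main__":
    for label, pkt in (("0.9.0 behaviour", build_reject(SCRIPT_VPS, 1, legacy=True)),
                       ("dedup fix", build_reject(SCRIPT_VPS, 1)),
                       ("exec failed", build_reject(SCRIPT_VPS, -1))):
        print(label, verify_response(pkt, REQUEST_AUTH, SECRET), reply_messages(pkt))
```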
Re: Reply-Message from Exec-Program-Wait with exit code 1
> Remember that windows users can't see any message returned from radius
>
> Sergio Jose Ferreira
> WGO Intenet
> Catalao - Go - Brazil

Well... I thought the -x would also tell me what it's putting in the
Auth-Reject packet, as it tells me what it does in the Auth-Accept packet.
So I now took ethereal and saw indeed the correct Reply-Message is being sent.

Successful login:
Exec-Program: /root/auth.pl
Exec-Program-Wait: value-pairs: Reply-Message = "Your account is valid until 2003-08-31 00:00:00.",Acct-Interim-Interval = 300,Idle-Timeout = 7200,Session-Timeout = 741631
Exec-Program: returned: 0
Login OK: [thor] (from client colubris port 1 cli 00-01-F4-ED-6E-87)
Sending Access-Accept of id 16 to 192.168.100.2:1026
        Reply-Message = "Your account is valid until 2003-08-31 00:00:00."
        Acct-Interim-Interval = 300
        Idle-Timeout = 7200
        Session-Timeout = 741631

Failed login:
Exec-Program: /root/auth.pl
Exec-Program-Wait: value-pairs: Reply-Message = "This account has expired since 2003-07-31 00:00:00."
Exec-Program: returned: 1
Login incorrect (external check failed): [thor] (from client colubris port 1 cli 00-01-F4-ED-6E-87)

Proposed addition:
Sending Access-Reject of ... to ...
        Reply-Message = "Your account is valid until 2003-08-31 00:00:00."

Regards,
Thor.
RES: Reply-Message from Exec-Program-Wait with exit code 1
> Hi,
>
> I have setup radius with mysql authentication and exec-program-wait for
> authorization.
>
> Some examples of what the script does:
>
> If the user's account is ok, I output:
> Reply-Message = "Your account is valid until xx/xx/xx."
> Session-Timeout = 3600
>
> If the user has no more amount on his account, I output:
> Reply-Message = "You have no amount left on your account."
> and stop the script with exit code 1
>
> If the user's account has expired, I output:
> Reply-Message = "Your account has expired."
> and stop the script with exit code 1
>
> Now, when the script exits with code 1, freeradius sends an Auth-Reject
> packet with the message "authentication failed (by external program)"
> instead of the Reply-Message attribute.
>
> I tried with exiting with code 0 and Auth-Type = Reject, but then the login
> is accepted instead of rejected.
>
> I just want the script to be able to reject a user while sending a proper
> reply-message why he has been rejected.

See this script example in PHP :

Remember that windows users can't see any message returned from radius

Sergio Jose Ferreira
WGO Intenet
Catalao - Go - Brazil
Re: Reply-Message from Exec-Program-Wait with exit code 1
Hmm... I just bought the Radius book from O'Reilly (ordered 1 month ago), but
of course Murphy had to show up... I don't find anything in the book about
Exec-Program(-Wait) !!!

Anybody any idea ?!?

> Hi,
>
> I have setup radius with mysql authentication and exec-program-wait for
> authorization.
>
> Some examples of what the script does:
>
> If the user's account is ok, I output:
> Reply-Message = "Your account is valid until xx/xx/xx."
> Session-Timeout = 3600
>
> If the user has no more amount on his account, I output:
> Reply-Message = "You have no amount left on your account."
> and stop the script with exit code 1
>
> If the user's account has expired, I output:
> Reply-Message = "Your account has expired."
> and stop the script with exit code 1
>
> Now, when the script exits with code 1, freeradius sends an Auth-Reject
> packet with the message "authentication failed (by external program)"
> instead of the Reply-Message attribute.
>
> I tried with exiting with code 0 and Auth-Type = Reject, but then the login
> is accepted instead of rejected.
>
> I just want the script to be able to reject a user while sending a proper
> reply-message why he has been rejected.
>
> Thanx.
>
> Thor Spruyt
> System Engineer
> Mobile: +32 (0)475 67 22 65
> Email: [EMAIL PROTECTED]
> Loose those wires ! www.sinfilo.com
Reply-Message from Exec-Program-Wait with exit code 1
Hi,

I have setup radius with mysql authentication and exec-program-wait for
authorization.

Some examples of what the script does:

If the user's account is ok, I output:
Reply-Message = "Your account is valid until xx/xx/xx."
Session-Timeout = 3600

If the user has no more amount on his account, I output:
Reply-Message = "You have no amount left on your account."
and stop the script with exit code 1

If the user's account has expired, I output:
Reply-Message = "Your account has expired."
and stop the script with exit code 1

Now, when the script exits with code 1, freeradius sends an Auth-Reject
packet with the message "authentication failed (by external program)"
instead of the Reply-Message attribute.

I tried with exiting with code 0 and Auth-Type = Reject, but then the login
is accepted instead of rejected.

I just want the script to be able to reject a user while sending a proper
reply-message why he has been rejected.

Thanx.

Thor Spruyt
System Engineer
Mobile: +32 (0)475 67 22 65
Email: [EMAIL PROTECTED]
Loose those wires ! www.sinfilo.com
Re: reply-message
hi alan

your answers always appear before the original questions, which is a little
bit surprising :-) e.g. to my email originally written at 20:50 +02:00 you
answered at 11:06 -04:00. evidently it's not possible, provided that we have
the same reference point. do you make reference to GMT or what?

then, to your email: i would like to test it with AP340/250. which is the
attribute to put into the user configuration in order to get assigned an ip
by the radius server? :-)

ciao
artur

Alan DeKok wrote:
>
> Artur Hecker <[EMAIL PROTECTED]> wrote:
> > Alan: what do you think, if freeradius assigned an ip-address to the
> > user in a corresponding radius attribute and the client (AP) would use
> > it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> > message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> > think something like this would be possible?
>
> It should be possible, but I don't know off-hand if any AP's work
> that way.
>
> Alan DeKok.

--
Artur Hecker
artur[at]hecker.info
Re: reply-message
Artur Hecker <[EMAIL PROTECTED]> wrote:
> Alan: what do you think, if freeradius assigned an ip-address to the
> user in a corresponding radius attribute and the client (AP) would use
> it for the client's DHCP/BOOTP relay which then would emit an DHCPOFFER
> message, could it work? I'm not an expert in BOOTP/DHCP, but do you
> think something like this would be possible?

  It should be possible, but I don't know off-hand if any AP's work
that way.

  Alan DeKok.
Re: reply-message
hi sylvain

i have to admit that i don't really understand the first part of your
question. but, in the case you are using EAP/MD5 try to read the FAQ under
http://www.freeradius.org/doc/EAP-MD5.html and look for Reply-Message. Could
it be this kind of problem?

for the second part, it's interesting - i didn't try it but, as alan, i asked
myself if it is possible some time ago and i promptly came up with a solution
which i'm not sure about.

Alan: what do you think, if freeradius assigned an ip-address to the user in
a corresponding radius attribute and the client (AP) would use it for the
client's DHCP/BOOTP relay which then would emit an DHCPOFFER message, could
it work? I'm not an expert in BOOTP/DHCP, but do you think something like
this would be possible?

ciao
artur

Alan DeKok wrote:
>
> Sylvain Masnada <[EMAIL PROTECTED]> wrote:
> > I'd like to know why the "reply-message" attribute is sent by
> > freeradius in a access-reject packet. I use this attribute to
> > welcome people who connected themselves on my wireless network. But
> > with xsupplicant, this access-reject disconnects my user, who
> > reconnects immediately and is disconnected and reconnected and ...
>
> I don't think that the Reply-Message has anything to do with it.
>
> If the user is rejected, they can try again immediately. After some
> number of retries, the AP will deny them access. See the AP
> configuration for details.
>
> > I'd like to know if my AP which is a cisco AP350 can cause me
> > troubles when I try to assign an ip to the users.
>
> So far as I know, it can't be done. The users are authenticating to
> the AP (and then FreeRADIUS) through the EAP protocol, which doesn't
> support setting the IP address.
>
> Alan DeKok.

--
Artur Hecker
artur[at]hecker.info
Re: reply-message
Sylvain Masnada <[EMAIL PROTECTED]> wrote:
> I'd like to know why the "reply-message" attribute is sent by
> freeradius in a access-reject packet. I use this attribute to
> welcome people who connected themselves on my wireless network. But
> with xsupplicant, this access-reject disconnects my user, who
> reconnects immediately and is disconnected and reconnected and ...

I don't think that the Reply-Message has anything to do with it.

If the user is rejected, they can try again immediately. After some number of retries, the AP will deny them access. See the AP configuration for details.

> I'd like to know if my AP which is a cisco AP350 can cause me
> troubles when I try to assign an ip to the users.

So far as I know, it can't be done. The users are authenticating to the AP (and then FreeRADIUS) through the EAP protocol, which doesn't support setting the IP address.

Alan DeKok.
reply-message
hi everybody,

I'd like to know why the "reply-message" attribute is sent by freeradius in an access-reject packet. I use this attribute to welcome people who connected themselves on my wireless network. But with xsupplicant, this access-reject disconnects my user, who reconnects immediately and is disconnected and reconnected and ...

I'd like to know if my AP which is a cisco AP350 can cause me troubles when I try to assign an ip to the users. My user is configured like the steve example in users. Freeradius sends framed-IP-Address, Netmask ... correctly (freeradius debug tells me so) but my client never has an IP assigned as I would like. What have I to do to assign an IP to my users?

Please help me.
Thx in advance
Sylvain
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote: > > Dear developers, how about customizable messages? Something like > > this in radiusd.conf: > > > > messages { > > multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n" > > timespan_violation = "You are calling outside allowed timespan\r\n" > >... > >} > > Sure. Almost done. I could get rid of radius_xlat calls, if the "user_msg == NULL" check is removed around the following block (auth.c, lines 850-865): /* * Filter (possibly multiple) Reply-Message attributes * through radius_xlat, modifying them in place. */ if (user_msg == NULL) { reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE); while (reply_item) { radius_xlat(buf, sizeof(reply_item->strvalue), (char *)reply_item->strvalue, request, NULL); strNcpy((char *)reply_item->strvalue, buf, sizeof(reply_item->strvalue)); reply_item->length = strlen((char *)reply_item->strvalue); user_msg = NULL; reply_item = pairfind(reply_item->next, PW_REPLY_MESSAGE); } } There's no more need for it, I think. Also, the mentioned xlat.c patch should be applied too to allow expansion of %{check:...} attributes. Local tests are OK. -- Fduch M. Pravking Index: src/include/radiusd.h === RCS file: /source/radiusd/src/include/radiusd.h,v retrieving revision 1.140 diff -u -p -r1.140 radiusd.h --- src/include/radiusd.h 23 Jul 2003 19:50:38 - 1.140 +++ src/include/radiusd.h 29 Jul 2003 21:28:42 - @@ -172,6 +172,15 @@ typedef struct main_config_t { REALM *realms; } MAIN_CONFIG_T; +typedef struct messages_config_t { + const char *expiration; + const char *double_login; + const char *multiple_login; + const char *timespan_violation; + const char *exec_failure; + const char *auth_failure; +} MESSAGE_CONFIG_T; + #define DEBUG if(debug_flag)log_debug #define DEBUG2 if (debug_flag > 1)log_debug 
@@ -364,6 +373,7 @@ extern int total_active_threads /* mainconfig.h */ /* Define a global config structure */ extern struct main_config_t mainconfig; +extern struct messages_config_t server_messages; int read_mainconfig(int reload); int free_mainconfig(void); Index: src/main/mainconfig.c === RCS file: /source/radiusd/src/main/mainconfig.c,v retrieving revision 1.21 diff -u -p -r1.21 mainconfig.c --- src/main/mainconfig.c 22 Jul 2003 18:16:23 - 1.21 +++ src/main/mainconfig.c 29 Jul 2003 21:30:39 - @@ -45,6 +45,7 @@ struct main_config_t mainconfig; +struct messages_config_t server_messages; /* * Local variables for stuff. @@ -83,6 +84,25 @@ static CONF_PARSER security_config[] = { }; /* + * A list of global messages sent back in certain cases + */ +static CONF_PARSER messages_config[] = { + { "expiration", PW_TYPE_STRING_PTR, 0, &server_messages.expiration, + "Password Has Expired\r\n" }, + { "double_login", PW_TYPE_STRING_PTR, 0, &server_messages.double_login, + "\r\nYou are already logged in - access denied\r\n" }, + { "multiple_login", PW_TYPE_STRING_PTR, 0, &server_messages.multiple_login, + "\r\nYou are already logged in %{check:Simultaneous-Use} times - access denied\r\n" }, + { "timespan_violation", PW_TYPE_STRING_PTR, 0, &server_messages.timespan_violation, + "You are calling outside your allowed timespan\r\n" }, + { "exec_failure", PW_TYPE_STRING_PTR, 0, &server_messages.exec_failure, + "\r\nAccess denied (external check failed).\r\n" }, + { "auth_failure", PW_TYPE_STRING_PTR, 0, &server_messages.auth_failure, + "" }, + { NULL, -1, 0, NULL, NULL } +}; + +/* * A mapping of configuration file names to internal variables */ static CONF_PARSER server_config[] = { 
@@ -126,6 +146,7 @@ static CONF_PARSER server_config[] = { { "proxy_requests", PW_TYPE_BOOLEAN, 0, &mainconfig.proxy_requests, "yes" }, { "proxy", PW_TYPE_SUBSECTION, 0, proxy_config, NULL }, { "security", PW_TYPE_SUBSECTION, 0, security_config, NULL }, + { "messages", PW_TYPE_SUBSECTION, 0, messages_config, NULL }, { "debug_level", PW_TYPE_INTEGER, 0, &mainconfig.debug_l
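Review bot: the `auth_failure` default of `""` in the messages_config[] hunk of mainconfig.c depends on the separate rad_send() change that omits zero-length string attributes (RFC 2865 says a zero-length string MUST NOT be sent); without that change a rejected user gets an empty Reply-Message on the wire, so either land the two together or skip pairadd() when the configured message is empty. The radiusd.h hunk names the typedef MESSAGE_CONFIG_T while the struct and the extern in mainconfig.h use messages_config_t; pick one spelling. No hunk adds a `messages { ... }` section to raddb/radiusd.conf.in documenting the six keys, which is also the place to note that `%{check:...}` expansions inside them (as in the `multiple_login` default) copy check items into a string that goes to the NAS.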
Re: Reply message from the counter module
On Tue, Jul 29, 2003 at 10:52:59AM -0400, Alan DeKok wrote: > "Alexander M. Pravking" <[EMAIL PROTECTED]> wrote: > > > > By the way, %{Simultaneuos-Use} will not work, since there's no way to > > > > expand check items from the request... > > > > > > Nonsense. See 'doc/variables.txt' > > > > Huh? > > Hmm... if it's not there, then it's trivial enough to add. ~10 > lines in src/main/xlat.c should do it. Here's a patch. I used "check:" as a prefix, maybe someone suggests more reasonable one? Index: doc/variables.txt === RCS file: /source/radiusd/doc/variables.txt,v retrieving revision 1.7 diff -u -p -r1.7 variables.txt --- doc/variables.txt 11 Apr 2003 17:54:58 - 1.7 +++ doc/variables.txt 29 Jul 2003 16:16:06 - @@ -4,6 +4,8 @@ The variables defined by the server are: in request %{request:Attribute-Name} Corresponding value for Attribute-Name in request + %{check:Attribute-Name} Corresponding value for Attribute-Name + in check items %{reply:Attribute-Name} Corresponding value for Attribute-Name in reply %{proxy-reply:Attribute-Name} Corresponding value for Attribute-Name @@ -12,9 +14,9 @@ The variables defined by the server are: %{config:section.subsection.item} Corresponding value in 'radiusd.conf' for the string value of that item. - The %{config:...} variables should be used VERY carefully, as they -may leak secret information from your RADIUS server, if you use them -in reply attributes to the NAS! + The %{config:...} and %{check:... } variables should be used VERY +carefully, as they may leak secret information from your RADIUS server, +if you use them in reply attributes to the NAS! e.g. Index: src/main/xlat.c === RCS file: /source/radiusd/src/main/xlat.c,v retrieving revision 1.55 diff -u -p -r1.55 xlat.c --- src/main/xlat.c 18 Mar 2003 05:50:54 - 1.55 +++ src/main/xlat.c 29 Jul 2003 16:17:53 - 
@@ -232,6 +232,16 @@ static void decode_attribute(const char } /* +* Find an attibute from the config items +*/ + } else if (strncasecmp(attrname,"check:",6) == 0) { + if((tmpda = dict_attrbyname(&attrname[6])) && + (tmppair = pairfind(request->config_items, tmpda->attr))) { + q += valuepair2str(q,freespace,tmppair,tmpda->type, func); + found = 1; + } + + /* * Find an attribute from the request. */ } else if (strncasecmp(attrname,"request:",8) == 0) { -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
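Review bot: the new `check:` branch in decode_attribute() hands back any check item by name, including User-Password, and the only safeguard is the warning added to doc/variables.txt; consider refusing to expand password-type check items (or at least DEBUG-logging each `check:` expansion) so a careless Reply-Message template cannot echo a cleartext password to the NAS. Minor: the new comment reads "Find an attibute" (typo), and the doc hunk has a stray space in `%{check:... }`.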
Re: Reply message from the counter module
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> > > By the way, %{Simultaneuos-Use} will not work, since there's no way to
> > > expand check items from the request...
> >
> > Nonsense. See 'doc/variables.txt'
>
> Huh?

Hmm... if it's not there, then it's trivial enough to add. ~10 lines in src/main/xlat.c should do it.

> Wrong question - wrong answer... I mean, which one should be used in
> radiusd code when adding the Reply-Message? Hmm, what's the matter with
> me? The code already uses some operators, so I'll simply leave them.
> Right?

pairadd()

Alan DeKok.
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 08:11:26PM -0400, Alan DeKok wrote:
> "Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> > By the way, %{Simultaneous-Use} will not work, since there's no way to
> > expand check items from the request...
>
> Nonsense. See 'doc/variables.txt'

Huh?

    %{Attribute-Name}               Corresponding value for %Attribute-Name
                                    in request
    %{request:Attribute-Name}       Corresponding value for %Attribute-Name
                                    in request
    %{reply:Attribute-Name}         Corresponding value for %Attribute-Name
                                    in reply
    %{proxy-reply:Attribute-Name}   Corresponding value for %Attribute-Name
                                    in the proxy reply (if it exists)
    %{config:section.subsection.item}
                                    Corresponding value in 'radiusd.conf'
                                    for the string value of that item.

The xlat sources say the same. Did I miss something?

> > One more question. Which operator should I use to add Reply-Message?
> > ":=" or "=" or "+="?
>
> It depends if you want one, or more than one. See the 'man' page
> for the 'users' file.

Wrong question - wrong answer... I mean, which one should be used in radiusd code when adding the Reply-Message? Hmm, what's the matter with me? The code already uses some operators, so I'll simply leave them. Right?

--
Fduch M. Pravking
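The variable list quoted above, plus the `%{check:...}` prefix proposed in the xlat.c patch earlier in this thread, describe a string expander over several attribute lists. The following is an added illustration, not FreeRADIUS code: it expands the `request:`, `reply:`, `proxy-reply:` and `check:` prefixes over plain dictionaries (the real server walks VALUE_PAIR lists and also supports `config:`, which is left out here), treats an unknown attribute as the empty string, and refuses to expand a constructed deny-list of check items so that a Reply-Message template cannot leak a cleartext password to the NAS, the risk the variables.txt warning is about. The deny-list and the "unknown expands to empty" rule are assumptions of this example.

```python
import re

# %{Attr}, %{request:Attr}, %{reply:Attr}, %{proxy-reply:Attr}, %{check:Attr}
XLAT_RE = re.compile(r"%\{(?:(request|reply|proxy-reply|check):)?([A-Za-z0-9-]+)\}")

# Constructed deny-list: check items that must never be copied into a reply
# string.  A real deployment would list every password-carrying check item.
DENIED_CHECK_ITEMS = frozenset({"User-Password"})


def xlat(template, lists, denied=DENIED_CHECK_ITEMS):
    """Expand %{...} variables in `template`.

    `lists` maps a list name ("request", "reply", "proxy-reply", "check")
    to a dict of attribute name -> string value.  A bare %{Attr} reads the
    request list.  Missing lists or attributes expand to "" (assumption of
    this example).  Returns (expanded_text, names_refused).
    """
    refused = []

    def substitute(match):
        which = match.group(1) or "request"
        name = match.group(2)
        if which == "check" and name in denied:
            refused.append(name)          # never echo a secret check item
            return ""
        return lists.get(which, {}).get(name, "")

    return XLAT_RE.sub(substitute, template), refused


if __name__ == "__main__":
    # Constructed sample lists, modelled on the simultaneous-use case above.
    sample = {
        "request": {"User-Name": "gunce", "NAS-Port-Id": "3"},
        "reply": {"Session-Timeout": "30"},
        "check": {"Simultaneous-Use": "1", "User-Password": "secret"},
    }
    text, bad = xlat("You are already logged in %{check:Simultaneous-Use} times", sample)
    print(text, bad)
    text, bad = xlat("pw=%{check:User-Password}", sample)
    print(repr(text), bad)
```

The same substitution callback is where the real server could log each `check:` expansion, which gives an operator a trace of which check items ever reach a reply string.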
Re: Reply message from the counter module
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> By the way, %{Simultaneous-Use} will not work, since there's no way to
> expand check items from the request...

Nonsense. See 'doc/variables.txt'

> How about, say, new integer attribute like FreeRADIUS-Reply-Code,
> which will be automatically replaced with a corresponding Reply-Message
> just before reply? However, in this case we still need some mapping
> from FreeRADIUS-Reply-Code to Reply-Message, other than dictionary.

No. You should be able to use messages from the configuration inside of a Reply-Message attribute, but any kind of "mapping" is more trouble than it's worth.

> And FreeRADIUS sends attributes no matter of their length.
> A small patch solves this (works for me, please, test it):

That's a bug. I'll add the fix.

> One more question. Which operator should I use to add Reply-Message?
> ":=" or "=" or "+="?

It depends if you want one, or more than one. See the 'man' page for the 'users' file.

Alan DeKok.
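The bug Alan acknowledges here is the one Alexander's radius.c patch (quoted in the message he is replying to) fixes: RFC 2865 says a string attribute of length zero MUST NOT be sent and the whole attribute is to be omitted instead. The following is an added example, not FreeRADIUS library code: a minimal RADIUS attribute TLV encoder that applies that rule and the 253-octet limit, with a decoder to show what actually reaches the wire. Attribute numbers are the RFC 2865 ones (User-Name = 1, Reply-Message = 18, Session-Timeout = 27); the sample pairs are constructed.

```python
import struct

# RFC 2865 attribute type numbers used in this example.
USER_NAME = 1
REPLY_MESSAGE = 18
SESSION_TIMEOUT = 27

STRING_TYPES = {"string", "octets"}


def encode_attribute(attr_type, value_type, value):
    """Encode one attribute as Type|Length|Value, or return b"" to omit it.

    RFC 2865 section 5: strings of length zero MUST NOT be sent; omit the
    entire attribute instead.  The value field is at most 253 octets.
    """
    if value_type in STRING_TYPES:
        data = value if isinstance(value, bytes) else value.encode("utf-8")
        if len(data) == 0:
            return b""                      # omit, as the RFC requires
        if len(data) > 253:
            raise ValueError("string attribute longer than 253 octets")
    elif value_type == "integer":
        data = struct.pack("!I", value)      # 32-bit big-endian
    else:
        raise ValueError("unsupported value type %r" % value_type)
    return bytes([attr_type, len(data) + 2]) + data


def encode_attributes(pairs):
    """Encode an ordered list of (type, value_type, value).

    Returns (wire_bytes, omitted_count) so a caller can log what was dropped
    instead of letting it vanish silently.
    """
    out = bytearray()
    omitted = 0
    for attr_type, value_type, value in pairs:
        encoded = encode_attribute(attr_type, value_type, value)
        if encoded:
            out += encoded
        else:
            omitted += 1
    return bytes(out), omitted


def decode_attributes(data):
    """Walk a TLV run and return [(type, raw_value), ...]; rejects bad lengths."""
    result = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        result.append((attr_type, bytes(data[i + 2:i + length])))
        i += length
    return result


if __name__ == "__main__":
    # Constructed reply: an empty auth_failure message beside a real one.
    wire, omitted = encode_attributes([
        (USER_NAME, "string", "sltest"),
        (REPLY_MESSAGE, "string", ""),
        (REPLY_MESSAGE, "string", "Access denied\r\n"),
        (SESSION_TIMEOUT, "integer", 30),
    ])
    print(wire.hex(), "omitted:", omitted)
    print(decode_attributes(wire))
```

Returning the omitted count is the counterpart of the debug line a server should emit when it drops an attribute, so a configured-but-empty Reply-Message is visible in the logs rather than just absent from the packet.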
Re: Reply message from the counter module
On Mon, Jul 28, 2003 at 02:02:22PM -0400, Alan DeKok wrote: > > Dear developers, how about customizable messages? Something like > > this in radiusd.conf: > > > > messages { > > multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n" > > timespan_violation = "You are calling outside allowed timespan\r\n" > >... > >} > > Sure. By the way, %{Simultaneuos-Use} will not work, since there's no way to expand check items from the request... > > I probably could work on that, but I need some guidelines: > > 1. Should it be a set of static variables, or searchable list like > >dictionary? > > I'm not sure what you mean by that. How about, say, new integer attribute like FreeRADIUS-Reply-Code, which will be automatically replaced with a corresponding Reply-Message just before reply? However, in this case we still need some mapping from FreeRADIUS-Reply-Code to Reply-Message, other than dictionary. I dislike this idea more and more... > > 2. Should it be per-module configuration, or global? > > Many messages are global. They should be in a global config. Well, I'll try global messages first. I always felt myself uncomfortable with silent auth-failures, so it's reasonable to have auth_failure message, IMHO. However, some people might want to leave it silent, so maybe it should be empty by default. But there's an issue with sending empty strings in FreeRADIUS currently. RFC 2865 says: string1-253 octets containing binary data (values 0 through 255 decimal, inclusive). Strings of length zero (0) MUST NOT be sent; omit the entire attribute instead. And FreeRADIUS sends attributes no matter of their length. A small patch solves this (works for me, please, test it): Index: src/lib/radius.c === RCS file: /source/radiusd/src/lib/radius.c,v retrieving revision 1.101 diff -u -p -r1.101 radius.c --- src/lib/radius.c23 Jul 2003 19:44:35 - 1.101 +++ src/lib/radius.c28 Jul 2003 22:37:34 - 
@@ -226,6 +226,14 @@ int rad_send(RADIUS_PACKET *packet, cons } /* + *Don't send empty attributes, omit 'em + */ + if (((reply->type == PW_TYPE_ABINARY) || + (reply->type == PW_TYPE_STRING) || + (reply->type == PW_TYPE_OCTETS)) && + reply->length == 0) + continue; + /* *Print out ONLY the attributes which * we're sending over the wire, and print *them out BEFORE they're encrypted. One more question. Which operator should I use to add Reply-Message? ":=" or "=" or "+="? -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
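Review bot: the new `continue` in rad_send() sits before the "Print out ONLY the attributes which we're sending over the wire" debug block, so an attribute dropped for being empty disappears silently from `radiusd -X` output; add a DEBUG line naming the omitted attribute so an operator who configured an empty message (as the proposed `auth_failure = ""` default would) can see why nothing was sent. The RFC 2865 text quoted in the message applies to every zero-length string value, so if the library has any further string-like PW_TYPE beyond ABINARY, STRING and OCTETS it belongs in the same condition.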
Re: Reply message from the counter module
"Alexander M. Pravking" <[EMAIL PROTECTED]> wrote:
> Yeah, it's not the only place where configurable messages could be
> useful. I've already suggested such a thing, but the silence was an
> answer...
...
> Dear developers, how about customizable messages? Something like
> this in radiusd.conf:
>
> messages {
>     multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
>     timespan_violation = "You are calling outside allowed timespan\r\n"
>     ...
> }

Sure.

> I probably could work on that, but I need some guidelines:
> 1. Should it be a set of static variables, or searchable list like
>    dictionary?

I'm not sure what you mean by that.

> 2. Should it be per-module configuration, or global?

Many messages are global. They should be in a global config.

> 3. Where to put these parameters in config?

In a new 'messages' block.

> 4. Recommended naming conventions?

Something short, but long enough to be reasonably obvious.

Alan DeKok.
Re: Reply message from the counter module
On Sat, Jul 26, 2003 at 07:09:38PM -0700, Alex Chen wrote:
> I finally get the counter module to work but there is a small question
> about the reply message issued by the counter when the accumulated time
> exceeds the value of the 'check-name' attribute. I set the 'reset' to
> 'never' and when the limit, say, 60 seconds, is reached, the reply
> message says:
>
> Reply-Message = "Your maximum never usage time has been reached"
>
> It is not a problem but does not sound normal.
>
> May I suggest, in the next release, that you make the reply message a
> user configurable item in the counter module, e.g.
>
> counter {
>     filename = ${raddbdir}/counterdb
>     key = User-Name
>     count-attribute = Acct-Session-Time
>     reset = never
>     reply-message = "Your maximum access time has been reached"
> }

Yeah, it's not the only place where configurable messages could be useful. I've already suggested such a thing, but the silence was an answer...

If anyone of developers got interested, see
http://lists.cistron.nl/archives/freeradius-users/2003/06/frm00625.html

--
Fduch M. Pravking
Reply message from the counter module
I finally got the counter module to work but there is a small question about the reply message issued by the counter when the accumulated time exceeds the value of the 'check-name' attribute. I set the 'reset' to 'never' and when the limit, say, 60 seconds, is reached, the reply message says:

Reply-Message = "Your maximum never usage time has been reached"

It is not a problem but does not sound normal.

May I suggest, in the next release, that you make the reply message a user configurable item in the counter module, e.g.

counter {
    filename = ${raddbdir}/counterdb
    key = User-Name
    count-attribute = Acct-Session-Time
    reset = never
    reply-message = "Your maximum access time has been reached"
}
Re: Reply-Message
Hi Chris

I am sorry I don't have more information, maybe someone else does though. I don't currently use Radius for PPP Authentication and it has been 3 years since I used Windows on my desktop :-)

Maybe you can find something from google.

Cheers

Peter

On Tue, 22 Jul 2003 09:48 am, Chris Miller wrote:
> Peter, thanks for the reply. I did some testing with PowerDUN and did not
> receive any specific error message. This doesn't surprise me with out
> Livingston pm3s, but our wholesale partner has more modern equipment I
> would expect to support this feature (i.e Cisco, TNT, Lucent).
>
> I've also been able to find little information on how this works or what
> vendors support this. From what I gather the NAS passes the reply on to
> the client via PPP. I would think this would be the default but perhaps
> it's something that specifically needs to be enabled. Do you have any
> further information you can point me to?
>
> Regards,
> Chris
>
> Chris Miller
> NetGate Internet
>
> On Sun, 20 Jul 2003, Peter Nixon wrote:
> > On Sun July 20 2003 01:26, Chris Miller wrote:
> > > I've noticed that the Reply-Message returned from the radius server is
> > > not shown in the Windows DUN error message when access is rejected.
> > > Where does the failure occur? Is this a matter of the NAS not returning
> > > this message to the DUN client, or is this just typical of Windows? Any
> > > way to override this behavior? It would be nice that a user knows their
> > > account has been disabled instead of the generic "username or password
> > > incorrect".
> >
> > This is windows behaviour. Unless you use PowerDUN or one of the
> > replacement dialers you will not see any returned messages.
> >
> > --
> >
> > Peter Nixon
> > http://www.peternixon.net/
> > PGP Key: http://www.peternixon.net/public.asc

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: Reply-Message
Peter, thanks for the reply. I did some testing with PowerDUN and did not receive any specific error message. This doesn't surprise me with our Livingston pm3s, but our wholesale partner has more modern equipment I would expect to support this feature (i.e. Cisco, TNT, Lucent).

I've also been able to find little information on how this works or what vendors support this. From what I gather the NAS passes the reply on to the client via PPP. I would think this would be the default but perhaps it's something that specifically needs to be enabled. Do you have any further information you can point me to?

Regards,
Chris

Chris Miller
NetGate Internet

On Sun, 20 Jul 2003, Peter Nixon wrote:
> On Sun July 20 2003 01:26, Chris Miller wrote:
> > I've noticed that the Reply-Message returned from the radius server is not
> > shown in the Windows DUN error message when access is rejected. Where does
> > the failure occur? Is this a matter of the NAS not returning this
> > message to the DUN client, or is this just typical of Windows? Any way to
> > override this behavior? It would be nice that a user knows their account
> > has been disabled instead of the generic "username or password incorrect".
>
> This is windows behaviour. Unless you use PowerDUN or one of the replacement
> dialers you will not see any returned messages.
>
> --
>
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: Reply-Message
On Sun July 20 2003 01:26, Chris Miller wrote:
> I've noticed that the Reply-Message returned from the radius server is not
> shown in the Windows DUN error message when access is rejected. Where does
> the failure occur? Is this a matter of the NAS not returning this
> message to the DUN client, or is this just typical of Windows? Any way to
> override this behavior? It would be nice that a user knows their account
> has been disabled instead of the generic "username or password incorrect".

This is windows behaviour. Unless you use PowerDUN or one of the replacement dialers you will not see any returned messages.

--

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Reply-Message
I've noticed that the Reply-Message returned from the radius server is not shown in the Windows DUN error message when access is rejected. Where does the failure occur? Is this a matter of the NAS not returning this message to the DUN client, or is this just typical of Windows? Any way to override this behavior? It would be nice that a user knows their account has been disabled instead of the generic "username or password incorrect".

Regards,
Chris

Chris Miller
NetGate Internet
Re: simultaneous-use reply-message
Alexander,

Users' native language is Turkish which uses Latin alphabet so, luckily, ascii characters will do good. And yes it would be nice to have customizable messages :)

Thanks,
Gunce

On Fri, 20 Jun 2003, Alexander M. Pravking wrote:
> On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> > Dear list,
> > I am using (v0.8.1)
> > simultaneous-use attribute with Bay RAC 8000 without problems.
> > Users also get and see the "You are already logged in - access denied"
> > message through NAS-Prompt when they are trying to connect beyond the
> > limit. To make life easier for hot-line staff, we should have it in
> > native language.
>
> Are you sure your NAS won't go crazy because of non-ascii characters?
> Don't you expect charset problems?
>
> > I don't know if somebody ever needed it.I looked for
> > the this reply message in radiusd.conf,radcheck,could not see..
>
> It's hard-coded currently, so you can edit the sources and then recompile
> radius.
>
>
> Dear developers, how about customizable messages? Something like this in
> radiusd.conf:
> messages {
>     multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
>     timespan_violation = "You are calling outside allowed timespan\r\n"
>     ...
> }
>
> I probably could work on that, but I need some guidelines:
> 1. Should it be a set of static variables, or searchable list like
>    dictionary?
> 2. Should it be per-module configuration, or global?
> 3. Where to put these parameters in config?
> 4. Recommended naming conventions?
>
>
> --
> Fduch M. Pravking
Re: simultaneous-use reply-message
On Fri, Jun 20, 2003 at 11:57:46AM +0300, gunce ciftci wrote:
> Dear list,
> I am using (v0.8.1)
> simultaneous-use attribute with Bay RAC 8000 without problems.
> Users also get and see the "You are already logged in - access denied"
> message through NAS-Prompt when they are trying to connect beyond the
> limit. To make life easier for hot-line staff, we should have it in
> native language.

Are you sure your NAS won't go crazy because of non-ascii characters? Don't you expect charset problems?

> I don't know if somebody ever needed it.I looked for
> the this reply message in radiusd.conf,radcheck,could not see..

It's hard-coded currently, so you can edit the sources and then recompile radius.

Dear developers, how about customizable messages? Something like this in radiusd.conf:

messages {
    multiple_login = "You are already logged in %{Simultaneous-Use} times\r\n"
    timespan_violation = "You are calling outside allowed timespan\r\n"
    ...
}

I probably could work on that, but I need some guidelines:
1. Should it be a set of static variables, or searchable list like dictionary?
2. Should it be per-module configuration, or global?
3. Where to put these parameters in config?
4. Recommended naming conventions?

--
Fduch M. Pravking
simultaneous-use reply-message
Dear list,

I am using (v0.8.1) simultaneous-use attribute with Bay RAC 8000 without problems. Users also get and see the "You are already logged in - access denied" message through NAS-Prompt when they are trying to connect beyond the limit. To make life easier for hot-line staff, we should have it in native language. I don't know if somebody ever needed it. I looked for this reply message in radiusd.conf, radcheck, could not see..

Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

Where is this reply message defined, so that admins can change/add it?

Regards,
Gunce

Gunce Ciftci
Middle East Technical University
Computer Center
[EMAIL PROTECTED]
Re: How to change the 'Status Server' Reply Message
"Stefan Auweiler" <[EMAIL PROTECTED]> wrote:
> I'd like to extend the 'Status Server' Reply Message with the admins
> contact information
> Does anybody has an advice or a readme?

Source code modifications. See 'src/main/radiusd.c'

Alan DeKok.
How to change the 'Status Server' Reply Message
All,

I'd like to extend the 'Status Server' Reply Message with the admins' contact information. Does anybody have an advice or a readme?

My environment:
SuSe 8.1, FreeRADIUS 0.8.1
Test with NTRadPing

Thanks
Stefan
Re: multiple attributes in reply message
"Sunny Wang" <[EMAIL PROTECTED]> wrote:
> I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple
> attributes of the same type in accept reply message. Can someone let me
> know how do I do that?

Read the 'man' page for the 'users' file.

> Filter-Id = "in: abc",
> Filter-Id = "out: xyz"

You want:

    ...
    Filter-Id += "in: abc",
    Filter-Id += "out: xyz"
    ...

Alan DeKok.
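The difference Alan points at is the reply-item operator semantics from the users(5) man page: `=` adds an attribute only if none of that name is present yet (so the second Filter-Id is silently discarded), `:=` replaces any existing attribute of that name, and `+=` always adds another instance. The following is an added example, not FreeRADIUS code: a small parser for the reply lines of a users entry and a function that builds the reply list with those three rules, run over Sunny's record and over the `+=` version Alan suggests. The regular expression and the tuple representation are this example's own.

```python
import re

# One reply line: "Attribute op value," where op is =, := or +=.
# Values may be quoted ("in: abc") or bare (Framed-User, 10.1.1.12).
REPLY_LINE_RE = re.compile(
    r'^\s*([A-Za-z0-9-]+)\s*(\+=|:=|=)\s*(?:"([^"]*)"|([^,\s]+))\s*,?\s*$'
)


def parse_users_entry(text):
    """Split a users entry into its check line and its list of reply items.

    The first non-blank line holds the user name and check items; every
    following line is a reply item.  Returns (check_line, [(name, op, value)]).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    check_line, reply_items = lines[0].strip(), []
    for line in lines[1:]:
        m = REPLY_LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse reply line: %r" % line)
        name, op, quoted, bare = m.groups()
        reply_items.append((name, op, quoted if quoted is not None else bare))
    return check_line, reply_items


def apply_reply_item(reply, name, op, value):
    """Apply one reply item to the ordered list of (name, value) pairs."""
    if op == "=":
        # Add only if no attribute of that name is already in the reply.
        if not any(n == name for n, _ in reply):
            reply.append((name, value))
    elif op == ":=":
        # Replace: drop every existing instance, then add this one.
        reply[:] = [(n, v) for n, v in reply if n != name]
        reply.append((name, value))
    elif op == "+=":
        # Always add another instance.
        reply.append((name, value))
    else:
        raise ValueError("unknown operator %r" % op)
    return reply


def build_reply(reply_items):
    """Build the reply attribute list from parsed (name, op, value) items."""
    reply = []
    for name, op, value in reply_items:
        apply_reply_item(reply, name, op, value)
    return reply


# Sunny's record as posted (user name replaced by the list's placeholder).
SUNNY_RECORD = '''
[EMAIL PROTECTED]  User-Password == "blah"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.1.1.12,
    Filter-Id = "in: abc",
    Filter-Id = "out: xyz"
'''

# The same record with the operator Alan recommends.
FIXED_RECORD = SUNNY_RECORD.replace('Filter-Id = ', 'Filter-Id += ')


if __name__ == "__main__":
    for label, record in (("as posted", SUNNY_RECORD), ("with +=", FIXED_RECORD)):
        _, items = parse_users_entry(record)
        print(label, build_reply(items))
```

Because `=` looks at the reply as built so far, order matters: an earlier module or line that already set Filter-Id wins, which is also why `:=` is the operator to use when a later entry must override an earlier one.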
multiple attributes in reply message
Hi,

I'm using FreeRADIUS Version 0.8.1, I would like to be able to get multiple attributes of the same type in accept reply message. Can someone let me know how do I do that?

Here is my record:

[EMAIL PROTECTED]  User-Password == "blah"
    Service-Type = Framed-User,
    Framed-IP-Address = 10.1.1.12,
    Filter-Id = "in: abc",
    Filter-Id = "out: xyz"

FreeRADIUS server currently is only sending me Filter-Id = "in: abc" but not Filter-Id = "out: xyz".

Thanks for the help.

--Sunny
Re: Reply-Message
Remus Anca <[EMAIL PROTECTED]> wrote:
> did succeed someone in 'put' messages, send by freeradius with
> Reply-Message attribute, on windows screen?
>
> i know it's a windows problem, but how can i trick it?

Read the FAQ? It's not rocket science.

Alan DeKok.
Re: Reply-Message
--On 21 November 2002 16:50 +0200 Remus Anca <[EMAIL PROTECTED]> wrote:

    did succeed someone in 'put' messages, send by freeradius with
    Reply-Message attribute, on windows screen?

    i know it's a windows problem, but how can i trick it?

    thx. i think this is very useful for all ISP admin's
    --
    Remus

I don't think any of the actual Windows PPP stacks support this, i.e. it's not going to work :(

I can't see any way you can work around it either, if it's not support by the client - it's not supported :-(

[And how many ISP's wish it was supported? :)]

-Kp
Reply-Message
did succeed someone in 'put' messages, send by freeradius with Reply-Message attribute, on windows screen?

i know it's a windows problem, but how can i trick it?

thx. i think this is very useful for all ISP admin's
--
Remus
Re: Access-Reject proxied without Reply-Message
Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> So, if the reject_delay = 0, radius sends the Reply-Message
> in Access-Reject back to the NAS,
> and if reject_delay = 1, does not.

That's a bug. I would think that rad_respond(), in src/main/radiusd.c is to blame. It shouldn't clean up request->reply->vps if request->reply->data is NULL.

Alan DeKok.
Re: Access-Reject proxied without Reply-Message
On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >By the way, how can I say "Any number of such attribute"
> >for rlm_attr_filter?
>
> It should already do that. It doesn't track state, so if you permit
> 'Ascend-Data-Filter ~= ".*"' then it will allow through all attributes
> that match that rule.

It doesn't do that.

raddb/attrs:

DEFAULT
        Service-Type == Framed-User,
        Service-Type == Login-User,
        Login-Service == Telnet,
        Login-Service == Rlogin,
        Login-Service == TCP-Clear,
        Login-TCP-Port <= 65536,
        Framed-IP-Address =~ ".*",
        Framed-IP-Netmask == 255.255.255.255,
        Framed-Protocol == PPP,
        Framed-Protocol == SLIP,
        Framed-Compression == Van-Jacobson-TCP-IP,
        Framed-MTU >= 576,
        Framed-Filter-ID =~ ".*",
        Reply-Message =~ ".*",
        Session-Timeout <= 28800,
        Idle-Timeout <= 600,
        Port-Limit <= 2,
        Cisco-AVPair =~ ".*",
        Fall-Through = Yes

And here are logs:

rad_recv: Access-Request packet from host :2893, id=244, length=64
Thread 1 assigned request 35
--- Walking the entire request list ---
Waking up in 4 seconds...
Thread 1 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = ""
        NAS-IP-Address = ""
        NAS-Port-Id = "3"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "attr_filter" returns noop
modcall[authorize]: module "files" returns notfound
rlm_realm: Proxying request from user register to realm realm
modcall[authorize]: module "suffix" returns updated
modcall: group authorize returns updated
Sending Access-Request of id 13 to
        User-Name = "stricted-user@realm"
        User-Password = ""
        NAS-IP-Address = ""
        NAS-Port-Id = "3"
        Proxy-State = "244"
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host , id=13, length=1241
Thread 2 assigned request 35
Waking up in 4 seconds...
Thread 2 handling request 35, (5 handled so far)
        User-Name = "stricted-user@realm"
        User-Password = ""
        NAS-IP-Address = ""
        Proxy-State = 0x323434
        NAS-Identifier = ""
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
        Cisco-AVPair = "ip:inacl#2=permit udp..."
        Cisco-AVPair = "ip:inacl#3=permit udp..."
        Cisco-AVPair = "ip:inacl#4=permit udp..."
        Cisco-AVPair = "ip:inacl#5=permit udp..."
        Cisco-AVPair = "ip:inacl#6=permit udp..."
        Cisco-AVPair = "ip:inacl#7=permit udp..."
        Cisco-AVPair = "ip:inacl#8=permit tcp..."
        Cisco-AVPair = "ip:inacl#9=permit tcp..."
        Cisco-AVPair = "ip:inacl#10=deny ip any any"
        Cisco-AVPair = "ip:outacl#1=permit udp..."
        Cisco-AVPair = "ip:outacl#2=permit udp..."
        Cisco-AVPair = "ip:outacl#3=permit udp..."
        Cisco-AVPair = "ip:outacl#4=permit udp..."
        Cisco-AVPair = "ip:outacl#5=permit udp..."
        Cisco-AVPair = "ip:outacl#6=permit udp..."
        Cisco-AVPair = "ip:outacl#7=permit udp..."
        Cisco-AVPair = "ip:outacl#8=permit tcp..."
        Cisco-AVPair = "ip:outacl#9=permit tcp..."
        Cisco-AVPair = "ip:outacl#10=deny ip any any"
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
attr_filter: Matched entry DEFAULT at line 84
modcall[authorize]: module "attr_filter" returns updated
modcall[authorize]: module "files" returns notfound
modcall[authorize]: module "suffix" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [stricted-user@realm] (from nas port 0)
Sending Access-Accept of id 244 to :2893
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "ip:inacl#1=permit udp..."
Finished request 35
Going to the next request

So, only the first Cisco-AVPair attribute is sent back to the NAS.
The only way I see is to add as many 'Cisco-AVPair =~ ".*"' lines to
raddb/attrs as it seems to be possible :(

Any comments or suggestions?

--
Fduch M. Pravking

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
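As an added illustration (not code from the thread or from FreeRADIUS), a small Python model of the raddb/attrs rules above. It assumes, drawing only on what the log shows, that each rule is consumed by the first reply attribute it passes, so one `Cisco-AVPair =~ ".*"` line lets one AVPair through and a reply carrying ten needs ten lines; the rule subset and the reply are constructed.

```python
import re

# Constructed rules: a subset of the raddb/attrs DEFAULT entry quoted above.
ATTRS_RULES = [
    ("Service-Type", "==", "Framed-User"),
    ("Framed-Protocol", "==", "PPP"),
    ("Session-Timeout", "<=", "28800"),
    ("Cisco-AVPair", "=~", ".*"),
]

def rule_matches(op, rule_value, attr_value):
    """Evaluate one attrs-file comparison operator against a reply value."""
    if op == "==":
        return attr_value == rule_value
    if op == "=~":
        return re.search(rule_value, attr_value) is not None
    if op == "<=":
        return int(attr_value) <= int(rule_value)
    if op == ">=":
        return int(attr_value) >= int(rule_value)
    raise ValueError(f"unsupported operator {op!r}")

def attr_filter(reply, rules):
    """Model (an assumption drawn from the log, not rlm_attr_filter's code):
    each rule is consumed by the first attribute it passes, so N need N rules."""
    unused = list(rules)
    kept = []
    for name, value in reply:
        for rule in unused:
            rname, op, rvalue = rule
            if rname == name and rule_matches(op, rvalue, value):
                kept.append((name, value))
                unused.remove(rule)
                break
    return kept

# Constructed Access-Accept shaped like the home-server reply in the log.
HOME_REPLY = [
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Session-Timeout", "36000"),   # above the 28800 cap, must be dropped
] + [("Cisco-AVPair", f"ip:inacl#{i}=permit udp...") for i in range(1, 11)]

def count_avpairs(rules):
    """How many Cisco-AVPair instances survive the filter."""
    return sum(1 for n, _ in attr_filter(HOME_REPLY, rules) if n == "Cisco-AVPair")

if __name__ == "__main__":
    print(count_avpairs(ATTRS_RULES))                                       # 1
    print(count_avpairs(ATTRS_RULES + [("Cisco-AVPair", "=~", ".*")] * 9))  # 10
```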
Re: Access-Reject proxied without Reply-Message
On Thu, Mar 28, 2002 at 11:56:32PM -0500, Alan DeKok wrote:
> Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> > We have freeradius-0.5 doing only proxy.
> > And the problem is:
> > when radius receives Access-Reject packet from remote server,
> > it proxies it back to the NAS without any attributes,
> > Reply-Message in particular.
>
> Read the RFC's. That's how RADIUS is *supposed* to work.

I've found nothing in RFC 2865 about any restrictions for Access-Reject but this:

   If any condition is not met, the RADIUS server sends an "Access-Reject"
   response indicating that this user request is invalid. If desired, the
   server MAY include a text message in the Access-Reject which MAY be
   displayed by the client to the user. No other Attributes (except
   Proxy-State) are permitted in an Access-Reject.

So, Reply-Message MAY be present in Access-Reject, and it is PRESENT in the
packet from remote server, but is not being sent back to NAS by this proxy
radius. Correct me if I'm wrong, please.

Here is a bug, I think, and it comes from delaying the Access-Reject:

On Thu, Mar 28, 2002 at 09:42:48AM -0600, Chris Parker wrote:
> At 06:18 PM 3/28/2002 +0300, Fduch the Pravking wrote:
> >And what does "Delaying request 91752 for 1 seconds" mean?
>
> It's a throttling feature. Some radius clients can cause what amounts
> to a DOS by repeatedly requesting authentication for failed users. IE,
> user gets rejected, nas sends another request, user gets rejected, nas
> sends another request. This was for a PPPoE/DSL authentication, so it
> was instantaneous. A configurable delay before sending the Reject
> back to the NAS allows the server to effectively throttle the rate at
> which that type of NAS can hammer it with requests. If you set it to
> zero, it disables the delay altogether.
>
> This is in the 'security' section of the 'radiusd.conf' file.

Sorry, Chris, I'm slightly blind :)

When I set reject_delay = 0 in the security section of radiusd.conf, the
same Access-Request packet shows the following:

% radtest sltest bad_passwd localhost:1645 3 testing123
Sending Access-Request of id 68 to 127.0.0.1:1645
        User-Name = "sltest"
        User-Password = "U\356~\271\354X\213
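As an added example, not part of the thread and not FreeRADIUS code, a Python function that builds the Access-Reject a proxy may relay under the RFC 2865 text quoted above: Reply-Message is kept (it MAY be present), the Proxy-State the proxy itself added when forwarding is removed, and every other attribute is dropped. It assumes, following the log (`Proxy-State = "244"` going out, `0x323434` coming back), that the proxy's own Proxy-State is the last one and carries the original request id as ASCII octets; the home-server reply is constructed.

```python
# Attributes RFC 2865 permits in an Access-Reject.
REJECT_ALLOWED = {"Reply-Message", "Proxy-State"}

def decode_octets(value):
    """Values logged as 0x... are raw octets; decode them to text (assumption
    drawn from the log, where 0x323434 is the ASCII id "244")."""
    if isinstance(value, str) and value.startswith("0x"):
        return bytes.fromhex(value[2:]).decode("ascii")
    return value

def relay_access_reject(home_reply, own_proxy_state):
    """Reduce a home server's Access-Reject to what the proxy may forward:
    Reply-Message and Proxy-State only, minus the Proxy-State this proxy
    appended (the last one, per RFC 2865); earlier hops' states are kept."""
    kept = [(n, decode_octets(v)) for n, v in home_reply if n in REJECT_ALLOWED]
    states = [i for i, (n, _) in enumerate(kept) if n == "Proxy-State"]
    if not states or kept[states[-1]][1] != own_proxy_state:
        raise ValueError("home server did not echo our Proxy-State")
    del kept[states[-1]]
    return kept

# Constructed home-server Access-Reject, shaped like the log above.
HOME_REJECT = [
    ("Proxy-State", "0x323434"),              # "244", added by this proxy
    ("Reply-Message", "Password has expired"),
    ("Session-Timeout", "30"),                # not permitted in a Reject
    ("Framed-IP-Address", "192.168.200.1"),   # not permitted in a Reject
]

if __name__ == "__main__":
    print(relay_access_reject(HOME_REJECT, "244"))
    # [('Reply-Message', 'Password has expired')]
```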
Re: Access-Reject proxied without Reply-Message
Fduch the Pravking <[EMAIL PROTECTED]> wrote:
> We have freeradius-0.5 doing only proxy.
> And the problem is:
> when radius receives Access-Reject packet from remote server,
> it proxies it back to the NAS without any attributes,
> Reply-Message in particular.

  Read the RFC's. That's how RADIUS is *supposed* to work.

  Alan DeKok.
Re: How to change Reply-Message attribute if authentication is failed
"Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
> Is it possible to add this feature in the next version of FreeRadius?

  Sure. Supply a patch, and it will be integrated.

  Alan DeKok.
Re: How to change Reply-Message attribute if authentication is failed
Hello, Alan!

a> "Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
>> How can I change or remove "Reply-Message" attribute if
>> authentication is failed.

a> You can't, sorry.

Is it possible to add this feature in the next version of FreeRadius?

Sergey Kodentsev.
Re: How to change Reply-Message attribute if authentication is failed
"Sergey Kodentsev" <[EMAIL PROTECTED]> wrote:
> How can I change or remove "Reply-Message" attribute if authentication is
> failed.

  You can't, sorry.

  Alan DeKok.
How to change Reply-Message attribute if authentication is failed
Hello!

The part of my user file is given below.

DEFAULT Auth-Type := System
        Reply-Message := "Test message",
        Fall-Through = Yes

How can I change or remove "Reply-Message" attribute if authentication is failed.

Sergey Kodentsev
ignored Reply-Message from Exec-Program-Wait
Hi List,

Can anybody tell my why Reply-Message returned by Exec-Program was ignored?

Here is debug:

Exec-Program-Wait: value-pairs: Reply-Message := "Current hours restriction"
Exec-Program: returned: 10
Sending Access-Reject of id 243 to 212.36.0.225:1645
        Reply-Message = "\r\nAccess denied (external check failed)."
Finished request 256

--
B