Re: Reply-Message in freeradius
On 6 Oct 2011, at 04:27, gary wrote:

> Hi
> One more question.
> How about if user name is wrong? eg: send reply message "user name not found"

    sql
    if (notfound) {
        update reply {
            Reply-Message = 'User-name not found'
        }
    }

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Reply-Message in freeradius
Hi

One more question. How about if user name is wrong? eg: send reply message "user name not found"

Best Regards
Gary

- Original Message -
From: Arran Cudbard-Bell
To: Dagia Dorjsuren ; FreeRadius users mailing list
Sent: Wednesday, October 05, 2011 10:34 PM
Subject: Re: Reply-Message in freeradius

On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:

> Hello,
>
> How to add Reply-Message in freeradius? anyone advise me pls.
>
> For example : I would like to send "Your username or password is wrong"
> message to NAS if someone tries to access my freeradius with a wrong
> password from that NAS

raddb/sites-available/default

    post-auth {
        Post-Auth-Type REJECT {
            update reply {
                Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
            }
        }
    }

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Reply-Message in freeradius
On Wed, Oct 5, 2011 at 9:23 PM, Dagia Dorjsuren wrote:
> Hello,
>
> How to add Reply-Message in freeradius? anyone advise me pls.

    post-auth {
        ...
        update reply {
            Reply-Message = "Your message here\r\n"
        }
        ...
    }

> For example : I would like to send "Your username or password is wrong"
> message to NAS if someone tries to access my freeradius with a wrong
> password from that NAS

That's tricky. Checking for reject is easy enough (see the example in the default post-auth section). Checking WHY the rejection happens (e.g. account expired, wrong password) is not easy.

One workaround is to add your reply-message only when there is no previous message (which is what "=" does. See "man unlang").

--
Fajar
Re: Reply-Message in freeradius
On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:

> Hello,
>
> How to add Reply-Message in freeradius? anyone advise me pls.
>
> For example : I would like to send "Your username or password is wrong"
> message to NAS if someone tries to access my freeradius with a wrong
> password from that NAS

raddb/sites-available/default

    post-auth {
        Post-Auth-Type REJECT {
            update reply {
                Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
            }
        }
    }

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !
Re: Reply-message stripped from access-reject response
> You've posted the RADIUS messages. But what about src/dst IP? Have you
> verified that the packets you *think* are the same actually match for
> src/dst IP, and src/dst port? If not, why not go check? That will show
> you WHY the packets are different: they're not the same packet!

You're right again Alan, I was sniffing the wrong TUN interface (there are 13 on this server!). Indeed the reply-message is intact as expected.

Problem resolved, thank you!
Re: Reply-message stripped from access-reject response
sbcsgjm...@snkmail.com wrote:
> Im confused, the Packet identifier is the same. Can you explain how you
> know this. Thanks, much appreciated!

The packets are different. Go read them. Find out what is modifying the packet *after* the RADIUS server sends the reply. Look at the *rest* of the fields of the packet.

i.e. most of these kinds of problems are difficult to solve because people IGNORE information that's right in front of them. You've posted the RADIUS messages. But what about src/dst IP? Have you verified that the packets you *think* are the same actually match for src/dst IP, and src/dst port? If not, why not go check? That will show you WHY the packets are different: they're not the same packet!

The src/dst IP/port will also tell you WHAT is in the middle of the RADIUS conversation. That something is the one mangling the packets.

Alan DeKok.
Re: Reply-message stripped from access-reject response
> What is between the radius server and NAS? Something must be, because
> it's modifying the packet. Do you have an intermediate proxy server?

No, but the packets are being sent over an OpenVPN tunnel.
Re: Reply-message stripped from access-reject response
On 14/05/2011 12:55, Alan DeKok aland-at-deployingradius.com |freeradius-mailinglist| wrote:
> sbcsgjm...@snkmail.com wrote:
>> Using freeradius 1.1.3.
>
> Upgrade.

My apologies, I made a mistake, the version is 2.1.7

>> Im trying to get freeradius to return a helpful reply-message in
>> access-rejects to the NAS but the reply-message seems to get stripped
>> from the access-reject packet. Ive configured the reply-message as
>> below in /etc/raddb/sites-enabled/default
>
> Huh? 1.1.3 doesn't have "sites-enabled". Figure out what you're doing.
> You won't be able to understand anything until then.
>
>> Using wireshark on the radius server,
>
> I have no idea why some people are deathly opposed to running the server
> in debugging mode.

I'm not at all, I've run it in debugging mode and I can see the reply-message as below. I just wanted to make sure the packets on the wire were as expected.

    Sending Access-Reject of id 184 to 10.0.2.3 port 45566
        Reply-Message = "Login Failure"

>> However, on the receiving NAS, using wireshark, there is no
>> reply-message AVP!
>
> The packets are from different login attempts.

Im confused, the Packet identifier is the same. Can you explain how you know this. Thanks, much appreciated!

> Alan DeKok.
Re: Reply-message stripped from access-reject response
On 05/14/2011 11:28 AM, sbcsgjm...@snkmail.com wrote:
> Hi,
>
> Using freeradius 1.1.3. Im trying to get freeradius to return a helpful
> reply-message in access-rejects to the NAS but the reply-message seems
> to get stripped from the access-reject packet. Ive configured the
> reply-message as below in /etc/raddb/sites-enabled/default
>
>     post-auth {
>         sql
>         exec
>         Post-Auth-Type REJECT {
>             # Login failed
>             update reply {
>                 Reply-Message = "Login Failure"
>             }
>             sql
>             attr_filter.access_reject
>         }
>     }
>
> Using wireshark on the radius server, I can see the correct
> reply-message AVP as below
>
>     Radius Protocol
>         Code: Access-Reject (3)
>         Packet identifier: 0xda (218)
>         Length: 35
>         Authenticator: a6208196777dac6e68b45f647a46bc44
>         [This is a response to a request in frame 1]
>         [Time from request: 1.000227000 seconds]
>         Attribute Value Pairs
>             AVP: l=15 t=Reply-Message(18): Login Failure
>                 Reply-Message: Login Failure
>
> However, on the receiving NAS, using wireshark, there is no
> reply-message AVP!

What is between the radius server and NAS? Something must be, because it's modifying the packet. Do you have an intermediate proxy server?
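The check Alan keeps asking for in this thread (are the two captures really the same reply?) can be done mechanically from the packet bytes rather than by eyeballing the ID. The following is an added example, not code from FreeRADIUS or from anyone on the list: it rebuilds the Access-Reject shown in the wireshark dump above (code 3, id 0xda, one Reply-Message AVP, 35 bytes), parses it back, and verifies the Response Authenticator, which RFC 2865 defines as MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Because the Authenticator covers the attributes and binds the reply to one specific request, a capture with the same ID but a different Authenticator answers a different request, and a capture whose AVPs were removed in transit fails verification. The shared secret, the request authenticator and the "other attempt" packet are constructed test values.

```python
"""Build, parse and cross-check RADIUS Access-Reject packets (RFC 2865).

Added example; the shared secret and request authenticator are constructed.
"""
import hashlib
import struct

ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18

# Constructed values: a real NAS and server share the secret out of band.
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))


def encode_avp(attr_type, value):
    """Type(1) Length(1) Value; the length byte includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_reject(packet_id, request_auth, attributes, secret):
    """Assemble an Access-Reject and compute its Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_REJECT, packet_id, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); reject malformed input."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, packet_id, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    avps, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, packet_id, data[4:20], avps


def reply_messages(data):
    """All Reply-Message strings in a packet (a reply may carry several)."""
    _, _, _, avps = parse_packet(data)
    return [v.decode("utf-8", "replace") for t, v in avps if t == ATTR_REPLY_MESSAGE]


def verify_response_authenticator(data, request_auth, secret):
    """True only if the reply answers the request with authenticator
    request_auth, was made with the shared secret, and was not altered."""
    _, _, authenticator, _ = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return authenticator == expected


def same_exchange(pkt_a, pkt_b):
    """Two captures show the same reply only if code, ID and Authenticator all
    match; a matching ID alone just means the NAS reused a counter value."""
    return parse_packet(pkt_a)[:3] == parse_packet(pkt_b)[:3]


# The reply from the thread: Access-Reject, id 0xda, Reply-Message "Login Failure".
SERVER_SIDE = build_access_reject(
    0xDA, REQUEST_AUTHENTICATOR, [encode_avp(ATTR_REPLY_MESSAGE, b"Login Failure")], SECRET)
# Constructed: a reply to a *different* request that happens to reuse id 0xda.
OTHER_ATTEMPT = build_access_reject(0xDA, bytes(16), [], SECRET)
# Constructed: the server's reply with its AVPs removed and the length rewritten.
STRIPPED = SERVER_SIDE[:2] + struct.pack("!H", 20) + SERVER_SIDE[4:20]

if __name__ == "__main__":
    print(len(SERVER_SIDE), reply_messages(SERVER_SIDE))
    print("authentic:", verify_response_authenticator(SERVER_SIDE, REQUEST_AUTHENTICATOR, SECRET))
    print("stripped copy authentic:", verify_response_authenticator(STRIPPED, REQUEST_AUTHENTICATOR, SECRET))
    print("same exchange as other attempt:", same_exchange(SERVER_SIDE, OTHER_ATTEMPT))
```

To apply this to real captures, feed the UDP payloads of the request and the reply in: the request's own Authenticator field is the `request_auth` input, and if the reply seen at the NAS does not verify against it, something between server and NAS rewrote the packet (or, as in this thread, the capture was taken from the wrong interface and shows a different exchange).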
Re: Reply-message stripped from access-reject response
sbcsgjm...@snkmail.com wrote:
> Using freeradius 1.1.3.

Upgrade.

> Im trying to get freeradius to return a helpful
> reply-message in access-rejects to the NAS but the reply-message seems
> to get stripped from the access-reject packet. Ive configured the
> reply-message as below in /etc/raddb/sites-enabled/default

Huh? 1.1.3 doesn't have "sites-enabled". Figure out what you're doing. You won't be able to understand anything until then.

> Using wireshark on the radius server,

I have no idea why some people are deathly opposed to running the server in debugging mode.

> However, on the receiving NAS, using wireshark, there is no
> reply-message AVP!

The packets are from different login attempts.

Alan DeKok.
Re: Reply-Message
Neville,

my postauth_query is:

    postauth_query = "INSERT INTO ${postauth_table} \
        (username, reply, accttime, message) \
        VALUES ('%{SQL-User-Name}', '%{reply:Packet-Type}', \
        TO_DATE(' %S','-mm-dd hh24:mi:ss'), \
        '%{%{Module-Failure-Message}:-%{%{reply:Reply-Message}:-Your generic message}}')"

Adjust accttime for MySQL.

with this you can catch the error message of the module that rejects the user, then the reply message and as last chance a generic message.

you can swap %{Module-Failure-Message} with %{reply:Reply-Message} if your reply message is more important

to strip "\r\n" in modules/attr_rewrite I added:

    attr_rewrite sanereplymessage {
        attribute = Reply-Message
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = reply
        searchfor = "\n|\r"
        replacewith = ""
        ignore_case = no
        new_attribute = no
        max_matches = 10
        ## If set to yes then the replace string will be
        ## appended to the original string
        append = no
    }

and in sites-enabled/default

    Post-Auth-Type REJECT {
        ..
        sanereplymessage
        sql
        ..
    }

Andrea

Neville wrote:
> Thanks, this works a treat and its just what I needed.
>
> Is there anyway to strip the "\r\n" at the start and end of the
> Reply-Message before writing the TABLE, as it ends up in the tables as:-
>
> "=0D=0AYou are already logged in - access denied=0D=0A=0A"
>
> Thx
> Nev
>
>> hi,
>> configure postauth_query in dialup.conf,
>>
>> postauth_query="UPDATE POSTREPLY SET
>> REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' "
>>
>> then, you can query the message from DB SERVER.
>>
>> BTW:
>> if reject user, then ...
>>
>> #
>> # Access-Reject packets are sent through the REJECT sub-section of the
>> # post-auth section.
>> #
>> #
>> Post-Auth-Type REJECT {
>>     %{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE
>>     USERNAME='%{SQL-User-Name}' }
>> }
>>
>>> Message: 1
>>> Date: Sat, 16 Jan 2010 20:55:45 -
>>> From: "Neville"
>>> Subject: Reply-Message
>>> To:
>>> Message-ID: <1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc>
>>> Content-Type: text/plain; charset="iso-8859-1"
>>>
>>> Hi,
>>>
>>> Is there any way to get the reply message loaded into a SQL TABLE,
>>> which a user can then query on to see the last reply based on there
>>> username?
>>>
>>> Thx
>>> Nev
>>> -- next part --
>>> An HTML attachment was scrubbed...
>>> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html>
>>>
>>> --
>>>
>>> Message: 2
>>> Date: Sat, 16 Jan 2010 13:15:58 -0800
>>> From: "Tim Sylvester"
>>> Subject: RE: Reply-Message
>>> To: "'FreeRadius users mailing list'"
>>> Message-ID: <4b522c99.101abc0a.1166.9...@mx.google.com>
>>> Content-Type: text/plain; charset="us-ascii"
>>>
>>> You can put an entry for the Reply-Message attribute in the radreply
>>> table. For example, if you want to send the message "Hi Bob" to user bob,
>>> you would add this entry to radreply:
>>>
>>>     username  attribute        op    value
>>>     "bob"     "Reply-Message"  ":="  "Hi Bob"
>>>
>>> The Reply-Message attribute will be sent back in the Access-Accept
>>> packet sent back to the NAS. Of course, this assumes that you have
>>> FreeRADIUS configured to use SQL, which is documented in the
>>> raddb/sql.conf file and http://wiki.freeradius.org/SQL_HOWTO.
>>>
>>> Tim

--
Somewhere in the world there's somebody better than me... but I haven't met him yet.

Ing. Andrea Gabellini
Email: andrea.gabell...@telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino
http://www.telecomitalia.sm
Re: Reply-Message
Neville, hello!

so, security reasons. 8-(

1. modify the "sql_escape_func(char *out, size_t outlen, const char *in)" in rlm_sql.c, but that is a bad idea.
2. expand rlm_sql and the db driver to support parameter binding, and skip converting the parameter.

=== 2010-01-18 you wrote: ===

> Thanks, this works a treat and its just what I needed.
>
> Is there anyway to strip the "\r\n" at the start and end of the
> Reply-Message before writing the TABLE, as it ends up in the tables as:-
>
> "=0D=0AYou are already logged in - access denied=0D=0A=0A"
>
> Thx
> Nev
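Two things in this thread fit together: Andrea's postauth_query with its Module-Failure-Message / Reply-Message / generic fallback chain plus the attr_rewrite that strips CR and LF, and the reply above pointing out that the =0D=0A Neville sees is rlm_sql's escaping of those bytes for safety, with parameter binding as the clean alternative. The block below is an added example, not FreeRADIUS code and not anything posted on the list: it logs a post-auth row into a SQLite table using bound parameters (so quotes or control characters in the username or message are stored as data rather than interpolated into SQL) and applies the same fallback chain and CR/LF stripping before the write. The table name radpostauth, the column names and the sample usernames are constructed assumptions.

```python
"""Post-auth logging with bound parameters and CR/LF stripping.

Added example; the table layout and sample data are constructed, and the
function arguments stand in for the attributes a post-auth hook would see.
"""
import sqlite3

GENERIC_MESSAGE = "Your generic message"


def pick_message(module_failure, reply_message):
    """Same fallback order as the xlat in Andrea's query:
    %{%{Module-Failure-Message}:-%{%{reply:Reply-Message}:-Your generic message}}"""
    return module_failure or reply_message or GENERIC_MESSAGE


def sanitise(message):
    """What attr_rewrite with searchfor = "\\n|\\r" and replacewith = "" does:
    drop every CR and LF so nothing needs escaping as =0D or =0A later."""
    return message.replace("\r", "").replace("\n", "")


def open_postauth_db():
    """In-memory database with a minimal post-auth table (constructed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE radpostauth ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL,"
        " reply TEXT NOT NULL,"
        " accttime TEXT DEFAULT CURRENT_TIMESTAMP,"
        " message TEXT NOT NULL)"
    )
    return db


def record_postauth(db, username, packet_type, module_failure=None, reply_message=None):
    """Insert one row and return the message that was stored.
    The '?' placeholders bind values on the driver side, so a quote or a
    newline in username/message never becomes part of the SQL text."""
    message = sanitise(pick_message(module_failure, reply_message))
    db.execute(
        "INSERT INTO radpostauth (username, reply, message) VALUES (?, ?, ?)",
        (username, packet_type, message),
    )
    db.commit()
    return message


def last_message(db, username):
    """The most recent stored message for one user, as a portal would query it."""
    row = db.execute(
        "SELECT message FROM radpostauth WHERE username = ? ORDER BY id DESC LIMIT 1",
        (username,),
    ).fetchone()
    return row[0] if row else None


def row_count(db):
    return db.execute("SELECT COUNT(*) FROM radpostauth").fetchone()[0]


if __name__ == "__main__":
    db = open_postauth_db()
    # The exact Reply-Message from Neville's debug output, CR/LF included.
    print(record_postauth(db, "nev", "Access-Reject",
                          reply_message="\r\nYou are already logged in - access denied\r\n\n"))
    # A username containing a quote is stored verbatim, not interpreted as SQL.
    print(record_postauth(db, "o'brien", "Access-Reject",
                          module_failure="constructed module failure text"))
    print(last_message(db, "o'brien"), "|", last_message(db, "nobody"))
```

The stored text for Neville's case is "You are already logged in - access denied" with no =0D=0A residue, because the newlines are removed before the driver ever sees the value; the escaping the reply above calls "security reasons" is still the right default for any value that reaches the SQL text, which is exactly what binding avoids.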
Re: Reply-Message
Thanks, this works a treat and its just what I needed.

Is there anyway to strip the "\r\n" at the start and end of the Reply-Message before writing the TABLE, as it ends up in the tables as:-

"=0D=0AYou are already logged in - access denied=0D=0A=0A"

Thx
Nev

> hi,
> configure postauth_query in dialup.conf,
>
> postauth_query="UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' "
>
> then, you can query the message from DB SERVER.
>
> BTW:
> if reject user, then ...
>
> #
> # Access-Reject packets are sent through the REJECT sub-section of the
> # post-auth section.
> #
> #
> Post-Auth-Type REJECT {
>     %{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' }
> }
>
>> Message: 1
>> Date: Sat, 16 Jan 2010 20:55:45 -
>> From: "Neville"
>> Subject: Reply-Message
>> To:
>> Message-ID: <1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Hi,
>>
>> Is there any way to get the reply message loaded into a SQL TABLE, which a
>> user can then query on to see the last reply based on there username?
>>
>> Thx
>> Nev
>> -- next part --
>> An HTML attachment was scrubbed...
>> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html>
>>
>> --------------
>>
>> Message: 2
>> Date: Sat, 16 Jan 2010 13:15:58 -0800
>> From: "Tim Sylvester"
>> Subject: RE: Reply-Message
>> To: "'FreeRadius users mailing list'"
>> Message-ID: <4b522c99.101abc0a.1166.9...@mx.google.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> You can put an entry for the Reply-Message attribute in the radreply table.
>> For example, if you want to send the message "Hi Bob" to user bob, you would
>> add this entry to radreply:
>>
>>     username  attribute        op    value
>>     "bob"     "Reply-Message"  ":="  "Hi Bob"
>>
>> The Reply-Message attribute will be sent back in the Access-Accept packet
>> sent back to the NAS. Of course, this assumes that you have FreeRADIUS
>> configured to use SQL, which is documented in the raddb/sql.conf file and
>> http://wiki.freeradius.org/SQL_HOWTO.
>>
>> Tim
Re: Reply-Message
hi,
configure postauth_query in dialup.conf,

    postauth_query="UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' "

then, you can query the message from DB SERVER.

BTW:
if reject user, then ...

    #
    # Access-Reject packets are sent through the REJECT sub-section of the
    # post-auth section.
    #
    #
    Post-Auth-Type REJECT {
        %{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}' }
    }

> Message: 1
> Date: Sat, 16 Jan 2010 20:55:45 -
> From: "Neville"
> Subject: Reply-Message
> To:
> Message-ID: <1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Is there any way to get the reply message loaded into a SQL TABLE, which a
> user can then query on to see the last reply based on there username?
>
> Thx
> Nev
> -- next part --
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html>
>
> --
>
> Message: 2
> Date: Sat, 16 Jan 2010 13:15:58 -0800
> From: "Tim Sylvester"
> Subject: RE: Reply-Message
> To: "'FreeRadius users mailing list'"
> Message-ID: <4b522c99.101abc0a.1166.9...@mx.google.com>
> Content-Type: text/plain; charset="us-ascii"
>
> You can put an entry for the Reply-Message attribute in the radreply table.
> For example, if you want to send the message "Hi Bob" to user bob, you would
> add this entry to radreply:
>
>     username  attribute        op    value
>     "bob"     "Reply-Message"  ":="  "Hi Bob"
>
> The Reply-Message attribute will be sent back in the Access-Accept packet
> sent back to the NAS. Of course, this assumes that you have FreeRADIUS
> configured to use SQL, which is documented in the raddb/sql.conf file and
> http://wiki.freeradius.org/SQL_HOWTO.
>
> Tim
Re: Reply-Message
> Message: 1
> Date: Sat, 16 Jan 2010 20:55:45 -
> From: "Neville"
> Subject: Reply-Message
> To:
> Message-ID: <1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi,
>
> Is there any way to get the reply message loaded into a SQL TABLE, which a
> user can then query on to see the last reply based on there username?
>
> Thx
> Nev
> -- next part --
> An HTML attachment was scrubbed...
> URL: <https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html>
>
> --
>
> Message: 2
> Date: Sat, 16 Jan 2010 13:15:58 -0800
> From: "Tim Sylvester"
> Subject: RE: Reply-Message
> To: "'FreeRadius users mailing list'"
> Message-ID: <4b522c99.101abc0a.1166.9...@mx.google.com>
> Content-Type: text/plain; charset="us-ascii"
>
> You can put an entry for the Reply-Message attribute in the radreply table.
> For example, if you want to send the message "Hi Bob" to user bob, you would
> add this entry to radreply:
>
>     username  attribute        op    value
>     "bob"     "Reply-Message"  ":="  "Hi Bob"
>
> The Reply-Message attribute will be sent back in the Access-Accept packet
> sent back to the NAS. Of course, this assumes that you have FreeRADIUS
> configured to use SQL, which is documented in the raddb/sql.conf file and
> http://wiki.freeradius.org/SQL_HOWTO.
>
> Tim

Hi Tim,

what I'm after capturing in an SQL Table is the reason for Rejection as these messages are not passed to the client, so in our customers' PORTAL, we would like to be able to provide them with a list of the most recent ERRORs associated with their account.

    Sending Access-Reject of id 113 to 91.204.210.136 port 52904
        Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"

Thx
Nev
RE: Reply-Message
You can put an entry for the Reply-Message attribute in the radreply table. For example, if you want to send the message "Hi Bob" to user bob, you would add this entry to radreply:

    username  attribute        op    value
    "bob"     "Reply-Message"  ":="  "Hi Bob"

The Reply-Message attribute will be sent back in the Access-Accept packet sent back to the NAS. Of course, this assumes that you have FreeRADIUS configured to use SQL, which is documented in the raddb/sql.conf file and http://wiki.freeradius.org/SQL_HOWTO.

Tim

From: freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org [mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf Of Neville
Sent: Saturday, January 16, 2010 12:56 PM
To: freeradius-users@lists.freeradius.org
Subject: Reply-Message

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a user can then query on to see the last reply based on there username?

Thx
Nev
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
> On 8/6/09 13:26, David Mitton wrote:
>> A couple comments on this thread...
>>
>> The problem with including Reply message text in EAP is that the Reply
>> attribute comes in the Accept or Reject message, which will be carrying
>> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
>> attributes, so a Reply would have to be turned into a Notification
>> message by a smart AP and sent as an exchange prior to the Success/Fail.
>> That doesn't look likely.
>
> ProCurve wired switches do this in the earlier software versions <
> H.10.74. They actually send the EAP-Notification *after* the
> EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.
>
> As far as its state machines are concerned the EAP-Success/EAP-Failure
> messages signifies the end of authentication... so if it receives an
> EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees
> it as the NAS requesting to restart authentication.

http://tools.ietf.org/html/rfc3748#section-5.2 implies that if you send EAP-Notification with an EAP-Success/Failure you are being a bad bad boy. However that is me reading 'prior to completion' as meaning any packet before EAP-Success/Failure, which does not include that final packet.

Cheers

--
Alexander Clouter
.sigmonster says: "MOKE DAT YIGARETTE" -- "The Last Coin", James P. Blaylock
Re: Reply-message and supplicant
On 8/6/09 13:26, David Mitton wrote:
> A couple comments on this thread...
>
> The problem with including Reply message text in EAP is that the Reply
> attribute comes in the Accept or Reject message, which will be carrying
> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
> attributes, so a Reply would have to be turned into a Notification
> message by a smart AP and sent as an exchange prior to the Success/Fail.
> That doesn't look likely.

ProCurve wired switches do this in the earlier software versions < H.10.74. They actually send the EAP-Notification *after* the EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.

As far as its state machines are concerned the EAP-Success/EAP-Failure messages signifies the end of authentication... so if it receives an EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees it as the NAS requesting to restart authentication.

> An EAP method can send its own Notification message including any text
> it wants. This will get wrapped in RADIUS with an EAP message attribute
> in an Access-Challenge, and go the normal path. The next problem is
> getting the supplicant to do anything with it, like show the user.

WPA_Supplicant shows the contents of EAP-Notifications, the Mac OSX supplicant logs the message to /var/system.log, the windows supplicant largely ignores them.

> This can be a problem if your supplicant is Windows. The Windows
> wireless EAP system silently discards EAP Notification messages on XP.
> On Vista, an EAPHost API method can get them if they ask. A RasEap API
> method is SOL, because they are discarded and not responded to, breaking
> the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for
> Vista.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: Re: Reply-message and supplicant
hi,

some useful information...however, people will be far more likely to read your email if you send it as plain text rather than HTML.

alan
Re: Re: Reply-message and supplicant
A couple comments on this thread...

The problem with including Reply message text in EAP is that the Reply attribute comes in the Accept or Reject message, which will be carrying the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry attributes, so a Reply would have to be turned into a Notification message by a smart AP and sent as an exchange prior to the Success/Fail. That doesn't look likely.

An EAP method can send its own Notification message including any text it wants. This will get wrapped in RADIUS with an EAP message attribute in an Access-Challenge, and go the normal path. The next problem is getting the supplicant to do anything with it, like show the user.

This can be a problem if your supplicant is Windows. The Windows wireless EAP system silently discards EAP Notification messages on XP. On Vista, an EAPHost API method can get them if they ask. A RasEap API method is SOL, because they are discarded and not responded to, breaking the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for Vista.

Dave.

Jun 8, 2009 06:38:05 AM, freeradius-users@lists.freeradius.org wrote:
> a.l.m.bu...@lboro.ac.uk wrote:
>> could reply messages be used with some smart server-end code to provide
>> a data communication channel? ie user A has code that attempts to use EAP
>> with special username coding...the remote server is designed
>> to throw responses in EAP messages...which the modified supplicant
>> on the client can then extract? this could tunnel traffic through
>> an 802.1X restricted network?
>
> For TTLS, just use vendor-specific attributes inside of the TTLS tunnel.
>
> It shouldn't be too hard to modify the open source supplicants to look
> for a message, and do *something* with it.
>
> Alan DeKok.
Re: Reply-message and supplicant
a.l.m.bu...@lboro.ac.uk wrote:
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network?

For TTLS, just use vendor-specific attributes inside of the TTLS tunnel.

It shouldn't be too hard to modify the open source supplicants to look for a message, and do *something* with it.

Alan DeKok.
Re: Reply-message and supplicant
On 8/6/09 11:27, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> IIRC, there's a suggestion to do this, but the actual cut-off number
>> is vendor-specific.
>
> ..and i guess this cutoff is reported as an EAP failure and therefore
> kit configured to block/deny access will mean the eg the 3rd tunnel
> creation will be the last for some time

Yes. Some kit has a configurable 'quiet-period'. So that after the EAP-Success or EAP-Failure message, it'll wait for a specified period before allowing another authentication attempt on that port. At least this is true of ProCurve products, and it seems like a sensible feature so I'm sure Cisco et al will have implemented it too.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: Reply-message and supplicant
Hi,

> IIRC, there's a suggestion to do this, but the actual cut-off number
> is vendor-specific.

..and i guess this cutoff is reported as an EAP failure and therefore kit configured to block/deny access will mean the eg the 3rd tunnel creation will be the last for some time

alan
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
> This isn't actually mandated anywhere though is it? This is just random
> vendor specific behaviour ?

IIRC, there's a suggestion to do this, but the actual cut-off number is vendor-specific.

Alan DeKok.
Re: Reply-message and supplicant
> #
> # Make Reply-Message RFC3748 2.6.5 compliant
> #

*

    #
    # Make Reply-Message RFC3579 2.6.5 compliant
    #

Odd that the mime encoded GPG sig validates ok, but the in-line one doesn't... I wonder what's going on there.
Re: Reply-message and supplicant
Hi,

> Alternatively the 'smart server-end' could just send an Access-Accept :)

ah..but then things get logged and you have a session...and most likely then a local address at the visited site and you'll then have to use a VPN etc. with the nefarious way, all traffic is transmitted via the home RADIUS server...unfiltered, unlogged. nasty.

alan
Re: Reply-message and supplicant
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>
>> There's no reason why you couldn't tunnel IPv4 so long as the packets
>> had a valid EAP header prepended to them. Send your EAP start, send the
>> identity response... then you can pretty much do whatever you like, so
>> long as it has a valid EAP header and the end server is in on the trick.
>
> Most AP's will hang up on the EAP session after 40-50 packets.

Aww; and it seemed like such a nice concept.

Most include a 'quiet-period' before they'll allow the supplicant to reattempt authentication. This isn't actually mandated anywhere though is it? This is just random vendor specific behaviour ?

Arran
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
> There's no reason why you couldn't tunnel IPv4 so long as the packets
> had a valid EAP header prepended to them. Send your EAP start, send the
> identity response... then you can pretty much do whatever you like, so
> long as it has a valid EAP header and the end server is in on the trick.

Most AP's will hang up on the EAP session after 40-50 packets.

Alan DeKok.
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
>
>>> ... hmm that's pretty standard behaviour. We don't require FQUNs
>>> either. Though I have no idea why you still insist on using user files
>>> for policies. There's this new fangled policy language you know :P
>>>
>> We *demand* it as otherwise the helpdesk get lazy and users start
>> complaining that 'eduroam' does not work.
>
> Hmm that's a good point. I guess the difference is that we were doing
> 802.1X before eduroam and didn't want to effect legacy behaviour. Looks
> like were going down the everything under one SSID route now, so 'It
> just works' when users roam. Maybe we'll have to look at getting rid of
> none qualified usernames.

As us folks down here in London get (probably) more roaming than non-high university density areas it's a problem that's regularly seen. It's a simple and effective way to avoid this problem and it seems to be behind about 80% of the reasons when users cannot roam.

>> Do you know of an *alternative* way to send human readable messages to
>> sysadmin's at other sites?
>
> Eduroam VSAs.
>
> The EAP/Reply message combination is disallowed for a good reason, and
> i've seen it break things in real world scenarios.
>
> [snipped RFC grumblings]

Okay, okay, during my summer RADIUS refresh work I'll fix this.

Cheers

--
Alexander Clouter
.sigmonster says: Life is a series of rude awakenings. -- R. V. Winkle
Re: Reply-message and supplicant
Alexander Clouter wrote:
> Arran Cudbard-Bell wrote:
>
>> Alexander Clouter wrote:
>>
>>> a.l.m.bu...@lboro.ac.uk wrote:
>>>
>>>>> No one in London wants to go to Sussex though and from my logs it does
>>>>> not look like anyone from Sussex wants to go to London either ;)
>>>>>
>>>>> If someone gives me something better to use in my RADIUS packets then
>>>>> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
>>>>> together and see if anyone notices.
>>>>>
>>>> I've been having a look at such packets on the national proxy and wonder
>>>> if its because people are just blamming a reply-message in at an wrong
>>>> stage...eg during Auth? would a default entry in use users file or
>>>> SQL group reply table cause such wrongness? most likely.
>>>>
>>> I have an entry in my 'users' file for if people insist on sending their
>>> username without a realm
>>>
>> ... hmm that's pretty standard behaviour. We don't require FQUNs
>> either. Though I have no idea why you still insist on using user files
>> for policies. There's this new fangled policy language you know :P
>>
>>
> We *demand* it as otherwise the helpdesk get lazy and users start
> complaining that 'eduroam' does not work.
>
Hmm that's a good point. I guess the difference is that we were doing
802.1X before eduroam and didn't want to affect legacy behaviour. Looks
like we're going down the everything under one SSID route now, so 'It
just works' when users roam. Maybe we'll have to look at getting rid of
non-qualified usernames.

> As for using the user file for policies, why would I care? It works,
> does what I need.

It doesn't scale (for very complex policies), it doesn't promote code
reuse, it's limited in terms of its applications. But if it works for
you...

> For me, I don't particularly find the unlang stuff
> particularly compact/natural and it's a bit verbose for my liking; I
> have not lost anything not using it.
>
> For some things I do use it, things that cannot be expressed in the
> users file. Whatever looks the cleanest and more natural way, is what
> I use.
>
> Much like why I use LaTeX for presentations rather than some new
> 'fangled' tool for giving presentations :P
>
Yeah, you're just weird :)

>>> or mix inner/outer domains, braindead-ness>. It's more for me whilst
>>> looking through my SQL logs, however I also slip into my Reply-Message
>>> a comment if the authentication attempt was against a test
>>> (non-production use) account.
>>>
>> Yeah that's fine... Just strip out the Reply-Message before you send the
>> packet.
>>
>>
> Do you know of an *alternative* way to send human readable messages to
> sysadmins at other sites?
>
Eduroam VSAs.

The EAP/Reply message combination is disallowed for a good reason, and
I've seen it break things in real world scenarios.

ProCurve Switch + Linux Laptop (any version of WPA Supplicant) +
Reply-Message + EAP-Message = Rapid Re-Authentication.

This has been discussed before on list. Jouni Malinen acknowledged the
issue, but quite rightly did nothing to correct it. In the end it's the
RADIUS server breaking the RFC, it's not the supplicant's job to deal
with sysadmins' screwups.

> Scenario:
>
> The users we block for AUP violations or whatever might be roaming.
> Users *lie*, always, and cannot be trusted. If I just straightly block
> the user and the user grumbles to the remote sysadmin they are going to
> pester me. If they look in their logs there is a possibility that they
> are logging Reply-Message and can see "this user is actually blocked and
> nothing on a technical level is wrong".
>
They're mandated to record all packets sent and received to/from the NRPS.

> It might be upsetting the RFCs, but I challenge you (for example) to
> pick a selection of IPv6 related RFCs that do not clash with one
> another.

RFC 3579:

   2.6.5.  Displayable Messages

   The Reply-Message attribute, defined in [RFC2865], Section 5.18,
   indicates text which may be displayed to the peer.  This is similar
   in concept to EAP Notification, defined in [RFC2284].  When sending a
   displayable message to a NAS during an EAP conversation, the RADIUS
   server MUST encapsulate displayable messages within
   EAP-Message/EAP-Request/Notification attribute(s).  Reply-Message
   attribute(s) MUST NOT be included in any RADIUS message containing an
   EAP-Message attribute.  An EAP-Message/EAP-Request/Notification SHOULD
   NOT be included within an Access-Accept or Access-Reject packet.

I don't give a damn whether they conflict (though I don't believe this
particular section conflicts with any other RFCs); that's not the point.
The case documented above will undoubtedly have been seen at sites other
than ours. It puts load on the NRPS, it puts load on the ORPS and it
fills our RADIUS server logs with spurious entries.

> I'm guessing Alan could probably point out where the RFC's
> confli
Re: Reply-message and supplicant
> Hi,
>
>>> on the client can then extract? this could tunnel traffic through
>>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>>> at all? once the authentication outer layer is started i should be
>>> able to just keep throwing data back/forward through that tube?
>>>
>> Wait are you talking about something really quite evil here? Like using
>> EAP as a VPN tunnel ?!?!
>>
>
> yes. if the supplicant is code I have written and the server is running
> a nice bit of PHP or PERL code that i have written then.hmmm PoC ?
>
You just have to make it appear to the NAS that you're doing EAP. You
don't actually have to *do* EAP.

There's no reason why you couldn't tunnel IPv4 so long as the packets
had a valid EAP header prepended to them. Send your EAP start, send the
identity response... then you can pretty much do whatever you like, so
long as it has a valid EAP header and the end server is in on the trick.

Had you got any special plans for this other than annoying administrators
by filling up their logs with very large EAP messages ?

Arran
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
>
> Alexander Clouter wrote:
>> a.l.m.bu...@lboro.ac.uk wrote:
>>>> No one in London wants to go to Sussex though and from my logs it does
>>>> not look like anyone from Sussex wants to go to London either ;)
>>>>
>>>> If someone gives me something better to use in my RADIUS packets then
>>>> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
>>>> together and see if anyone notices.
>>>>
>>> I've been having a look at such packets on the national proxy and wonder
>>> if its because people are just blamming a reply-message in at an wrong
>>> stage...eg during Auth? would a default entry in use users file or
>>> SQL group reply table cause such wrongness? most likely.
>>>
>> I have an entry in my 'users' file for if people insist on sending their
>> username without a realm
>
> ... hmm that's pretty standard behaviour. We don't require FQUNs
> either. Though I have no idea why you still insist on using user files
> for policies. There's this new fangled policy language you know :P
>
We *demand* it as otherwise the helpdesk get lazy and users start
complaining that 'eduroam' does not work.

As for using the user file for policies, why would I care? It works,
does what I need. For me, I don't particularly find the unlang stuff
particularly compact/natural and it's a bit verbose for my liking; I
have not lost anything not using it.

For some things I do use it, things that cannot be expressed in the
users file. Whatever looks the cleanest and more natural way, is what
I use.

Much like why I use LaTeX for presentations rather than some new
'fangled' tool for giving presentations :P

>> or mix inner/outer domains, braindead-ness>. It's more for me whilst
>> looking through my SQL logs, however I also slip into my Reply-Message
>> a comment if the authentication attempt was against a test
>> (non-production use) account.
>
> Yeah that's fine... Just strip out the Reply-Message before you send the
> packet.
>
Do you know of an *alternative* way to send human readable messages to
sysadmins at other sites?

Scenario:

The users we block for AUP violations or whatever might be roaming.
Users *lie*, always, and cannot be trusted. If I just straightly block
the user and the user grumbles to the remote sysadmin they are going to
pester me. If they look in their logs there is a possibility that they
are logging Reply-Message and can see "this user is actually blocked and
nothing on a technical level is wrong".

It might be upsetting the RFCs, but I challenge you (for example) to
pick a selection of IPv6 related RFCs that do not clash with one
another. I'm guessing Alan could probably point out where the RFCs
conflict against one another in the RADIUS world too.

If my Reply-Messages break something, I'll stop sending them. I think
you need to stop worrying about the Reply-Messages and maybe look out
for those borken folk who keep insisting telling me to put their users
in a particular VLAN, maybe we could just get JANET to refuse those IAS
users. :)

>>> crack-pipe question of the day:
>>>
>>> could reply messages be used with some smart server-end code to provide
>>> a data communication channel? ie user A has code that attempts to use EAP
>>> with special username coding...the remote server is designed
>>> to throw responses in EAP messages...which the modified supplicant
>>> on the client can then extract? this could tunnel traffic through
>>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>>> at all? once the authentication outer layer is started i should be
>>> able to just keep throwing data back/forward through that tube?
>>>
>
> Wait are you talking about something really quite evil here? Like using
> EAP as a VPN tunnel ?!?!
>
Again, why *bother*. If someone is sending a malicious RADIUS server an
Access-Request message, all it has to do is send back an Access-Accept.

Hell you can then tunnel over something that probably has less latency
and is just as stealthy like DNS. Hell or just use a real VPN, or forget
the lot and just use a 3G modem.

Cheers

--
Alexander Clouter
Re: Reply-message and supplicant
Hi,

>> on the client can then extract? this could tunnel traffic through
>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>> at all? once the authentication outer layer is started i should be
>> able to just keep throwing data back/forward through that tube?
>>
> Wait are you talking about something really quite evil here? Like using
> EAP as a VPN tunnel ?!?!

yes. if the supplicant is code I have written and the server is running
a nice bit of PHP or PERL code that i have written then.hmmm PoC ?

alan
Re: Reply-message and supplicant
Alexander Clouter wrote:
> a.l.m.bu...@lboro.ac.uk wrote:
>>> No one in London wants to go to Sussex though and from my logs it does
>>> not look like anyone from Sussex wants to go to London either ;)
>>>
>>> If someone gives me something better to use in my RADIUS packets then
>>> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
>>> together and see if anyone notices.
>> I've been having a look at such packets on the national proxy and wonder
>> if its because people are just blamming a reply-message in at an wrong
>> stage...eg during Auth? would a default entry in use users file or
>> SQL group reply table cause such wrongness? most likely.
>>
> I have an entry in my 'users' file for if people insist on sending their
> username without a realm

... hmm that's pretty standard behaviour. We don't require FQUNs
either. Though I have no idea why you still insist on using user files
for policies. There's this new fangled policy language you know :P

> or mix inner/outer domains, braindead-ness>. It's more for me whilst
> looking through my SQL logs, however I also slip into my Reply-Message
> a comment if the authentication attempt was against a test
> (non-production use) account.
>
Yeah that's fine... Just strip out the Reply-Message before you send the
packet.

>> crack-pipe question of the day:
>>
>> could reply messages be used with some smart server-end code to provide
>> a data communication channel? ie user A has code that attempts to use EAP
>> with special username coding...the remote server is designed
>> to throw responses in EAP messages...which the modified supplicant
>> on the client can then extract? this could tunnel traffic through
>> an 802.1X restricted network? in fact, is the inner EAP traffic limited
>> at all? once the authentication outer layer is started i should be
>> able to just keep throwing data back/forward through that tube?
>>
Wait are you talking about something really quite evil here? Like using
EAP as a VPN tunnel ?!?!

Arran
Re: Reply-message and supplicant
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> No one in London wants to go to Sussex though and from my logs it does
>> not look like anyone from Sussex wants to go to London either ;)
>>
>> If someone gives me something better to use in my RADIUS packets then
>> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
>> together and see if anyone notices.
>
> I've been having a look at such packets on the national proxy and wonder
> if its because people are just blamming a reply-message in at an wrong
> stage...eg during Auth? would a default entry in use users file or
> SQL group reply table cause such wrongness? most likely.

```
#
#  Make Reply-Message RFC 3579 section 2.6.5 compliant: a reply that
#  carries EAP-Message must not also carry Reply-Message.
#
rem_reply_message_if_eap {
	if ("%{reply:EAP-Message}") {
		update reply {
			#  "!*" deletes every Reply-Message in the list, not only
			#  the first one whose value happens to match.
			Reply-Message !* ANY
		}
	}
}
```

It's not exactly hard...

> crack-pipe question of the day:
>
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network? in fact, is the inner EAP traffic limited
> at all? once the authentication outer layer is started i should be
> able to just keep throwing data back/forward through that tube?
>
Completely dependent on the EAP method. Though I suspect some NAS /
Supplicants will set a maximum time limit on how long authentication can
take to complete.

Arran
Re: Reply-message and supplicant
a.l.m.bu...@lboro.ac.uk wrote:
>
>> No one in London wants to go to Sussex though and from my logs it does
>> not look like anyone from Sussex wants to go to London either ;)
>>
>> If someone gives me something better to use in my RADIUS packets then
>> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
>> together and see if anyone notices.
>
> I've been having a look at such packets on the national proxy and wonder
> if its because people are just blamming a reply-message in at an wrong
> stage...eg during Auth? would a default entry in use users file or
> SQL group reply table cause such wrongness? most likely.
>
I have an entry in my 'users' file for if people insist on sending their
username without a realm, or mix inner/outer domains, braindead-ness>.
It's more for me whilst looking through my SQL logs, however I also slip
into my Reply-Message a comment if the authentication attempt was against
a test (non-production use) account.

> crack-pipe question of the day:
>
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network? in fact, is the inner EAP traffic limited
> at all? once the authentication outer layer is started i should be
> able to just keep throwing data back/forward through that tube?
>
Alternatively the 'smart server-end' could just send an Access-Accept :)

Cheers

--
Alexander Clouter
Re: Reply-message and supplicant
Hi,

> No one in London wants to go to Sussex though and from my logs it does
> not look like anyone from Sussex wants to go to London either ;)
>
> If someone gives me something better to use in my RADIUS packets then
> I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
> together and see if anyone notices.

I've been having a look at such packets on the national proxy and wonder
if its because people are just blamming a reply-message in at an wrong
stage...eg during Auth? would a default entry in use users file or
SQL group reply table cause such wrongness? most likely.

crack-pipe question of the day:

could reply messages be used with some smart server-end code to provide
a data communication channel? ie user A has code that attempts to use EAP
with special username coding...the remote server is designed
to throw responses in EAP messages...which the modified supplicant
on the client can then extract? this could tunnel traffic through
an 802.1X restricted network? in fact, is the inner EAP traffic limited
at all? once the authentication outer layer is started i should be
able to just keep throwing data back/forward through that tube?

hmmm

alan
Re: Reply-message and supplicant
Arran Cudbard-Bell wrote:
> On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> No they can't. Reply-Messages are prohibited in packets containing
>>> EAP-Message attributes.
>>
>> really? well...I guess if you believe in RFC 3579 and hope that everyone
>> read section 2.2 of that - invalid packet discussion then you'd
>> hope so... however, I see tonnes of packets proxied through the NRPS
>> that have EAP-Message and Reply-Message in the same packet.
>
> None of them are coming from Sussex though :)
>
No one in London wants to go to Sussex though and from my logs it does
not look like anyone from Sussex wants to go to London either ;)

If someone gives me something better to use in my RADIUS packets then
I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
together and see if anyone notices.

Cheers

--
Alexander Clouter
Re: Reply-message and supplicant
On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> No they can't. Reply-Messages are prohibited in packets containing
>> EAP-Message attributes.
>
> really? well...I guess if you believe in RFC 3579 and hope that everyone
> read section 2.2 of that - invalid packet discussion then you'd
> hope so... however, I see tonnes of packets proxied through the NRPS
> that have EAP-Message and Reply-Message in the same packet.

None of them are coming from Sussex though :)

>> Which is why I specified an alternate VSA :P
>
> aye. Microsoft actually have a 'Reason-Code' that is interesting...
>
> http://technet.microsoft.com/en-us/library/cc785145.aspx

That is indeed interesting. Sent you an email off-list.

Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
Re: Reply-message and supplicant
Hi,

> No they can't. Reply-Messages are prohibited in packets containing
> EAP-Message attributes.

really? well...I guess if you believe in RFC 3579 and hope that everyone
read section 2.2 of that - invalid packet discussion then you'd
hope so... however, I see tonnes of packets proxied through the NRPS
that have EAP-Message and Reply-Message in the same packet.

> Which is why I specified an alternate VSA :P

aye. Microsoft actually have a 'Reason-Code' that is interesting...

http://technet.microsoft.com/en-us/library/cc785145.aspx

alan
Re: Reply-message and supplicant
On 5/6/09 16:18, Sergio Belkin wrote:
> 2009/6/5:
>> Hi,
>>
>>> Does file attrs.access_reject has to with you are talking about?
>>
>> in a way - that file lists the attributes that are allowed
>> to pass after an access reject - you still have to set eg the Reply-Message
>> *or some other VSA* to let the remote site know
>>
>> alan
>
> Sorry for the stupid question, what does "EAP-Message =* ANY" mean?

Allow any value for EAP-Message.

--
Arran Cudbard-Bell
Re: Reply-message and supplicant
2009/6/5 :
> Hi,
>
>> Does file attrs.access_reject has to with you are talking about?
>
> in a way - that file lists the attributes that are allowed
> to pass after an access reject - you still have to set eg the Reply-Message
> *or some other VSA* to let the remote site know
>
> alan

Sorry for the stupid question, what does "EAP-Message =* ANY" mean?

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: Reply-message and supplicant
On 5/6/09 15:21, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Hi Sergio,
>>
>>> Is possible that Reply-message can be seen from laptops running the
>>> supplicant?
>>
>> Not with EAP no. You can use EAP-Notification packets, but very few
>> supplicants display the contents to the user, and the server doesn't
>> support their generation.
>
> which is why rather useful messages can be sent from RADIUS server to
> RADIUS server so that admins can see what is going on but the users
> dont get to see such information

No they can't. Reply-Messages are prohibited in packets containing
EAP-Message attributes.

Which is why I specified an alternate VSA :P

Arran

--
Arran Cudbard-Bell
Re: Reply-message and supplicant
Hi,

> Does file attrs.access_reject has to with you are talking about?

in a way - that file lists the attributes that are allowed
to pass after an access reject - you still have to set eg the Reply-Message
*or some other VSA* to let the remote site know

alan
Re: Reply-message and supplicant
2009/6/5 :
> Hi,
>
>> Hi Sergio,
>>
>>> Is possible that Reply-message can be seen from laptops running the
>>> supplicant?
>>
>> Not with EAP no. You can use EAP-Notification packets, but very few
>> supplicants display the contents to the user, and the server doesn't
>> support their generation.
>
> which is why rather useful messages can be sent from RADIUS server to
> RADIUS server so that admins can see what is going on but the users
> dont get to see such information
>
> alan

Does file attrs.access_reject has to with you are talking about?

--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
Re: Reply-message and supplicant
Hi,

> Hi Sergio,
>
>> Is possible that Reply-message can be seen from laptops running the
>> supplicant?
>
> Not with EAP no. You can use EAP-Notification packets, but very few
> supplicants display the contents to the user, and the server doesn't
> support their generation.

which is why rather useful messages can be sent from RADIUS server to
RADIUS server so that admins can see what is going on but the users
dont get to see such information

alan
Re: Reply-message and supplicant
Hi Sergio,

> Is possible that Reply-message can be seen from laptops running the
> supplicant?

Not with EAP no. You can use EAP-Notification packets, but very few
supplicants display the contents to the user, and the server doesn't
support their generation.

Arran

--
Arran Cudbard-Bell
Re: reply message to rejected users
well i found that option in my config file but I cant find documentation
in man :(

How do I implement with MySQL?

Thanks for help!

On Fri, Jan 30, 2009 at 5:05 AM, Alan DeKok wrote:
> Alex M wrote:
>> i'm trying to display reply message to users whose passwords get rejected.
>> so I setup the group and added my test user there. then i went to
>> groupreply table and added reply message there.
>> Now when I do my testing if password is ok the message is displayed BUT
>> if password is incorrect the message is not displayed.
>
>   Read raddb/sites-available/default.  Look in the "post-auth" section
> for the "Post-Auth-Type Reject" subsection.
>
>   Alan DeKok.
Re: reply message to rejected users
Alex M wrote:
> i'm trying to display reply message to users whose passwords get rejected.
> so I setup the group and added my test user there. then i went to
> groupreply table and added reply message there.
> Now when I do my testing if password is ok the message is displayed BUT
> if password is incorrect the message is not displayed.

  Read raddb/sites-available/default.  Look in the "post-auth" section
for the "Post-Auth-Type Reject" subsection.

  Alan DeKok.
Re: Reply-Message in various clients & EAP vs CHAP.
Arran Cudbard-Bell wrote:
> Does anyone have a draft list of which clients actually support the
> Reply-Message and by which methods they can receive them?

  All clients will accept it.  Very few will do anything useful with it.

> The reason why I ask, is during initial tests (using chap) the built in
> windows CHAP supplicant would display the reply-messages being sent back
> from the server.
> Now we've moved on from CHAP to using EAP and the windows supplicant no
> longer displays the messages.

  Yes.

> Am I right in assuming that with EAP attributes from the access-accept
> packet only get to the NAS and that the NAS will strip out of the EAP
> message and pass it on to the supplicant and thats all the supplicant
> will ever get?

  Yes.

> In which case, although the Reply-Message attribute is also supported in
> PoD the client will never actually receive it when using EAP ?

  Yes.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
RE: reply-message
>> I'm willing to send a reply-message when access-reject occurs. The
>> thing is that, if authorize_check_query fails ( ie: user is
>> not found) then authorize_reply_query is not called. So, I do not
>> know how to send back a Reply-Message Attribute if
>> authorize_reply_query is not executed.
>
> List a module in the "Reject" section of "post-auth".
>
> The SQL configuration you're using is meant to give users
> attributes. It's NOT meant to deal with users who aren't
> found at all. The rest of the server configuration allows
> you to control that.

Thanx for the fast response!.

Now, what do you suggest to do? I'm needing to have some reply-messages
according to some situations.

Example:

  credit of user < 0, then Reply-Message = "No credit"
  destination not available, then Reply-Message = "Destination error"
  etc ...

But, as you said, I'm checking this at the authorize_check_query. If any
of those conditions fail, I'm returning an empty table, and so,
authorize_check_query fails ... then authorize_reply_query is not
executed. Finally, I have no reply-attributes to send back to NAS.

I've tried the post-auth, with the sql module, and a postauth_query. The
table I return contains the Reply-Message = "THE_MESSAGE_NEEDED", but I
can not see the Reply-Message attribute at the access-reject reply.
Obviously it is not adding that attribute to the reply.

How could I add some reply-messages at the access-reject reply, with
variable content, according to some situations? ( keep in mind that I
have all the users info at a sql database ).

Besides this reply-message detail, I really need to say that freeradius
is just a wonderful program. It is really versatile and I only have
thankful words to the programmers of it. I was using ic-radius and I was
kind of scared about migrating to freeradius, because I would take so
much time. It only took a week

Thanx again ...

Regards,
Lucas
Re: reply-message
"Lucas Aimaretto" <[EMAIL PROTECTED]> wrote:
> I'm willing to send a reply-message when access-reject occurs. The thing
> is that, if authorize_check_query fails ( ie: user is not found) , then
> authorize_reply_query is not called. So, I do not know how to send back
> a Reply-Message Attribute if authorize_reply_query is not executed.

  List a module in the "Reject" section of "post-auth".

  The SQL configuration you're using is meant to give users attributes.
It's NOT meant to deal with users who aren't found at all.  The rest of
the server configuration allows you to control that.

  Alan DeKok.
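An added example, not from any message in this thread and not FreeRADIUS's stock configuration, that puts the two answers above into one reject path: Alan's "Post-Auth-Type REJECT" subsection (the reply to Alex M and to Lucas), a Reply-Message whose text is looked up in SQL through the rlm_sql xlat so it can vary per user, and the rem_reply_message_if_eap policy Arran posted earlier on this page so the message never travels next to an EAP-Message (RFC 3579 section 2.6.5). FreeRADIUS 2.x syntax is assumed, as is a MySQL table reject_reason(username, message), an instantiated "sql" module, and that the policy is defined in raddb/policy.conf; the fallback text is made up.

```unlang
#  raddb/sites-available/default (FreeRADIUS 2.x syntax).
#  Added example; the reject_reason table and the fallback text are
#  assumptions, rem_reply_message_if_eap is the policy posted up-thread.

post-auth {
	#  ... sql, exec and the rest of the stock post-auth list ...

	#  Accepts: a users-file or radgroupreply entry may have left a
	#  Reply-Message next to the EAP-Message; drop it before sending.
	rem_reply_message_if_eap

	Post-Auth-Type REJECT {
		#  "=" only adds the attribute when no earlier module set one,
		#  so text chosen by policy wins over the database default.
		#  rlm_sql runs its escape function over the expanded
		#  %{User-Name} inside %{sql:...}, so the lookup is not
		#  injectable through the supplied username.
		update reply {
			Reply-Message = "%{sql:SELECT message FROM reject_reason WHERE username = '%{User-Name}' LIMIT 1}"
		}

		#  Empty result (unknown user, no row): send a generic line
		#  rather than an empty attribute.
		if ("%{reply:Reply-Message}" == "") {
			update reply {
				Reply-Message := "Login rejected; contact your helpdesk"
			}
		}

		#  EAP rejects must not carry Reply-Message (RFC 3579 2.6.5);
		#  some supplicants re-authenticate in a loop if they do.
		#  The text stays in the server's own debug/detail logs.
		rem_reply_message_if_eap

		#  Finally filter the reject down to the attributes listed in
		#  raddb/attrs.access_reject.
		attr_filter.access_reject
	}
}

#  Answers from remote realms pass through post-proxy, not post-auth, so
#  a proxy that wants the same rule on proxied replies lists it here too.
post-proxy {
	rem_reply_message_if_eap
}
```

The order inside REJECT matters: the SQL lookup and fallback run first, the EAP check strips the result again when the reject belongs to an EAP conversation, and attr_filter.access_reject runs last so that whatever an earlier module added and is not permitted on a reject is removed before the packet leaves.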
Re: Reply-Message not copied from Tunnel to outside?
Hi,

since no one answers I'll answer myself :-)

> in my setup I use TTLS-PAP to authenticate users (which works perfectly).
> Now I have setup a test user to enable some keepalive checking for the
> server. I use MySQL as backend and have put a Reply-Message attribute in
> radreply. It gets picked up alright in the tunneled user check and I have
> set "use_tunneled_reply" in eap.conf. So I'd expect to see that
> Reply-Message gets copied to the outside request upon returning the
> request. But this doesn't happen.

[snip...]

> Shouldn't the Reply-Message be copied to the outside when
> "use_tunneled_reply" is on?

I found that the behaviour is as expected (Reply-Message gets copied)
when the user is authenticated, i.e. in Access-Accept messages. Out of
curiosity, I looked into the source code in ttls.c and discovered that
the copying is actually only done when the authentication is successful.

Are there any security reasons for this? If not, a consistent behaviour
would be preferable and I'd consider the current situation being a bug
in either

a) just the documentation: the comments in eap.conf should clearly state
   that use_tunneled_reply only copies the attributes _upon success_

or

b) in the source, because it leads to an inconsistent behaviour when it
   shouldn't.

I'd be happy to provide a (trivial) patch to this problem in the case of b).

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Ingénieur réseau et système
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]     tél.: +352 424409-33
http://www.restena.lu           fax: +352 422473
Re: Reply message when a user is proxied to a realm. is it possible ?
Hi!

> i would like to have a notification when a client is proxied to a
> realm. is it possible ?

It sure is. You can use the pre-proxy {} section and do whatever you like there. For example an exec instance that executes a script of your choice.

It all depends on what you mean by notification. If you just want to have it logged, simply use a detail instance (there is an example for that in the sample config file, I believe). If you want to have a dialog box pop up every time, well, write a script and put it into an exec instance. If you want an alarm bell to go off, attach an alarm bell to the server, write a script that triggers it and put that into exec.

Greetings,

Stefan Winter

--
Stefan WINTER
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Network and systems engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
email: [EMAIL PROTECTED]   tel.: +352 424409-33
http://www.restena.lu   fax: +352 422473
Re: Reply-Message
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> Here is the full output after I uncommented the tls and peap sections in
> eap.conf. I still seem to have a problem

Ok

> Module: Loaded eap
> eap: default_eap_type = md5

So... are you using PEAP or not?

> rlm_eap: processing type md5
> rlm_eap_md5: Issuing Challenge

No, you're not using PEAP.

> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 10 with timestamp 4166a949
> Nothing to do. Sleeping until we see a request.

And the client never responds to the EAP-MD5 challenge.

Alan DeKok.
Re: Reply-Message
Here is the full output after I uncommented the tls and peap sections in eap.conf. I still seem to have a problem

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth
Re: Reply-Message
"Christopher Price" <[EMAIL PROTECTED]> wrote:
> I was told to change as little as possible in the configuration files
> and PEAP/MSCHAPv2 using Microsoft's 802.1x client with an LDAP backend
> DB would work fine. This is not the case and I would appreciate any
> suggestions on what to modify to make this work.

OK...

> The only portion of the config that I changed was the ldap module
> section (to point to my ldap server) and the ldap line in the
> authorize section (uncommented the single line).

You have to configure the tls{} subsection of eap.conf, too.

> I have included some output from the server when I attempt to
> authenticate.

You've edited the output. Don't do that. It makes it impossible for anyone to help you.

> rad_recv: Access-Request packet from host 172.16.83.1:32830, id=20,
> length=111
> User-Name = cprice
> NAS-IP-Address = 172.16.80.4
> NAS-Port = 29
> NAS-Port-Type = Wireless-802.11
> Calling-Station-Id = 00904B91CCAF
> Called-Station-Id = 000B86010C80
> Framed-MTU = 1300
> EAP-Message = 0x0217000b01637072696365
> Message-Authenticator = 0xa125c1b253031500294644d1f713050e
> rlm_ldap: - authorize

There should be a LOT more text between the "Message-Authenticator" line and the "rlm_ldap" line. If you don't understand why it doesn't work, you don't know which parts of the debug log are important, so editing it means you WILL delete the important bits, making it impossible for anyone to help you.

Alan DeKok.
Re: Reply-Message
I was told to change as little as possible in the configuration files and PEAP/MSCHAPv2 using Microsoft's 802.1x client with an LDAP backend DB would work fine. This is not the case and I would appreciate any suggestions on what to modify to make this work.

The only portion of the config that I changed was the ldap module section (to point to my ldap server) and the ldap line in the authorize section (uncommented the single line).

I have included some output from the server when I attempt to authenticate.

Starting - reading configuration files ...
Using deprecated naslist file. Support for this will go away soon.
Module: Loaded exec
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
Module: Instantiated unix (unix)
Module: Loaded eap
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
Module: Instantiated realm (suffix)
Module: Loaded files
Module: Instantiated files (files)
Module: Loaded LDAP
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ldap
rlm_ldap: reading ldap<->radius mappings from file /usr/local/etc/raddb/ldap.attrmap
rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
rlm_ldap: LDAP radiusClass mapped to RADIUS Class
rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
rlm_ldap: LDAP radiusFramedAppleTalkZone m
Re: Reply-Message
On Thu, 7 Oct 2004, EROS wrote:

> Hi,
>
> How do I change the Reply-Message when a user reaches the max-monthly-limit
> of his account?
>
> now I have this message from the radius :
>
> Sending Access-Reject of id 22 to 192.168.200.101:1482
> Reply-Message = "Your maximum monthly usage time has been
> reached"
>
> and I wanna have this :
>
> Sending Access-Reject of id 22 to 192.168.200.101:1482
> Reply-Message = "Hello World"

The Reply-Message is currently hardcoded in rlm_counter so it's rather difficult.

> thx
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Kyriaki Gali
> Sent: Thursday, 7 October 2004 16:14
> To: [EMAIL PROTECTED]
> Subject: Simultaneous-Use
>
> Sorry, guys i found it.. thanks.
>
> Kyriaki Gali,
> IT Applications Specialist
> Kinetix Tele.com Support Center,
> Tel & Fax: +30 2310 256140
> GSM: +30 6947 723737
> http://www.kinetix.gr
> e-mail: [EMAIL PROTECTED]

--
Kostas Kalevras        Network Operations Center
[EMAIL PROTECTED]      National Technical University of Athens, Greece
Work Phone:            +30 210 7721861
'Go back to the shadow' Gandalf
Re: Reply-Message and rlm_perl NOT SENT?!?!?
> "PS" <[EMAIL PROTECTED]> wrote:
>> It's not essential for me, but my intention was to supply some
>> customized message (based on language etc) on accounting-stop saying
>> something like "1.35$ usd has been deducted from your account,
>> current balance is 2.59$ usd. Thank you, hope to see you very soon
>> :))" You get the point...
>
> As I said in my previous message, that message won't be displayed to
> anyone. There's no point in sending it.
>
>> What could be a solution,
>
> There is no solution.
>
>> or where approx. I should tweak the source for radius to permit
>> reply-message in radius-response? Can I add some sort of vendor
>> attribute to be able to send my message??
>
> If the NAS supports it, sure. If not, you can't do what you want.

Of course my NAS supports that, I wouldn't ask if it didn't. The goal is to notify the user of account changes and billed amount after a call is finished. What's a better way than saying it in Accounting-Reply?

> Alan DeKok.
Re: Reply-Message and rlm_perl NOT SENT?!?!?
"PS" <[EMAIL PROTECTED]> wrote:
> It's not essential for me, but my intention was to supply some
> customized message (based on language etc) on accounting-stop saying
> something like "1.35$ usd has been deducted from your account,
> current balance is 2.59$ usd. Thank you, hope to see you very soon
> :))" You get the point...

As I said in my previous message, that message won't be displayed to anyone. There's no point in sending it.

> What could be a solution,

There is no solution.

> or where approx. I should tweak the source for radius to permit
> reply-message in radius-response? Can I add some sort of vendor
> attribute to be able to send my message??

If the NAS supports it, sure. If not, you can't do what you want.

Alan DeKok.
Re: Reply-Message and rlm_perl NOT SENT?!?!?
> > As you see there is msg in the log that Reply-Message pair was
> > added, but at the bottom you can see that it's not sent.
>
> I don't think the RFC's permit Reply-Message in Accounting-Response
> packets.

At least now I know what the problem is.

> In any case, sending a message of "You exceeded simultaneous usage
> limit." in an Accounting-Response packet is pointless. The user will
> NEVER see it.

Yeah ;))) It has no meaning - I just copy-pasted it from another part to see if it is sent. For me the user would see it - I use it for VoIP and my gk resends this attribute to the VoIP endpoint.

It's not essential for me, but my intention was to supply some customized message (based on language etc) on accounting-stop saying something like "1.35$ usd has been deducted from your account, current balance is 2.59$ usd. Thank you, hope to see you very soon :))" You get the point...

What could be a solution, or where approx. I should tweak the source for radius to permit reply-message in radius-response? Can I add some sort of vendor attribute to be able to send my message??

Thank you.

> "PS" <[EMAIL PROTECTED]> wrote:
>> As you see there is msg in the log that Reply-Message pair was
>> added, but at the bottom you can see that it's not sent.
>
> I don't think the RFC's permit Reply-Message in Accounting-Response
> packets.
>
> In any case, sending a message of "You exceeded simultaneous usage
> limit." in an Accounting-Response packet is pointless. The user will
> NEVER see it.
>
> Alan DeKok.
Re: Reply-Message and rlm_perl NOT SENT?!?!?
"PS" <[EMAIL PROTECTED]> wrote:
> As you see there is msg in the log that Reply-Message pair was
> added, but at the bottom you can see that it's not sent.

I don't think the RFC's permit Reply-Message in Accounting-Response packets.

In any case, sending a message of "You exceeded simultaneous usage limit." in an Accounting-Response packet is pointless. The user will NEVER see it.

Alan DeKok.
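An added example, written for this page and not code from the list threads above or from FreeRADIUS itself. It is a small pure-Python RADIUS reply encoder/decoder that serves two of the threads at once: it shows what the NAS actually receives when the server puts Reply-Message into an Access-Reject from the post-auth "Reject" section (the Lucas Aimaretto thread at the top), and it enforces the attribute tables of RFC 2865 section 5.44 and RFC 2866 section 5.13, under which Reply-Message may appear in Access-Accept, Access-Reject and Access-Challenge but has a count of 0 in Accounting-Request and Accounting-Response, which is why the attribute in this thread was added to the reply list and then never sent. The shared secret "testing123", the fixed Request Authenticator and the message texts are constructed sample data, not values from any real deployment. Two details a practitioner wants checked are built in: the Response Authenticator is MD5 over the reply plus the shared secret, so a NAS must discard a reply whose authenticator does not verify, and text longer than 253 bytes must be split across consecutive Reply-Message attributes. One caveat on the post-auth trick itself: returning one text for "user not found" and another for "wrong password" lets anyone who can reach the NAS enumerate valid usernames; a single generic reject text avoids that.

```python
"""Added example (not FreeRADIUS code): encode and decode RADIUS reply
packets, verify the Response Authenticator, and enforce the RFC 2865 /
RFC 2866 rules on where Reply-Message may appear.
All secrets, authenticators and messages here are constructed sample data."""
import hashlib
import struct

# Packet codes (RFC 2865 section 3, RFC 2866 section 3)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5
ACCESS_CHALLENGE = 11

# Attribute types used here (RFC 2865 section 5)
USER_NAME = 1
REPLY_MESSAGE = 18

# Per the attribute tables in RFC 2865 section 5.44 and RFC 2866 section 5.13,
# Reply-Message may occur in Access-Accept/Reject/Challenge and nowhere else;
# its count is 0 in Accounting-Request and Accounting-Response.
REPLY_MESSAGE_ALLOWED_IN = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}

MAX_ATTR_VALUE = 253  # one-byte Length covers Type + Length + up to 253 value bytes


def encode_attrs(attrs):
    """Encode (type, value bytes) pairs as RADIUS TLVs. Reply-Message text
    longer than 253 bytes is split into consecutive attributes (RFC 2865 5.18)."""
    out = bytearray()
    for typ, value in attrs:
        if typ == REPLY_MESSAGE:
            if not value:
                raise ValueError("Reply-Message must carry at least one byte")
            chunks = [value[i:i + MAX_ATTR_VALUE] for i in range(0, len(value), MAX_ATTR_VALUE)]
        else:
            chunks = [value]
        for chunk in chunks:
            if len(chunk) > MAX_ATTR_VALUE:
                raise ValueError("attribute %d value too long" % typ)
            out += struct.pack("!BB", typ, len(chunk) + 2) + chunk
    return bytes(out)


def build_reply(code, ident, request_auth, attrs, secret):
    """Build a reply to a request that carried `request_auth`.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    if code not in REPLY_MESSAGE_ALLOWED_IN and any(t == REPLY_MESSAGE for t, _ in attrs):
        raise ValueError("Reply-Message is not permitted in packet code %d" % code)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse(packet):
    """Parse a packet into (code, ident, authenticator, [(type, value), ...]),
    rejecting bad lengths rather than reading past the buffer."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        typ, alen = struct.unpack("!BB", packet[pos:pos + 2])
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs.append((typ, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def verify_reply(packet, request_auth, secret):
    """True if the Response Authenticator matches; a NAS must discard replies
    that fail this, since anyone could otherwise spoof a UDP Access-Accept."""
    _, _, auth, _ = parse(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return auth == expected


def reply_messages(packet):
    """Concatenate the Reply-Message attributes in wire order."""
    _, _, _, attrs = parse(packet)
    return b"".join(v for t, v in attrs if t == REPLY_MESSAGE).decode("utf-8", "replace")


# Constructed sample inputs (assumptions, not values from the threads above).
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))  # a real NAS sends 16 random bytes per request


def reject_with_message(ident, text):
    """The packet a NAS receives from the post-auth Reject trick in the thread."""
    return build_reply(ACCESS_REJECT, ident, REQUEST_AUTH,
                       [(REPLY_MESSAGE, text.encode())], SECRET)


if __name__ == "__main__":
    pkt = reject_with_message(22, "Your password is wrong\r\n")
    print(parse(pkt)[0], verify_reply(pkt, REQUEST_AUTH, SECRET), repr(reply_messages(pkt)))
```

The check in build_reply is the one a server-side policy hook would apply: an Accounting-Response with Reply-Message is refused outright rather than silently emitted, which is the observable behaviour PS saw in the debug log (attribute added to the reply list, nothing on the wire).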