Re: Using return-output from external script as reply-message

2013-05-18 Thread S y s C o / developer
Hello Stephan, hello Alan,

Have a look at the latest beta version
(http://www.1-2-3-4-5-6.net/multiotp/beta/): you can now set a prefix for
the debug mode, for example to be able to handle the response by the RADIUS
server ;-)
To set this option: multiotp -config debug-prefix="Reply-Message := "
Any feedback welcome
Best regards,
Andre Liechti


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Using return-output from external script as reply-message

2013-03-04 Thread Stefan Kuegler
Hello.

I want to use an external script (multiotp) for authentication in
FreeRADIUS.

I created a new module called multiotp that starts the external script...

exec multiotp {
    wait = yes
    input_pairs = request
    output_pairs = reply
    program = "/etc/freeradius/multiotp/multiotp.php -log -debug '%{User-Name}' '%{User-Password}'"
    shell_escape = yes
}


...and activated this module in the authentication-section of the
default-configuration (and also in the inner-tunnel-configuration):

authenticate {
[...]
    Auth-Type MultiOTP {
        update reply {
            Reply-Message = "Hello, %{User-Name}"
        }
        multiotp
    }
[...]
}



The external script gives me additional information (like "OK: Token
accepted", "INFO: Authentication failed", etc.) after authentication.


When I run freeradius in debug mode, I can see the output-message from
the external script:
[...]
Exec-Program output: 0 OK: Token accepted
Exec-Program-Wait: plaintext: 0 OK: Token accepted
Exec-Program: returned: 0
++[multiotp] returns ok
Login OK: [test] (from client localhost port 0)
[...]

Is it possible to use this output message as the Reply-Message?


Thanks.

Stefan



P.S.
This is the complete output from freeradius -X:

/usr/sbin/freeradius -X
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Sep 11
2012 at 17:06:46

Re: Using return-output from external script as reply-message

2013-03-04 Thread Alan DeKok
Stefan Kuegler wrote:
 exec multiotp {
 wait = yes
 input_pairs = request
 output_pairs = reply

  That says the script output is a series of Attribute = Value lines.

 ...and activated this module in the authentication-section of the
 default-configuration (and also in the inner-tunnel-configuration):
 
 authenticate {
 [...]
 Auth-Type MultiOTP {
 update reply {
 Reply-Message = "Hello, %{User-Name}"
 }
 multiotp
 }

  Update sections should generally be in post-auth, but... whatever.

 The external script gives me additional informations (like OK: Token
 accepted, INFO: Authentication failed etc.) after authentication.

  Which isn't in Attribute = Value form, and is therefore ignored.

  Yes.  Fix the script to send:

Reply-Message := "... text ..."

  Alan DeKok.
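As an added example (not code from this thread or from the multiOTP project), a small Python model of why the bare "0 OK: Token accepted" line is ignored and what the script has to print instead: a parser for the `Attribute op value` lines that rlm_exec reads back through output_pairs, and a wrapper that turns multiotp's debug line into a quoted Reply-Message pair. The pair grammar and the "<code> <text>" layout of the debug line are assumptions simplified from the thread, not the server's own parser.

```python
import re
from typing import List, Tuple

Pair = Tuple[str, str, str]  # (attribute, operator, value)

# One line in the shape rlm_exec's output_pairs parser accepts:
#   Attribute op value    (value bare, or double-quoted with \" and \\ escapes)
# Simplified model of the server's pair parser; an assumption, not FreeRADIUS code.
_PAIR_RE = re.compile(
    r'^\s*([A-Za-z0-9._-]+)\s*(:=|\+=|-=|==|=)\s*'
    r'(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*,?\s*$'
)


def parse_exec_output(text: str) -> List[Pair]:
    """Parse what an exec script printed; lines that are not pairs are dropped."""
    pairs: List[Pair] = []
    for line in text.splitlines():
        m = _PAIR_RE.match(line)
        if m is None:
            # Free text such as "0 OK: Token accepted" is exactly what the
            # thread saw being ignored: it never becomes a reply attribute.
            continue
        if m.group(3) is not None:
            value = re.sub(r'\\(.)', r'\1', m.group(3))  # undo \" and \\
        else:
            value = m.group(4)
        pairs.append((m.group(1), m.group(2), value))
    return pairs


def quote_value(text: str) -> str:
    """Quote a free-text value so the whole string survives as one attribute value."""
    return '"' + text.replace('\\', '\\\\').replace('"', '\\"') + '"'


def reply_message_line(text: str) -> str:
    """The line Alan asks the script to print instead of bare text."""
    return "Reply-Message := " + quote_value(text)


def wrap_debug_line(raw: str) -> Tuple[int, str]:
    """Split multiotp's '<code> <text>' debug line into (exit code, pair line).

    The leading number is taken as the script's result code (assumed from the
    thread's debug output).  A wrapper exits with it, since rlm_exec maps exit
    status 0 to ok and non-zero to reject/fail, and prints the remaining text
    as a Reply-Message pair so the server actually picks it up.
    """
    code_str, _, text = raw.strip().partition(" ")
    return int(code_str), reply_message_line(text)


if __name__ == "__main__":
    # Constructed sample: the line seen in the thread's "Exec-Program output".
    code, line = wrap_debug_line("0 OK: Token accepted")
    print(line)
    print(parse_exec_output(line))
    raise SystemExit(code)
```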


Re: Reply-Message in freeradius

2011-10-06 Thread Arran Cudbard-Bell

On 6 Oct 2011, at 04:27, gary wrote:

 Hi
 One more question.
 How about if user name is wrong? eg: send reply message user name not found

sql
if (notfound) {
    update reply {
        Reply-Message = "User-name not found"
    }
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Reply-Message in freeradius

2011-10-05 Thread Dagia Dorjsuren
Hello,

How do I add a Reply-Message in FreeRADIUS? Can anyone advise me, please?

For example: I would like to send a "Your username or password is wrong" message
to the NAS if someone tries to access my FreeRADIUS with a wrong password from that
NAS.

Thanks,


Re: Reply-Message in freeradius

2011-10-05 Thread Arran Cudbard-Bell

On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:

 Hello,
 
 How do I add a Reply-Message in FreeRADIUS? Can anyone advise me, please?
 
 For example: I would like to send a "Your username or password is wrong"
 message to the NAS if someone tries to access my FreeRADIUS with a wrong
 password from that NAS.
 
raddb/sites-available/default

post-auth {
    Post-Auth-Type REJECT {
        update reply {
            Reply-Message = "Your password is wrong, prepare to be eaten by flying monkeys."
        }
    }
}

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !



Re: Reply-Message in freeradius

2011-10-05 Thread Fajar A. Nugraha
On Wed, Oct 5, 2011 at 9:23 PM, Dagia Dorjsuren dagmi...@yahoo.com wrote:
 Hello,

 How do I add a Reply-Message in FreeRADIUS? Can anyone advise me, please?

post-auth {
...
    update reply {
        Reply-Message = "Your message here\r\n"
    }
...
}


 For example: I would like to send a "Your username or password is wrong"
 message to the NAS if someone tries to access my FreeRADIUS with a wrong
 password from that NAS.

That's tricky. Checking for reject is easy enough (see example in the
default post-auth section).  Checking WHY the rejection happens (e.g.
account expire, wrong password) is not easy.

One workaround is to add your Reply-Message only when there is no
previous message (which is what = does; see man unlang).

-- 
Fajar


Re: Reply-Message in freeradius

2011-10-05 Thread gary
Hi
One more question.
How about if the user name is wrong? e.g. send the reply message "user name not found".


Best Regards
Gary
 


Re: Repeating the same attribute in reply message

2011-05-31 Thread Alan DeKok
Shai Mizrachi wrote:
 My problem is that the attributes I have entered in the users file (under
 the specific user) are not present
 inside the Access-Accept message replied to the ASN-GW/NAS.

  The problem is that you did not read my response, and you did not
follow the instructions in it.

  If you have no intention of listening to the help we give, don't ask
for help.

  Alan DeKok.


Repeating the same attribute in reply message

2011-05-30 Thread Shai Mizrachi
Hi,

I am using FreeRadius 2.1.7-7.el5 on CentOS 5.6.
The RPM package is the one came with the CentOS system.

I am trying to send in the Access-Accept the same attribute twice but with
different values (for the WiMAX QoS descriptor).
I am using the += operator but still, the reply message contains only the
first parameter and the second is just ignored.

I would appreciate some help.

The attributes are:
WiMAX-QoS-Id += 1,
WiMAX-Schedule-Type += Best-Effort,
WiMAX-Traffic-Priority += 1,
WiMAX-Maximum-Sustained-Traffic-Rate += 200,
WiMAX-QoS-Id += 2,
WiMAX-Schedule-Type += Best-Effort,
WiMAX-Traffic-Priority += 1,
WiMAX-Maximum-Sustained-Traffic-Rate += 200,
but I only get this (from radiusd -X):
WiMAX-QoS-Id = 1
WiMAX-Schedule-Type = Best-Effort
WiMAX-Traffic-Priority = 1
WiMAX-Maximum-Sustained-Traffic-Rate = 200

Many Thanks,
Shai.

Re: Repeating the same attribute in reply message

2011-05-30 Thread Alan DeKok
Shai Mizrachi wrote:
 I am trying to send in the Access-Accept the same attribute twice but
 with different values (for the WiMAX QoS descriptor).
 I am using the += operator but still, the reply message contains only
 the first parameter and the second is just ignored.

  It should work.  But maybe 2.1.7 doesn't have the required WiMAX magic.

  What does the debug output show?  Where are the attributes defined?

  Alan DeKok.



Re: Repeating the same attribute in reply message

2011-05-30 Thread Alan DeKok
Shai Mizrachi wrote:
 The users are configured inside /etc/raddb/users (no D.B is used).
 All of the Wimax parameters are working fine, it is just the repeated
 attributes which are failing (not sure this is related to Wimax ?)

  It would help if you said what was *actually* happening.

 I am attaching the output of the radiusd -X, followed by the user
 configured in the users file.
...
 R3-IF-Name += DHCP_Relay_SG,
 PDFID += 2,

  These attributes are NOT in the dictionaries for 2.1.7.  If the server
doesn't complain about them, it's because you've edited the dictionaries.

  If you're going to use Alvarion (which is NOT standard WiMAX), you
will need to use the master branch from http://git.freeradius.org

  And you will need to:

- delete the standard wimax & alvarion dictionaries
- enable the non-standard dictionary.wimax.alvarion, and
  dictionary.alvarion.wimax

  My $0.02 is that you should probably be asking Alvarion for help.
They've gone out of their way to *not* implement the standard.
Everything they do is broken, and they don't see a problem with that.

  Alan DeKok.


RE: Repeating the same attribute in reply message

2011-05-30 Thread Shai Mizrachi
Hi,

My problem is that the attributes I have entered in the users file (under
the specific user) are not present
inside the Access-Accept message replied to the ASN-GW/NAS.
The scenario is the same also for the regular Wimax attributes. The +=
parameter just doesn't work, the second attribute which is identical to a
previous one (and provisioned with +=) is not being inserted to the
Access-Accept message.

Thanks,

Shai. 



Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Martin Goldstone
Hello,

Just looking for a bit of advice here.  I've been setting up freeradius
here recently, and whilst I'm mostly finished, there are a few points
that still need to be addressed.  The main one is sending a (semi)
meaningful reply message when a user is rejected.  Unfortunately, I'm
having trouble figuring out how to return a Reply-Message from within
the inner tunnel.  Well, to be more specific, returning that
Reply-Message within the final Access-Reject.

So far, I've figured that I can update outer.reply within the inner
tunnel, but this gets sent out in an Access-Challenge that follows the
initial failure, not subsequently.  I've tried to put the update
clause within Post-Auth-Type REJECT {}, both in the inner tunnel and
outside as well, with no success (the inner one appears never to be
called; the outer one has no knowledge of what was set in the inner
one), so I could set an arbitrary message such as "failed", but I was
hoping to be a little more helpful than that.

Any pointers as to where to look/what to do, or even if this is
possible, would be appreciated.

Thanks in advance,

Martin
-- 

Martin Goldstone              Keele University, Keele,
IT Systems Administrator      Staffordshire, United Kingdom, ST5 5BG
Finance & IT                  Telephone: +44 1782 734457

Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers

On 24/05/11 12:16, Martin Goldstone wrote:

Hello,

Just looking for a bit of advice here.  I've been setting up freeradius
here recently, and whilst I'm mostly finished, there are a few points
that still need to be addressed.  The main one is sending a (semi)
meaningful reply message when a user is rejected.  Unfortunately, I'm
having trouble figuring out how to return a Reply-Message from within
the inner tunnel.  Well, to be more specific, returning that
Reply-Message within the final Access-Reject.


Do you have this in eap.conf:

 eap {
  peap {
use_tunneled_reply = yes
  }
 }

?


Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Martin Goldstone
On 24/05/11 12:46, Phil Mayers wrote:
 On 24/05/11 12:16, Martin Goldstone wrote:
 Hello,

 Just looking for a bit of advice here.  I've been setting up freeradius
 here recently, and whilst I'm mostly finished, there are a few points
 that still need to be addressed.  The main one is sending a (semi)
 meaningful reply message when a user is rejected.  Unfortunately, I'm
 having trouble figuring out how to return a Reply-Message from within
 the inner tunnel.  Well, to be more specific, returning that
 Reply-Message within the final Access-Reject.
 
 Do you have this in eap.conf:
 
  eap {
   peap {
 use_tunneled_reply = yes
   }
  }
 
 ?

Yes, I have this in both the peap stanza and the ttls stanza.  This
seems to be fine when access is accepted, for example if I set a
Reply-Message saying Welcome in the post-auth section of the
inner-tunnel config, I see this in the final access-accept message.
Also, the output from freeradius -X suggests that (in the case of a user
rejection) it gets the reply from the tunnel and that tunneled
authentication is rejected, but immediately after that it sends an
Access-Challenge out, and then upon receipt of another Access-Request,
goes into peap, figures it has already rejected this one, and finally
sends an Access-Reject, but without any Reply-Message I tried to set in
the inner-tunnel.  If I put something in the Post-Auth REJECT section of
the outer tunnel, it works, but unfortunately at this point it has no
idea of what it had previously set as a Reply-Message, so I can only
send an arbitrary string, such as Authentication Failure, which is a
little obvious and unhelpful.

Thanks
-- 

Martin Goldstone              Keele University, Keele,
IT Systems Administrator      Staffordshire, United Kingdom, ST5 5BG
Finance & IT                  Telephone: +44 1782 734457


Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers

On 24/05/11 15:23, Martin Goldstone wrote:


Yes, I have this in both the peap stanza and the ttls stanza.  This
seems to be fine when access is accepted, for example if I set a
Reply-Message saying Welcome in the post-auth section of the
inner-tunnel config, I see this in the final access-accept message.
Also, the output from freeradius -X suggests that (in the case of a user
rejection) it gets the reply from the tunnel and that tunneled


Ah, damn...

I've just remembered - the PEAP code doesn't save the attributes on 
reject :o(


As you mentioned in your original email, the outer tunnel code doesn't 
have any of the useful info so can only set a generic message.



RE: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Garber, Neal
 so, in inner-tunnel post-auth, set outer.reply 
 to be whatever you want.. you can then, in the 
 outer layer, query/check or use that reply.

There's an additional round trip after the failure
which is why Phil said it needs to be saved.  I 
had a patch to save/restore it; but, it needs 
rework and I don't have the time to do it now.. :-(



Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers

On 05/24/2011 05:03 PM, Alan Buxey wrote:



so, in inner-tunnel post-auth, set outer.reply to be whatever you want..
you can then, in the outer layer, query/check or use that reply.


Unfortunately, outer.reply is an Access-Challenge.


Re: Reply-message stripped from access-reject response

2011-05-15 Thread sbcsgjmbbz



   You've posted the RADIUS messages.  But what about src/dst IP?  Have
you verified that the packets you *think* are the same actually match
for src/dst IP, and src/dst port?  If not, why not go check?  That will
show you WHY the packets are different: they're not the same packet!

You're right again Alan, I was sniffing the wrong TUN interface (there 
are 13 on this server!) Indeed the reply-message is intact as expected. 
Problem resolved, thank you!




Reply-message stripped from access-reject response

2011-05-14 Thread sbcsgjmbbz

Hi,

Using freeradius 1.1.3. I'm trying to get freeradius to return a helpful 
reply-message in access-rejects to the NAS but the reply-message seems 
to get stripped from the access-reject packet. I've configured the 
reply-message as below in /etc/raddb/sites-enabled/default


post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        # Login failed
        update reply {
            Reply-Message = "Login Failure"
        }
        sql
        attr_filter.access_reject
    }
}

Using wireshark on the radius server, I can see the correct 
reply-message AVP as below


Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0xda (218)
Length: 35
Authenticator: a6208196777dac6e68b45f647a46bc44
[This is a response to a request in frame 1]
[Time from request: 1.000227000 seconds]
Attribute Value Pairs
AVP: l=15  t=Reply-Message(18): Login Failure
Reply-Message: Login Failure

However, on the receiving NAS, using wireshark, there is no 
reply-message AVP!


Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0xda (218)
Length: 20
Authenticator: 30636716e333da33ac25c8253097b608
[This is a response to a request in frame 1]
[Time from request: 1.107899000 seconds]

Any ideas on what I could be doing wrong? It would be much appreciated!



Re: Reply-message stripped from access-reject response

2011-05-14 Thread Alan DeKok
sbcsgjm...@snkmail.com wrote:
 Using freeradius 1.1.3.

  Upgrade.

 I'm trying to get freeradius to return a helpful
 reply-message in access-rejects to the NAS but the reply-message seems
 to get stripped from the access-reject packet. I've configured the
 reply-message as below in /etc/raddb/sites-enabled/default

  Huh?  1.1.3 doesn't have sites-enabled.

  Figure out what you're doing.  You won't be able to understand
anything until then.

 Using wireshark on the radius server,

  sigh

  I have no idea why some people are deathly opposed to running the
server in debugging mode.

 However, on the receiving NAS, using wireshark, there is no
 reply-message AVP!

  The packets are from different login attempts.

  Alan DeKok.


Re: Reply-message stripped from access-reject response

2011-05-14 Thread Phil Mayers

On 05/14/2011 11:28 AM, sbcsgjm...@snkmail.com wrote:

Hi,

Using freeradius 1.1.3. I'm trying to get freeradius to return a helpful
reply-message in access-rejects to the NAS but the reply-message seems
to get stripped from the access-reject packet. I've configured the
reply-message as below in /etc/raddb/sites-enabled/default

post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        # Login failed
        update reply {
            Reply-Message = "Login Failure"
        }
        sql
        attr_filter.access_reject
    }
}

Using wireshark on the radius server, I can see the correct
reply-message AVP as below

Radius Protocol
Code: Access-Reject (3)
Packet identifier: 0xda (218)
Length: 35
Authenticator: a6208196777dac6e68b45f647a46bc44
[This is a response to a request in frame 1]
[Time from request: 1.000227000 seconds]
Attribute Value Pairs
AVP: l=15 t=Reply-Message(18): Login Failure
Reply-Message: Login Failure

However, on the receiving NAS, using wireshark, there is no
reply-message AVP!


What is between the radius server and NAS? Something must be, because 
it's modifying the packet. Do you have an intermediate proxy server?



Re: Reply-message stripped from access-reject response

2011-05-14 Thread sbcsgjmbbz
On 14/05/2011 12:55, Alan DeKok aland-at-deployingradius.com 
|freeradius-mailinglist| wrote:

sbcsgjm...@snkmail.com wrote:

Using freeradius 1.1.3.

   Upgrade.


My apologies, I made a mistake, the version is 2.1.7


  I'm trying to get freeradius to return a helpful

reply-message in access-rejects to the NAS but the reply-message seems
to get stripped from the access-reject packet. I've configured the
reply-message as below in /etc/raddb/sites-enabled/default

   Huh?  1.1.3 doesn't have sites-enabled.

   Figure out what you're doing.  You won't be able to understand
anything until then.

Using wireshark on the radius server,

   sigh

   I have no idea why some people are deathly opposed to running the
server in debugging mode.
I'm not at all, I've run it in debugging mode and I can see the 
reply-message as below. I just wanted to make sure the packets on the 
wire were as expected.


Sending Access-Reject of id 184 to 10.0.2.3 port 45566
Reply-Message = Login Failure


However, on the receiving NAS, using wireshark, there is no
reply-message AVP!

   The packets are from different login attempts.
I'm confused, the Packet identifier is the same. Can you explain how you 
know this? Thanks, much appreciated!

   Alan DeKok.


Re: Reply-message stripped from access-reject response

2011-05-14 Thread sbcsgjmbbz


What is between the radius server and NAS? Something must be, because 
it's modifying the packet. Do you have an intermediate proxy server?


No, but the packets are being sent over an OpenVPN tunnel.




Re: Reply-message stripped from access-reject response

2011-05-14 Thread Alan DeKok
sbcsgjm...@snkmail.com wrote:
 Im confused, the Packet identifier is the same. Can you explain how you
 know this. Thanks, much appreciated!

  The packets are different.  Go read them.

  Find out what is modifying the packet *after* the RADIUS server sends
the reply.  Look at the *rest* of the fields of the packet.

  i.e. most of these kinds of problems are difficult to solve because
people IGNORE information that's right in front of them.

  You've posted the RADIUS messages.  But what about src/dst IP?  Have
you verified that the packets you *think* are the same actually match
for src/dst IP, and src/dst port?  If not, why not go check?  That will
show you WHY the packets are different: they're not the same packet!

  The src/dst IP/port will also tell you WHAT is in the middle of the
RADIUS conversation.  That something is the one mangling the packets.

  Alan DeKok.


Re: Custom reply message

2011-05-11 Thread Alan DeKok
Franz wrote:
 Hi,
 I have freeradius 2.1.10 installed and was able to customize some reply
 messages to another language, the only one I am unable to change is the
 one for simultaneous login check, where would I change this reply message?

  You can always edit the Reply-Message in the post-auth section.

  See man unlang for attribute editing operators.

  Alan DeKok.


Re: Custom reply message

2011-05-11 Thread Franz
The thing is, if I put it there, the user will get the same error message
either for max login or for failed login. I've tried putting it like so on
the session part:

sql {
    reject = 1
}
if (reject) {
    update reply {
        Reply-Message := "already in use error"
    }
    ok = reject
}

But no message is being returned.


Re: Custom reply message

2011-05-11 Thread Alan DeKok
Franz wrote:
 The thing is, if I put it there, the user will get the same error
 message either for max login or for failed login. I've tried putting it
 like so on the session part:

  Why?  Why not in the Post-Auth-Type Reject section?

  You can look for a specific Reply-Message, and then re-write it to be
something else.  See man unlang

  Alan DeKok.



Re: Custom reply message

2011-05-11 Thread Franz
I got it working now, I was using the wrong operator = instead of := after
my if statement, here is my code:

if (reply:Reply-Message == "\r\nYou are already logged in - access denied\r\n\n") {
    update reply {
        Reply-Message := "Accès refusé, votre code est déjà en connexion"
    }
}
You were right, any message can be intercepted this way and manipulated to
display something else.
Thanks


Custom reply message

2011-05-10 Thread Franz
Hi,
I have freeradius 2.1.10 installed and was able to customize some reply
messages to another language, the only one I am unable to change is the one
for simultaneous login check, where would I change this reply message?

Thanks
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Runtime-Change of Reply-Message or Group-Membership

2010-08-19 Thread Kneissl Christian
Hello!

I have the following situation:
If a user has some special attributes which I can check for example in the 
authorize section (eg. user is in baduser-Table), I would need to change the 
reply message once for the actual dialin-session. I think changing his 
usergroup-memberhip for the actual session would be the best way for doing 
that. So is there a way to temporarily change the usergroup for the 
reply-message in runtime?

Best regards,

Christian Kneissl


OÖ. Ferngas Netz GmbH, Sitz Linz, FN 293793 z (LG Linz)

This message is confidential and intended only for the addressee(s). If you have 
received this message in error, please notify the sender and delete this message 
and all attachments. Under the Telecommunications Act 2003, forwarding to 
unauthorized persons and/or use for any purpose is prohibited.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: variable expansions in Reply-Message

2010-04-19 Thread Alan DeKok
Isidor Zeuner wrote:
 The problem with the unlang manpage is that it doesn't make it
 very clear _when_ the expansions are processed.

  The expansion gets processed when the attribute is processed.  It
can't be earlier, because the attribute doesn't exist.  It can't be
later, because then the *later* expansions wouldn't work.

  i.e.  Foo = "%{User-Name}"
Bar = "%{Foo}".

  What's Bar?  It's not %{User-Name}.

 Variables are
 definitely expanded before the SQL server receives queries, as the
 query templates use variables. I get the impression that the
 expansions are not processed anymore on the SQL results.

  I don't see why.  That part of the code hasn't changed for a long time.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Re: variable expansions in Reply-Message

2010-04-19 Thread Isidor Zeuner
 Isidor Zeuner wrote:
  The problem with the unlang manpage is that it doesn't make it
  very clear _when_ the expansions are processed.
 
   The expansion gets processed when the attribute is processed.  It
 can't be earlier, because the attribute doesn't exist.  It can't be
 later, because then the *later* expansions wouldn't work.
 

Ok. I was just unsure if it this also holds when the attribute comes
from a source external to the configuration files, like an SQL query.

   i.e.  Foo = "%{User-Name}"
   Bar = "%{Foo}".
 
   What's Bar?  It's not %{User-Name}.
 

Interpreting this as a configuration file snippet, I fully agree. I
just need to find out how the processing of the SQL results map into
that. In the DATA TYPES section of the manpage, the distinction
between single-quoted, double-quoted and back-quoted strings is pretty
clear. Now the expansion behaviour on the SQL results which I am used
to from FreeRADIUS 1.1 is probably the same as the double-quoted
string expansion behaviour. Yet I do not get SQL results to be
expanded on FreeRADIUS 2.1, no matter if I store them unquoted or
double-quoted.

  Variables are
  definitely expanded before the SQL server receives queries, as the
  query templates use variables. I get the impression that the
  expansions are not processed anymore on the SQL results.
 
   I don't see why.  That part of the code hasn't changed for a long time.
 

Ok, thanks. I was just wondering because FreeRADIUS 1.1 _has_ already
been existing for a long time.

So I only need to look at the code which could interfere with the
expansion behaviour somehow, and which might have changed meanwhile.

Best regards,

Isidor
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


variable expansions in Reply-Message

2010-04-18 Thread Isidor Zeuner
Hi,

when using FreeRADIUS 1.1, I could store RADIUS replies like
Reply-Message := "Hello, %u", and get the %u expanded to the username
in the reply. After upgrading to FreeRADIUS 2.1, this doesn't seem
to work anymore, the reply contains the unexpanded %u. Has this
feature been removed, or do I have to configure it explicitly?

Best regards,

Isidor Zeuner
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: variable expansions in Reply-Message

2010-04-18 Thread Tim Sylvester
 when using FreeRADIUS 1.1, I could store RADIUS replies like
 Reply-Message := "Hello, %u", and get the %u expanded to the username
 in the reply. After upgrading to FreeRADIUS 2.1, this doesn't seem
 to work anymore, the reply contains the unexpanded %u. Has this
 feature been removed, or do I have to configure it explicitly?

Isidor,

Check the man page for unlang -- man unlang -- for current details on
strings and variables.

For User-Name, try:  Reply-Message := "Hello, %{User-Name}"

Tim


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RE: variable expansions in Reply-Message

2010-04-18 Thread Isidor Zeuner
Thanks, Tim,

  when using FreeRADIUS 1.1, I could store RADIUS replies like
  Reply-Message := "Hello, %u", and get the %u expanded to the username
  in the reply. After upgrading to FreeRADIUS 2.1, this doesn't seem
  to work anymore, the reply contains the unexpanded %u. Has this
  feature been removed, or do I have to configure it explicitly?
 
 Isidor,
 
 Check the man page for unlang -- man unlang -- for current details on
 strings and variables.
 
  For User-Name, try:  Reply-Message := "Hello, %{User-Name}"
 

I also tried %{User-Name}, but it made no difference.

The problem with the unlang manpage is that it doesn't make it
very clear _when_ the expansions are processed. Variables are
definitely expanded before the SQL server receives queries, as the
query templates use variables. I get the impression that the
expansions are not processed anymore on the SQL results.

Best regards,

Isidor
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Updating Reply-Message in the inner-tunnel then reject-ing

2010-03-09 Thread Bob Franklin

Hello (again),

To aid debugging, I'm adding some Reply-Message values upon rejection, 
to indicate why we rejected it, in some obvious cases.


In the authorize stanza of the inner-tunnel virtual server, I can do:

  update reply {
Reply-Message := '[cam.ac.uk] Inner identity in invalid format'
  }

... this updates the Reply-Message in the inner-tunnel (so 
'%{reply:Reply-Message}' returns this message) and appears to propagate 
back out of the tunnel as '%{reply:Reply-Message}' is set to the same 
thing outside it (i.e. back in the 'default' server), in the case of 
intermediate challenges and the final 'Access-Accept'.



However, if I do this and then issue 'reject' to deny the login, the 
Reply-Message doesn't seem to get out of the inner-tunnel and 
'%{reply:Reply-Message}' outside it is empty.  I've tried 'update 
outer.reply { ... }' and that doesn't work, either.  I presume it also 
wouldn't get out to clients, either.


Is this a bug (this is 2.1.6) or am I doing this wrong?

  - Bob


--
 Bob Franklin rc...@cam.ac.uk  +44 1223 748479
 Network Division, University of Cambridge Computing Service
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Removing an attribute from reply message!

2010-01-23 Thread Hamid Reza Hasani
Hi,
I want to remove an attribute from the reply message (account accept); how
should I do that?
More detail:
I'm using some sqlcounters to count daily, weekly and monthly octets. After
their processing they add Session-Octets-Limit to my reply message.
I want to have a condition so that if this value reaches some special value (for
example 2 bytes), then it removes Session-Octets-Limit from the reply message.
I added these lines at the end of the authorize section:
if (%{reply.Session-Octets-Limit} >= 2) {
    update reply {
        Session-Octets-Limit [I don't know what!]
    }
}
Is it correct? I don't know! Should I add a module or filter or something else?
BTW, how can I remove Session-Octets-Limit from the reply message? Is it
possible?

Thanks.
Hamid Reza Hasani
--
Ya Ali
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RES: Re: Defining Reply-Message for Access-Reject Packets

2010-01-21 Thread Luiz Gustavo de Villa Scandelari
Thu, 21 Jan 2010 10:02:48 +0700 EasyHorpak.com wrote:

An HTML attachment was scrubbed...
URL:
https://lists.freeradius.org/pipermail/freeradius-users/attachments/2010012
1/98ccb1d7/attachment.html

Thanks so much EasyHorpak, it works now perfectly!

LUIZ GUSTAVO DE VILLA SCANDELARI
Skype: luiz.gustavo.wni



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: RES: Re: Defining Reply-Message for Access-Reject Packets

2010-01-21 Thread EasyHorpak.com




Luiz Gustavo de Villa Scandelari wrote:

  
Thu, 21 Jan 2010 10:02:48 +0700 EasyHorpak.com wrote:

An HTML attachment was scrubbed...
URL:

  
  https://lists.freeradius.org/pipermail/freeradius-users/attachments/2010012
1/98ccb1d7/attachment.html

Thanks so much EasyHorpak, it works now perfectly!

LUIZ GUSTAVO DE VILLA SCANDELARI
Skype: luiz.gustavo.wni



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  

Add RESOLVED, man.

Please..

-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Removing an attribute from reply message!

2010-01-20 Thread Hamid Reza Hasani
Hi,
I want to remove an attribute from the reply message (account accept); how
should I do that?
More detail:
I'm using some sqlcounters to count daily, weekly and monthly octets. After
their processing they add Session-Octets-Limit to my reply message.
I want to have a condition so that if this value reaches some special value (for
example 2 bytes), then it removes Session-Octets-Limit from the reply message.
I added these lines at the end of the authorize section:
if (%{reply.Session-Octets-Limit} >= 2) {
    update reply {
        Session-Octets-Limit [I don't know what!]
    }
}
Is it correct? I don't know! Should I add a module or filter or something else?
BTW, how can I remove Session-Octets-Limit from the reply message? Is it
possible?

Thanks.
Hamid Reza Hasani
--
Ya Ali
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Removing an attribute from reply message!

2010-01-20 Thread Alexander Clouter
Hamid Reza Hasani hr.has...@gmail.com wrote:

 [snipped]

 I add this lines at the end of authorize section:
 if (%{reply.Session-Octets-Limit} >= 2) {
 update reply {
 Session-Octets-Limit [I don't know what!and am too lazy 
   to read the docs or look through the 
   mailing list archives so asked the 
   lazyweb instead]
 }
 }

*sigh*

http://freeradius.org/radiusd/man/unlang.html#lbAH

What you are looking for is:

Session-Octets-Limit !* ANY


Although... this was only fixed in 2.1.8... you will see the workaround 
for earlier versions is:

Session-Octets-Limit -= '%{reply:Session-Octets-Limit}'


Cheers

-- 
Alexander Clouter
.sigmonster says: Poverty begins at home.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Defining Reply-Message for Access-Reject Packets

2010-01-20 Thread Luiz Gustavo de Villa Scandelari
Hi,

I have a Freeradius server v2.1.7 with mysql 5 in CentOs 5.3. 

The two situations I need to define reply messages are:

1) Username correct but wrong password;
2) Username and password wrong or just Username wrong;

Thanks to Arran Cudbard-Bell and EasyHorpak.com, I was able to solve the
first situation, but I have no ideas how to solve the second situation,
because the rlm_sql module returns notfound (User not found) and chap
returns invalid, causing an Access-Reject packet. Please can anyone give me an
idea of how to solve that? Should I write some unlang at the sql or at the
authorize section?

Another point I need some help with is changing the dailycounter
reply-message (Your maximum daily usage time has been reached). I also don't
have any idea how to do that. I've read in some emails that I should
change the source code in order to get it working; is that right?

Hope to receive some answer.

Thanks,

LUIZ GUSTAVO DE VILLA SCANDELARI
Skype: luiz.gustavo.wni




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Defining Reply-Message for Access-Reject Packets

2010-01-20 Thread EasyHorpak.com




Luiz Gustavo de Villa Scandelari wrote:

  Hi,

I have a Freeradius server v2.1.7 with mysql 5 in CentOs 5.3. 

The two situations I need to define reply messages are:

1) Username correct but wrong password;
2) Username and password wrong or just Username wrong;

Thanks to Arran Cudbard-Bell and EasyHorpak.com, I was able to solve the
first situation, but I have no ideas how to solve the second situation,
because the rlm_sql module returns notfound ("User not found") and chap
returns invalid, causing an Access-Reject packet. Please can anyone give me an
idea of how to solve that? Should I write some unlang at the sql or at the
authorize section?

Another point I need some help with is changing the dailycounter
reply-message ("Your maximum daily usage time has been reached"). I also don't
have any idea how to do that. I've read in some emails that I should
change the source code in order to get it working; is that right?

Hope to receive some answer.

Thanks,

LUIZ GUSTAVO DE VILLA SCANDELARI
Skype: luiz.gustavo.wni




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

  

For accepting a not-found user, try this, man.

http://www.easyzonecorp.net/network/view.php?ID=1038



-- 
http://www.EasyHorpak.com
http://www.EasyZoneCorp.net
http://www.thai-school.net



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Removing an attribute from reply message!

2010-01-20 Thread Hamid Reza Hasani
Hi,
Thanks for your answer, but there is a small problem. I'm using 2.1.6 and so I
tried your first solution, but radiusd can't run and reports this error:
/etc/raddb/sites-enabled/default[219]: Parse error after
Session-Octets-Limit
Error reading /etc/raddb/radius.conf

I wrote this code in the authorize section:
if (%{reply.Session-Octets-Limit} >= 2) {
    update reply {
        Session-Octets-Limit !* ANY
    }
}

BTW, does your second solution remove the value of Session-Octets-Limit or remove
it completely?

thanks again
Hamid Reza Hasani

Ya Ali

On Wed, Jan 20, 2010 at 8:53 PM, Alexander Clouter a...@digriz.org.uk wrote:

 Hamid Reza Hasani hr.has...@gmail.com wrote:
 
  [snipped]
 
  I add this lines at the end of authorize section:
  if (%{reply.Session-Octets-Limit} >= 2) {
  update reply {
  Session-Octets-Limit [I don't know what!and am too lazy
to read the docs or look through the
mailing list archives so asked the
lazyweb instead]
  }
  }
 
 *sigh*

 http://freeradius.org/radiusd/man/unlang.html#lbAH

 What you are looking for is:
 
 Session-Octets-Limit !* ANY
 

 Although... this was only fixed in 2.1.8... you will see the workaround
 for earlier versions is:
 
 Session-Octets-Limit -= '%{reply:Session-Octets-Limit}'
 

 Cheers

 --
 Alexander Clouter
 .sigmonster says: Poverty begins at home.

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reply-Message

2010-01-19 Thread Andrea Gabellini
Neville,

my postauth_query is:

postauth_query = "INSERT INTO ${postauth_table} (username, reply, accttime, message) \
    VALUES ('%{SQL-User-Name}', '%{reply:Packet-Type}', \
    TO_DATE('%S','yyyy-mm-dd hh24:mi:ss'), \
    '%{%{Module-Failure-Message}:-%{%{reply:Reply-Message}:-Your generic message}}')"

(Adjust accttime for MySQL.)

With this you can catch the error message of the module that rejected the
user, then the reply message, and as a last chance a generic message. You
can swap %{Module-Failure-Message} with %{reply:Reply-Message} if your
reply message is more important.

to strip \r\n in modules/attr_rewrite I added:

attr_rewrite sanereplymessage {
attribute = Reply-Message
# may be packet, reply, proxy, proxy_reply or config
searchin = reply
searchfor = "\n|\r"
replacewith = ""
ignore_case = no
new_attribute = no
max_matches = 10

## If set to yes then the replace string will be
## appended to the original string
append = no
}

and in sites-enabled/default

Post-Auth-Type REJECT {
..
sanereplymessage
sql
..
}



Andrea





Neville ha scritto:
 Thanks, this works a treat and its just what I needed.
 
 Is there anyway to strip the \r\n at the start and end of the
 Reply-Message before writing the TABLE, as it ends up in the tables as:-
 
 =0D=0AYou are already logged in - access denied=0D=0A=0A
 
 Thx
 Nev
 hi,
 configure postauth_query in dialup.conf,

 postauth_query = "UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' \
     WHERE USERNAME='%{SQL-User-Name}'"

 than , you can query the message from DB SERVER.

 BTW:
 if reject user, then  ...

#
#  Access-Reject packets are sent through the REJECT
 sub-section of the
#  post-auth section.
#
#
 Post-Auth-Type REJECT {
     "%{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}'}"
 }

 Message: 1
 Date: Sat, 16 Jan 2010 20:55:45 -
 From: Neville n...@itsnev.co.uk
 Subject: Reply-Message
 To: freeradius-users@lists.freeradius.org
 Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
 Content-Type: text/plain; charset=iso-8859-1

 Hi,

 Is there any way to get the reply message loaded into a SQL TABLE,
 which a user can then query on to see the last reply based on their
 username?

 Thx
 Nev
 -- next part --
 An HTML attachment was scrubbed...
 URL:
 https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html


 --

 Message: 2
 Date: Sat, 16 Jan 2010 13:15:58 -0800
 From: Tim Sylvester tim.sylves...@networkradius.com
 Subject: RE: Reply-Message
 To: 'FreeRadius users mailing list'
 freeradius-users@lists.freeradius.org
 Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
 Content-Type: text/plain; charset=us-ascii

 You can put an entry for the Reply-Message attribute in the radreply
 table.
 For example, if you want to send the message Hi Bob to user bob,
 you would
 add this entry to radreply:



 username   attribute       op   value
 bob        Reply-Message   :=   Hi Bob



 The Reply-Message attribute will be sent back in the Access-Accept
 packet
 sent back to the NAS. Of course, this assumes that you have FreeRADIUS
 configured to use SQL, which is documented in the raddb/sql.conf file
 and
 http://wiki.freeradius.org/SQL_HOWTO.



 Tim




 
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 

-- 


Somewhere in the world there's somebody better than me... but I haven't
met him yet.


Ing. Andrea Gabellini
Email: andrea.gabell...@telecomitalia.sm
Skype: andreagabellini
Tel: (+378) 0549 886111
Fax: (+378) 0549 886188

Telecom Italia San Marino S.p.A.
Strada degli Angariari, 3
47891 Rovereta
Republic of San Marino

http://www.telecomitalia.sm
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message

2010-01-17 Thread zhongwei feng
hi,
configure postauth_query in dialup.conf,

postauth_query = "UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' \
    WHERE USERNAME='%{SQL-User-Name}'"

Then you can query the message from the DB server.

BTW:
if you reject a user, then ...

#
#  Access-Reject packets are sent through the REJECT sub-section of the
#  post-auth section.
#
#  
Post-Auth-Type REJECT {
    "%{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}'}"
}

Message: 1
Date: Sat, 16 Jan 2010 20:55:45 -
From: Neville n...@itsnev.co.uk
Subject: Reply-Message
To: freeradius-users@lists.freeradius.org
Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
Content-Type: text/plain; charset=iso-8859-1

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a 
user can then query on to see the last reply based on their username?

Thx
Nev
-- next part --
An HTML attachment was scrubbed...
URL: 
https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html

--

Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
   freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii

You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:

 

username   attribute       op   value
bob        Reply-Message   :=   Hi Bob

 

The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.

 

Tim

 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message

2010-01-17 Thread Neville

Thanks, this works a treat and it's just what I needed.

Is there any way to strip the \r\n at the start and end of the 
Reply-Message before writing the TABLE, as it ends up in the table as:-


=0D=0AYou are already logged in - access denied=0D=0A=0A

Thx
Nev

hi,
configure postauth_query in dialup.conf,

postauth_query = "UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' \
    WHERE USERNAME='%{SQL-User-Name}'"


than , you can query the message from DB SERVER.

BTW:
if reject user, then  ...

   #
   #  Access-Reject packets are sent through the REJECT sub-section of the
   #  post-auth section.
   #
   #
   Post-Auth-Type REJECT {
       "%{sql:UPDATE POSTREPLY SET REPLYMESSAGE='%{reply:Reply-Message}' WHERE USERNAME='%{SQL-User-Name}'}"
   }


Message: 1
Date: Sat, 16 Jan 2010 20:55:45 -
From: Neville n...@itsnev.co.uk
Subject: Reply-Message
To: freeradius-users@lists.freeradius.org
Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
Content-Type: text/plain; charset=iso-8859-1

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a 
user can then query on to see the last reply based on their username?


Thx
Nev
-- next part --
An HTML attachment was scrubbed...
URL: 
https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html


--

Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii

You can put an entry for the Reply-Message attribute in the radreply 
table.
For example, if you want to send the message Hi Bob to user bob, you 
would

add this entry to radreply:



username   attribute       op   value
bob        Reply-Message   :=   Hi Bob



The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.



Tim







-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-Message

2010-01-17 Thread zhongwei feng
Neville, hello!

So, security reasons. 8-(

1. Modify sql_escape_func(char *out, size_t outlen, const char *in) in
rlm_sql.c, but that is a bad idea.

2. Extend rlm_sql and the DB driver to support parameter binding, and skip
converting the parameter.

=== 2010-01-18 You wrote in your message: ===

Thanks, this works a treat and its just what I needed.

Is there anyway to strip the \r\n at the start and end of the 
Reply-Message before writing the TABLE, as it ends up in the tables as:-

=0D=0AYou are already logged in - access denied=0D=0A=0A

Thx
Nev

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
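As an added example (not code from this thread or from FreeRADIUS), a Python model of what Andrea's postauth_query and attr_rewrite above do and of the parameter-binding point zhongwei feng raises: the nested %{...:-...} fallback chain is evaluated against request/reply attribute lists, CR/LF is stripped from the chosen message, and the row is stored with bound parameters instead of interpolating attribute text into the SQL string. The table name, columns and sample requests are constructed here, and the parser only covers the xlat forms the thread uses.

```python
import re
import sqlite3

# Same fallback chain as the postauth_query quoted above: the failing module's
# message, else the Reply-Message, else a fixed default.
MESSAGE_TEMPLATE = (
    "%{%{Module-Failure-Message}:-%{%{reply:Reply-Message}:-Your generic message}}"
)

# Equivalent of the attr_rewrite block (searchfor = \n|\r, replacewith = "").
_CRLF = re.compile(r"[\r\n]")


def lookup(ref: str, lists: dict) -> str:
    """Resolve a '[list:]Attribute' reference; an unset attribute expands to ''.
    'lists' maps list names ('request', 'reply', ...) to attribute dicts."""
    listname, _, attr = ref.rpartition(":")
    return lists.get(listname or "request", {}).get(attr, "")


def _expand_ref(s: str, pos: int, lists: dict):
    """Parse one reference starting just after '%{'.
    Returns (value, position after the closing '}')."""
    if s.startswith("%{", pos):
        # %{%{inner}:-alternative}: the alternative is used only if inner is empty
        inner, pos = _expand_ref(s, pos + 2, lists)
        if not s.startswith(":-", pos):
            raise ValueError("expected ':-' after nested reference at %d" % pos)
        alt, pos = _expand_text(s, pos + 2, lists, stop="}")
        return (inner if inner else alt), pos
    end = s.find("}", pos)
    if end < 0:
        raise ValueError("unterminated %{ reference")
    return lookup(s[pos:end], lists), end + 1


def _expand_text(s: str, pos: int, lists: dict, stop):
    """Expand literal text with embedded %{...} up to 'stop' (or end of string)."""
    out = []
    while pos < len(s):
        if s.startswith("%{", pos):
            val, pos = _expand_ref(s, pos + 2, lists)
            out.append(val)
        elif s[pos] == stop:
            return "".join(out), pos + 1
        else:
            out.append(s[pos])
            pos += 1
    if stop is not None:
        raise ValueError("unterminated %{ reference")
    return "".join(out), pos


def expand(template: str, lists: dict) -> str:
    """Expand a template the way the xlat engine would, against these lists."""
    return _expand_text(template, 0, lists, stop=None)[0]


def reject_reason(lists: dict) -> str:
    """Message to log for this request, with CR/LF stripped as the
    sanereplymessage attr_rewrite does before the sql module runs."""
    return _CRLF.sub("", expand(MESSAGE_TEMPLATE, lists))


def open_log() -> sqlite3.Connection:
    """Constructed stand-in for the postauth table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE radpostauth (username TEXT, reply TEXT, message TEXT)")
    return conn


def record_postauth(conn: sqlite3.Connection, lists: dict) -> str:
    """Store the row with bound parameters: the driver quotes the values, so
    nothing in the attribute text is ever spliced into the SQL statement."""
    message = reject_reason(lists)
    conn.execute(
        "INSERT INTO radpostauth (username, reply, message) VALUES (?, ?, ?)",
        (lookup("SQL-User-Name", lists) or lookup("User-Name", lists),
         lookup("reply:Packet-Type", lists), message),
    )
    conn.commit()
    return message


def last_messages(conn: sqlite3.Connection, username: str) -> list:
    """What the customer portal would query: newest messages first for one user."""
    rows = conn.execute(
        "SELECT message FROM radpostauth WHERE username = ? ORDER BY rowid DESC",
        (username,),
    ).fetchall()
    return [r[0] for r in rows]


# Constructed sample requests, in the shape the xlats see them.
SIMULTANEOUS_USE = {   # rejected by the Simultaneous-Use check
    "request": {"User-Name": "nev"},
    "reply": {"Packet-Type": "Access-Reject",
              "Reply-Message": "\r\nYou are already logged in - access denied\r\n\n"},
}
BAD_PASSWORD = {       # rejected by rlm_pap; note the quote in the username
    "request": {"User-Name": "o'brien",
                "Module-Failure-Message": "rlm_pap: CLEAR TEXT password check failed"},
    "reply": {"Packet-Type": "Access-Reject"},
}
NO_MESSAGE = {"request": {"User-Name": "nev"}, "reply": {"Packet-Type": "Access-Reject"}}
```

Running record_postauth over the three sample requests stores "You are already logged in - access denied", the rlm_pap failure text and "Your generic message" respectively, and the username with the apostrophe is stored verbatim without any escaping in the config.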

Reply-Message

2010-01-16 Thread Neville
Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a user 
can then query on to see the last reply based on their username?

Thx
Nev
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Reply-Message

2010-01-16 Thread Tim Sylvester
You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:

 

username   attribute       op   value
bob        Reply-Message   :=   Hi Bob

 

The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.

 

Tim

 

From:
freeradius-users-bounces+tim.sylvester=networkradius@lists.freeradius.or
g
[mailto:freeradius-users-bounces+tim.sylvester=networkradius@lists.freer
adius.org] On Behalf Of Neville
Sent: Saturday, January 16, 2010 12:56 PM
To: freeradius-users@lists.freeradius.org
Subject: Reply-Message

 

Hi,

 

Is there any way to get the reply message loaded into a SQL TABLE, which a
user can then query on to see the last reply based on their username?

 

Thx

Nev

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reply-Message

2010-01-16 Thread Neville

Message: 1
Date: Sat, 16 Jan 2010 20:55:45 -
From: Neville n...@itsnev.co.uk
Subject: Reply-Message
To: freeradius-users@lists.freeradius.org
Message-ID: 1c54f0abdafe4ef7b9f3f9d4ec3ef...@nevpc
Content-Type: text/plain; charset=iso-8859-1

Hi,

Is there any way to get the reply message loaded into a SQL TABLE, which a 
user can then query on to see the last reply based on their username?


Thx
Nev
-- next part --
An HTML attachment was scrubbed...
URL: 
https://lists.freeradius.org/pipermail/freeradius-users/attachments/20100116/14c5b8db/attachment.html


--

Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii

You can put an entry for the Reply-Message attribute in the radreply 
table.
For example, if you want to send the message Hi Bob to user bob, you 
would

add this entry to radreply:



username   attribute       op   value
bob        Reply-Message   :=   Hi Bob



The Reply-Message attribute will be sent back in the Access-Accept packet
sent back to the NAS. Of course, this assumes that you have FreeRADIUS
configured to use SQL, which is documented in the raddb/sql.conf file and
http://wiki.freeradius.org/SQL_HOWTO.



Tim

Hi Tim, what I'm after capturing in an SQL Table is the reason for Rejection, 
as these messages are not passed to the client, so in our customers' PORTAL we 
would like to be able to provide them with a list of the most recent ERRORs 
associated with their account.


Sending Access-Reject of id 113 to 91.204.210.136 port 52904
   Reply-Message := "\r\nYou are already logged in - access denied\r\n\n"


Thx
Nev 


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
Hi,

 Alternatively the 'smart server-end' could just send an Access-Accept :)

ah..but then things get logged and you have a session...and most likely then
a local address at the visited site and you'll then have to
use a VPN etc. with the nefarious way, all traffic is transmitted via the
home RADIUS server...unfiltered, unlogged. nasty.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell


 #
 # Make Reply-Message RFC3748 2.6.5 compliant
 #

*

#
# Make Reply-Message RFC3579 2.6.5 compliant
#

Odd that the mime encoded GPG sig validates ok, but the in-line one
doesn't... I wonder what's going on there.




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reply-message and supplicant

2009-06-08 Thread Alan DeKok
Arran Cudbard-Bell wrote:
 This isn't actually mandated anywhere though is it? This is just random
 vendor specific behaviour ?

  IIRC, there's a suggestion to do this, but the actual cut-off number
is vendor-specific.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
Hi,

   IIRC, there's a suggestion to do this, but the actual cut-off number
 is vendor-specific.

..and I guess this cutoff is reported as an EAP failure, and therefore kit
configured to block/deny access will mean that e.g. the 3rd tunnel creation
will be the last for some time

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell

On 8/6/09 11:27, a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> > IIRC, there's a suggestion to do this, but the actual cut-off number
> > is vendor-specific.
>
> ..and I guess this cutoff is reported as an EAP failure and therefore kit
> configured to block/deny access will mean e.g. the 3rd tunnel creation
> will be the last for some time


Yes. Some kit has a configurable 'quiet-period'. So that after the EAP-Success
or EAP-Failure message, it'll wait for a specified period before allowing
another authentication attempt on that port. At least this is true of ProCurve
products, and it seems like a sensible feature so I'm sure Cisco et al will
have implemented it too.


Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2


Re: Reply-message and supplicant

2009-06-08 Thread Alan DeKok
a.l.m.bu...@lboro.ac.uk wrote:
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network?

  For TTLS, just use vendor-specific attributes inside of the TTLS tunnel.

  It shouldn't be too hard to modify the open source supplicants to look
for a message, and do *something* with it.

  Alan DeKok.


Re: Re: Reply-message and supplicant

2009-06-08 Thread David Mitton


A couple comments on this thread...
The problem with including Reply message text in EAP is that the Reply
attribute comes in the Accept or Reject message, which will be carrying the
EAP Success or Fail. EAP Success/Fail, like a Reject, doesn't carry
attributes, so a Reply would have to be turned into a Notification message
by a smart AP and sent as an exchange prior to the Success/Fail. That
doesn't look likely.

An EAP method can send its own Notification message including any text it
wants. This will get wrapped in RADIUS with an EAP message attribute in an
Access-Challenge, and go the normal path. The next problem is getting the
supplicant to do anything with it, like show the user.

This can be a problem if your supplicant is Windows. The Windows wireless
EAP system silently discards EAP Notification messages on XP. On Vista, an
EAPHost API method can get them if they ask. A RasEap API method is SOL,
because they are discarded and not responded to, breaking the protocol.
(Ask me how I know ;^} ) Look for a forthcoming patch for Vista.
Dave.

Re: Re: Reply-message and supplicant

2009-06-08 Thread A . L . M . Buxey
hi,

Some useful information...however, people will be far more
likely to read your email if you send it as plain text
rather than HTML.

alan


Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell

On 8/6/09 13:26, David Mitton wrote:

> A couple comments on this thread...
>
> The problem with including Reply message text in EAP is that the Reply
> attribute comes in the Accept or Reject message, which will be carrying
> the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
> attributes, so a Reply would have to be turned into a Notification
> message by a smart AP and sent as an exchange prior to the Success/Fail.
> That doesn't look likely.


ProCurve wired switches do this in the earlier software versions < H.10.74.
They actually send the EAP-Notification *after* the EAP-Success or EAP-Failure
which is what breaks WPA-Supplicant.

As far as its state machines are concerned the EAP-Success/EAP-Failure
messages signify the end of authentication... so if it receives an
EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees it
as the NAS requesting to restart authentication.




> An EAP method can send it's own Notification message including any text
> it wants. This will get wrapped in RADIUS with an EAP message attribute
> in an Access-Challenge, and go the normal path. The next problem is
> getting the supplicant to do anything with it, like show the user.



WPA_Supplicant shows the contents of EAP-Notifications, the Mac OSX supplicant
logs the message to /var/system.log, the Windows supplicant largely ignores them.


> This can be a problem if your supplicant is Windows. The Windows
> wireless EAP system silently discards EAP Notification messages on XP.
> On Vista, an EAPHost API method can get them if they ask. A RasEap API
> method is SOL, because they are discarded and not responded to, breaking
> the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for
> Vista.



Arran


Re: Reply-message and supplicant

2009-06-08 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
> On 8/6/09 13:26, David Mitton wrote:
> > A couple comments on this thread...
> >
> > The problem with including Reply message text in EAP is that the Reply
> > attribute comes in the Accept or Reject message, which will be carrying
> > the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
> > attributes, so a Reply would have to be turned into a Notification
> > message by a smart AP and sent as an exchange prior to the Success/Fail.
> > That doesn't look likely.
>
> ProCurve wired switches do this in the earlier software versions <
> H.10.74. They actually send the EAP-Notification *after* the
> EAP-Success or EAP-Failure which is what breaks WPA-Supplicant.
>
> As far as its state machines are concerned the EAP-Success/EAP-Failure
> messages signify the end of authentication... so if it receives an
> EAP-Notification message *after* the EAP-Success/EAP-Failure, it sees
> it as the NAS requesting to restart authentication.

http://tools.ietf.org/html/rfc3748#section-5.2

Implies that if you send EAP-Notification with an EAP-Success/Failure 
you are being a bad bad boy. However that is me reading 'prior to 
completion' meaning any packet before EAP-Success/Failure which does 
not include that final packet.
 
Cheers

-- 
Alexander Clouter
.sigmonster says: MOKE DAT YIGARETTE
-- The Last Coin, James P. Blaylock



Re: Reply-message and supplicant

2009-06-07 Thread A . L . M . Buxey
Hi,

> > on the client can then extract? this could tunnel traffic through
> > an 802.1X restricted network? in fact, is the inner EAP traffic limited
> > at all?  once the authentication outer layer is started i should be
> > able to just keep throwing data back/forward through that tube?
>
> Wait are you talking about something really quite evil here? Like using
> EAP as a VPN tunnel ?!?!

yes. if the supplicant is code I have written and the server is running
a nice bit of PHP or PERL code that I have written then... hmmm PoC?

alan


Re: Reply-message and supplicant

2009-06-07 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>
> Alexander Clouter wrote:
> > a.l.m.bu...@lboro.ac.uk wrote:
> > > > No one in London wants to go to Sussex though and from my logs it does
> > > > not look like anyone from Sussex wants to go to London either ;)
> > > >
> > > > If someone gives me something better to use in my RADIUS packets then
> > > > I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> > > > together and see if anyone notices.
> > > I've been having a look at such packets on the national proxy and wonder
> > > if its because people are just blamming a reply-message in at an wrong
> > > stage...eg during Auth? would a default entry in use users file or
> > > SQL group reply table cause such wrongness? most likely.
> >
> > I have an entry in my 'users' file for if people insist on sending their
> > username without a realm
>
> ... hmm that's pretty standard behaviour. We don't require FQUNs
> either.  Though I have no idea why you still insist on using user files
> for policies. There's this new fangled policy language you know :P

We *demand* it as otherwise the helpdesk get lazy and users start 
complaining that 'eduroam' does not work.

As for using the user file for policies, why would I care?  It works, 
does what I need.  For me, I don't particularly find the unlang stuff 
particularly compact/natural and it's a bit verbose for my liking; I 
have not lost anything not using it.

For some things I do use it, things that cannot be expressed in the 
users file.  Whatever looks the cleanest and more natural way, is what 
I use.

Much like why I use LaTeX for presentations rather than some new 
'fangled' tool for giving presentations :P

> >   or mix inner/outer domains, insert other
> > braindead-ness.  It's more for me whilst looking through my SQL logs,
> > however I also slip into my Reply-Message a comment if the
> > authentication attempt was against a test (non-production use) account.
>
> Yeah that's fine... Just strip out the Reply-Message before you send the
> packet.

Do you know of an *alternative* way to send human readable messages to
sysadmins at other sites?

Scenario:

The users we block for AUP violations or whatever might be roaming.
Users *lie*, always, and cannot be trusted.  If I just straightly block
the user and the user grumbles to the remote sysadmin they are going to
pester me.  If they look in their logs there is a possibility that they
are logging Reply-Message and can see this user is actually blocked and
nothing on a technical level is wrong.

It might be upsetting the RFCs, but I challenge you (for example) to
pick a selection of IPv6 related RFCs that do not clash with one
another.  I'm guessing Alan could probably point out where the RFCs
conflict against one another in the RADIUS world too.

If my Reply-Messages break something, I'll stop sending them.  I think
you need to stop worrying about the Reply-Messages and maybe look out
for those borken folk who keep insisting on telling me to put their users
in a particular VLAN, maybe we could just get JANET to refuse those IAS
users. :)

> > > crack-pipe question of the day:
> > >
> > > could reply messages be used with some smart server-end code to provide
> > > a data communication channel? ie user A has code that attempts to use EAP
> > > with special username coding...the remote server is designed
> > > to throw responses in EAP messages...which the modified supplicant
> > > on the client can then extract? this could tunnel traffic through
> > > an 802.1X restricted network? in fact, is the inner EAP traffic limited
> > > at all?  once the authentication outer layer is started i should be
> > > able to just keep throwing data back/forward through that tube?
>
> Wait are you talking about something really quite evil here? Like using
> EAP as a VPN tunnel ?!?!

Again, why *bother*.  If someone is sending a malicious RADIUS server an 
Access-Request message, all it has to do is send back an Access-Accept.  
Hell you can then tunnel over something that probably has less latency 
and is just as stealthy like DNS.  Hell or just use a real VPN, or 
forget the lot and just use a 3G modem.

Cheers

-- 
Alexander Clouter
.sigmonster says: Try `stty 0' -- it works much better.



Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Hi,
> > > on the client can then extract? this could tunnel traffic through
> > > an 802.1X restricted network? in fact, is the inner EAP traffic limited
> > > at all?  once the authentication outer layer is started i should be
> > > able to just keep throwing data back/forward through that tube?
> >
> > Wait are you talking about something really quite evil here? Like using
> > EAP as a VPN tunnel ?!?!
>
> yes. if the supplicant is code I have written and the server is running
> a nice bit of PHP or PERL code that I have written then... hmmm PoC
>
You just have to make it appear to the NAS that you're doing EAP. You
don't actually have to *do* EAP.

There's no reason why you couldn't tunnel IPv4 so long as the packets
had a valid EAP header prepended to them. Send your EAP start, send the
identity response... then you can pretty much do whatever you like, so
long as it has a valid EAP header and the end server is in on the trick.

Had you got any special plans for this other than annoying
administrators by filling up their logs with very large EAP messages ?

Arran




Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Alexander Clouter wrote:
> Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
> >
> > Alexander Clouter wrote:
> > > a.l.m.bu...@lboro.ac.uk wrote:
> > > > > No one in London wants to go to Sussex though and from my logs it does
> > > > > not look like anyone from Sussex wants to go to London either ;)
> > > > >
> > > > > If someone gives me something better to use in my RADIUS packets then
> > > > > I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> > > > > together and see if anyone notices.
> > > > I've been having a look at such packets on the national proxy and wonder
> > > > if its because people are just blamming a reply-message in at an wrong
> > > > stage...eg during Auth? would a default entry in use users file or
> > > > SQL group reply table cause such wrongness? most likely.
> > >
> > > I have an entry in my 'users' file for if people insist on sending their
> > > username without a realm
> >
> > ... hmm that's pretty standard behaviour. We don't require FQUNs
> > either.  Though I have no idea why you still insist on using user files
> > for policies. There's this new fangled policy language you know :P
>
> We *demand* it as otherwise the helpdesk get lazy and users start
> complaining that 'eduroam' does not work.
>
Hmm that's a good point. I guess the difference is that we were doing
802.1X before eduroam and didn't want to affect legacy behaviour. Looks
like we're going down the everything under one SSID route now, so 'It
just works' when users roam. Maybe we'll have to look at getting rid of
non-qualified usernames.
> As for using the user file for policies, why would I care?  It works,
> does what I need.

It doesn't scale (for very complex policies), it doesn't promote code
reuse, it's limited in terms of its applications. But if it works for
you...
> For me, I don't particularly find the unlang stuff
> particularly compact/natural and it's a bit verbose for my liking; I
> have not lost anything not using it.
>
> For some things I do use it, things that cannot be expressed in the
> users file.  Whatever looks the cleanest and more natural way, is what
> I use.
>
> Much like why I use LaTeX for presentations rather than some new
> 'fangled' tool for giving presentations :P
>
Yeah, you're just weird :)
> > >   or mix inner/outer domains, insert other
> > > braindead-ness.  It's more for me whilst looking through my SQL logs,
> > > however I also slip into my Reply-Message a comment if the
> > > authentication attempt was against a test (non-production use) account.
> >
> > Yeah that's fine... Just strip out the Reply-Message before you send the
> > packet.
>
> Do you know of an *alternative* way to send human readable messages to
> sysadmins at other sites?
>
Eduroam VSAs.


The EAP/Reply message combination is disallowed for a good reason, and
I've seen it break things in real world scenarios.

ProCurve Switch + Linux Laptop (any version of WPA Supplicant) +
Reply-Message + EAP-Message = Rapid Re-Authentication.

This has been discussed before on list. Jouni Malinen acknowledged the
issue, but quite rightly did nothing to correct it. In the end it's the
RADIUS server breaking the RFC; it's not the supplicant's job to deal
with sysadmins' screwups.
> Scenario:
>
> The users we block for AUP violations or whatever might be roaming.
> Users *lie*, always, and cannot be trusted.  If I just straightly block
> the user and the user grumbles to the remote sysadmin they are going to
> pester me.  If they look in their logs there is a possibility that they
> are logging Reply-Message and can see this user is actually blocked and
> nothing on a technical level is wrong.
>

They're mandated to record all packets sent and received to/from the NRPS.

> It might be upsetting the RFCs, but I challenge you (for example) to
> pick a selection of IPv6 related RFCs that do not clash with one
> another.
RFC 3579:

2.6.5.  Displayable Messages

   The Reply-Message attribute, defined in [RFC2865], Section 5.18,
   indicates text which may be displayed to the peer.  This is similar
   in concept to EAP Notification, defined in [RFC2284].  When sending a
   displayable message to a NAS during an EAP conversation, the RADIUS
   server MUST encapsulate displayable messages within
   EAP-Message/EAP-Request/Notification attribute(s).  Reply-Message
   attribute(s) MUST NOT be included in any RADIUS message containing an
   EAP-Message attribute.  An EAP-Message/EAP-Request/Notification
   SHOULD NOT be included within an Access-Accept or Access-Reject
   packet.


I don't give a damn whether they conflict (though I don't believe this
particular section conflicts with any other RFCs); that's not the point.

The case documented above will undoubtedly have been seen at sites other
than ours. It puts load on the NRPS, it puts load on the ORPS and it
fills our RADIUS server logs with spurious entries.

> I'm guessing Alan could probably point out where the RFCs
> conflict against one another in the RADIUS world too.
>
> If my Reply-Messages break something, I'll stop sending

Re: Reply-message and supplicant

2009-06-07 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
>
> > > ... hmm that's pretty standard behaviour. We don't require FQUNs
> > > either.  Though I have no idea why you still insist on using user files
> > > for policies. There's this new fangled policy language you know :P
> >
> > We *demand* it as otherwise the helpdesk get lazy and users start
> > complaining that 'eduroam' does not work.
>
> Hmm that's a good point. I guess the difference is that we were doing
> 802.1X before eduroam and didn't want to affect legacy behaviour. Looks
> like we're going down the everything under one SSID route now, so 'It
> just works' when users roam. Maybe we'll have to look at getting rid of
> non-qualified usernames.

As us folks down here in London get (probably) more roaming than
non-high university density areas it's a problem that's regularly seen.
It's a simple and effective way to avoid this problem and it seems to be
behind about 80% of the reasons when users cannot roam.

> > Do you know of an *alternative* way to send human readable messages to
> > sysadmins at other sites?
>
> Eduroam VSAs.
>
> The EAP/Reply message combination is disallowed for a good reason, and
> I've seen it break things in real world scenarios.
>
> [snipped RFC grumblings]
>
Okay, okay, during my summer RADIUS refresh work I'll fix this.

Cheers

-- 
Alexander Clouter
.sigmonster says: Life is a series of rude awakenings.
-- R. V. Winkle



Re: Reply-message and supplicant

2009-06-07 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> There's no reason why you couldn't tunnel IPv4 so long as the packets
> had a valid EAP header prepended to them. Send your EAP start, send the
> identity response... then you can pretty much do whatever you like, so
> long as it has a valid EAP header and the end server is in on the trick.

  Most AP's will hang up on the EAP session after 40-50 packets.

  Alan DeKok.
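Alan's 40-50 packet figure is a NAS-side cut-off. As an added example (my own Python, not FreeRADIUS code or anything posted to this list), here is the RADIUS-side counterpart from a defender's seat: it counts Access-Challenge round trips per NAS and client MAC in a log and flags conversations that run far longer than any legitimate EAP method needs, so the "very large EAP messages" Arran mentions show up as an alert rather than only as log bloat. The one-line-per-packet log format, the addresses, the MACs and the 40-round threshold are all constructed assumptions for this example; a real deployment would feed it the server's own request log or post-auth SQL table.

```python
"""Added example, not FreeRADIUS code: flag EAP conversations that need far
more Access-Challenge rounds than a normal authentication.  The log line
format and every sample line below are constructed for this example."""
import re
from collections import defaultdict

# Constructed log line shape: "<time> <code> nas=<ip> mac=<calling-station-id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<code>Access-(?:Request|Challenge|Accept|Reject))"
    r"\s+nas=(?P<nas>\S+)\s+mac=(?P<mac>\S+)$")


def _make_log(mac: str, rounds: int, outcome: str, start: int) -> list:
    """Build one constructed conversation: `rounds` Request/Challenge pairs,
    then a final Access-Request answered by `outcome`."""
    lines = []
    t = start
    for _ in range(rounds):
        lines.append(f"{t:06d} Access-Request nas=10.0.0.1 mac={mac}")
        lines.append(f"{t + 1:06d} Access-Challenge nas=10.0.0.1 mac={mac}")
        t += 2
    lines.append(f"{t:06d} Access-Request nas=10.0.0.1 mac={mac}")
    lines.append(f"{t + 1:06d} {outcome} nas=10.0.0.1 mac={mac}")
    return lines


# Constructed sample: two ordinary PEAP-sized conversations and one that
# keeps the challenge/response loop going for 45 rounds.
SAMPLE_LOG = (_make_log("00:11:22:33:44:01", 6, "Access-Accept", 0)
              + _make_log("00:11:22:33:44:02", 45, "Access-Reject", 100)
              + _make_log("00:11:22:33:44:03", 7, "Access-Accept", 300))


def conversation_lengths(lines) -> list:
    """Return [(nas, mac, challenges)] per conversation, where a conversation
    is the run of packets for one (nas, mac) up to an Access-Accept or
    Access-Reject.  Conversations still open at end of log are reported too."""
    open_counts = defaultdict(int)
    finished = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines we do not understand
        key = (m["nas"], m["mac"])
        if m["code"] == "Access-Challenge":
            open_counts[key] += 1
        elif m["code"] in ("Access-Accept", "Access-Reject"):
            finished.append((key[0], key[1], open_counts.pop(key, 0)))
    finished.extend((k[0], k[1], n) for k, n in open_counts.items())
    return finished


def long_conversations(lines, max_challenges: int = 40) -> list:
    """MACs whose conversation needed more than `max_challenges` rounds.
    The default is an assumption taken from the 40-50 packet figure in the
    thread; tune it to the EAP methods actually in use."""
    return sorted(mac for _, mac, n in conversation_lengths(lines)
                  if n > max_challenges)


if __name__ == "__main__":
    for nas, mac, n in conversation_lengths(SAMPLE_LOG):
        print(f"{nas} {mac}: {n} challenges")
    print("over threshold:", long_conversations(SAMPLE_LOG))
```

Keying on NAS plus Calling-Station-Id rather than on the State attribute is deliberate: FreeRADIUS issues a fresh State value on every EAP round, so State cannot tie the rounds of one conversation together, whereas the client MAC stays constant until the Accept or Reject closes the exchange.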


Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
> > There's no reason why you couldn't tunnel IPv4 so long as the packets
> > had a valid EAP header prepended to them. Send your EAP start, send the
> > identity response... then you can pretty much do whatever you like, so
> > long as it has a valid EAP header and the end server is in on the trick.
>
> Most AP's will hang up on the EAP session after 40-50 packets.
>
Aww; and it seemed like such a nice concept. Most include a
'quiet-period' before they'll allow the supplicant to reattempt
authentication.

This isn't actually mandated anywhere though is it? This is just random
vendor specific behaviour ?

Arran




Re: Reply-message and supplicant

2009-06-06 Thread A . L . M . Buxey
Hi,

> No one in London wants to go to Sussex though and from my logs it does
> not look like anyone from Sussex wants to go to London either ;)
>
> If someone gives me something better to use in my RADIUS packets then
> I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> together and see if anyone notices.

I've been having a look at such packets on the national proxy and wonder
if its because people are just blamming a reply-message in at an wrong
stage...eg during Auth? would a default entry in use users file or
SQL group reply table cause such wrongness? most likely.

crack-pipe question of the day:

could reply messages be used with some smart server-end code to provide 
a data communication channel? ie user A has code that attempts to use EAP
with special username coding...the remote server is designed
to throw responses in EAP messages...which the modified supplicant
on the client can then extract? this could tunnel traffic through
an 802.1X restricted network? in fact, is the inner EAP traffic limited
at all?  once the authentication outer layer is started i should be
able to just keep throwing data back/forward through that tube? 

hmmm

alan


Re: Reply-message and supplicant

2009-06-06 Thread Alexander Clouter
a.l.m.bu...@lboro.ac.uk wrote:
>
> > No one in London wants to go to Sussex though and from my logs it does
> > not look like anyone from Sussex wants to go to London either ;)
> >
> > If someone gives me something better to use in my RADIUS packets then
> > I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> > together and see if anyone notices.
>
> I've been having a look at such packets on the national proxy and wonder
> if its because people are just blamming a reply-message in at an wrong
> stage...eg during Auth? would a default entry in use users file or
> SQL group reply table cause such wrongness? most likely.
>
I have an entry in my 'users' file for if people insist on sending their 
username without a realm, or mix inner/outer domains, insert other 
braindead-ness.  It's more for me whilst looking through my SQL logs, 
however I also slip into my Reply-Message a comment if the 
authentication attempt was against a test (non-production use) account.

> crack-pipe question of the day:
>
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network? in fact, is the inner EAP traffic limited
> at all?  once the authentication outer layer is started i should be
> able to just keep throwing data back/forward through that tube?
>
Alternatively the 'smart server-end' could just send an Access-Accept :)

Cheers

-- 
Alexander Clouter
.sigmonster says: Available while quantities last.



Re: Reply-message and supplicant

2009-06-06 Thread Arran Cudbard-Bell

a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > No one in London wants to go to Sussex though and from my logs it does
> > not look like anyone from Sussex wants to go to London either ;)
> >
> > If someone gives me something better to use in my RADIUS packets then
> > I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> > together and see if anyone notices.
>
> I've been having a look at such packets on the national proxy and wonder
> if its because people are just blamming a reply-message in at an wrong
> stage...eg during Auth? would a default entry in use users file or
> SQL group reply table cause such wrongness? most likely.

#
# Make Reply-Message RFC3748 2.6.5 compliant
#
rem_reply_message_if_eap {
    # Only act when the reply already carries an EAP-Message
    if ("%{reply:EAP-Message}") {
        update reply {
            # Remove the Reply-Message so the two never travel together
            Reply-Message -= "%{reply:Reply-Message}"
        }
    }
    else {
        noop
    }
}

It's not exactly hard...

> crack-pipe question of the day:
>
> could reply messages be used with some smart server-end code to provide
> a data communication channel? ie user A has code that attempts to use EAP
> with special username coding...the remote server is designed
> to throw responses in EAP messages...which the modified supplicant
> on the client can then extract? this could tunnel traffic through
> an 802.1X restricted network? in fact, is the inner EAP traffic limited
> at all?  once the authentication outer layer is started i should be
> able to just keep throwing data back/forward through that tube?


Completely dependent on the EAP method. Though I suspect some NAS /
Supplicants will set a maximum time limit on how long authentication can
take to complete.

Arran
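Arran's rem_reply_message_if_eap policy above, the RFC 3579 section 2.6.5 text he quotes in his 7 June reply, and David Mitton's description of a Notification travelling inside an Access-Challenge all come down to one rule: during an EAP conversation, text for the user goes in an EAP-Request/Notification carried by EAP-Message attributes, and a Reply-Message must never sit next to an EAP-Message. As an added example (my own Python, not FreeRADIUS code or anything posted to this list), the following models that rule end to end: it encodes the Notification per RFC 3748 section 5.2, fragments it into EAP-Message attribute values, mirrors the unlang policy, and checks a reply for the MUST NOT and SHOULD NOT clauses. The (name, value) attribute lists, the packet-code constants and the sample packets are constructed assumptions for the example.

```python
"""Added example, not FreeRADIUS code or anything posted to the list: model
the RFC 3579 2.6.5 rules discussed in this thread.  A RADIUS reply is
modelled as a packet code plus a list of (attribute-name, value) pairs;
the constants and sample packets below are constructed for the example."""

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11   # RFC 2865 packet codes

EAP_REQUEST = 1              # RFC 3748 section 4: Code = Request
EAP_TYPE_NOTIFICATION = 2    # RFC 3748 section 5.2: Type = Notification
EAP_MESSAGE_MAX = 253        # largest value one RADIUS attribute can carry


def eap_notification(identifier: int, text: str) -> bytes:
    """Encode an EAP-Request/Notification packet:
    Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data."""
    data = text.encode("utf-8")
    length = 5 + len(data)
    if length > 0xFFFF:
        raise ValueError("notification text too long for one EAP packet")
    header = bytes([EAP_REQUEST, identifier & 0xFF]) + length.to_bytes(2, "big")
    return header + bytes([EAP_TYPE_NOTIFICATION]) + data


def split_eap_message(packet: bytes) -> list:
    """Fragment one EAP packet into EAP-Message attribute values (RFC 3579
    section 3.1): at most 253 octets each, in order, so the NAS can
    concatenate them back into the original packet."""
    return [packet[i:i + EAP_MESSAGE_MAX]
            for i in range(0, len(packet), EAP_MESSAGE_MAX)]


def strip_reply_message_if_eap(attrs: list) -> list:
    """Python equivalent of the rem_reply_message_if_eap unlang policy:
    drop every Reply-Message once the reply carries an EAP-Message."""
    if any(name == "EAP-Message" for name, _ in attrs):
        return [(name, value) for name, value in attrs if name != "Reply-Message"]
    return list(attrs)


def rfc3579_violations(code: int, attrs: list) -> list:
    """List the RFC 3579 2.6.5 rules a reply breaks (empty list = compliant)."""
    names = {name for name, _ in attrs}
    problems = []
    if "EAP-Message" in names and "Reply-Message" in names:
        problems.append("MUST NOT: Reply-Message in a packet carrying EAP-Message")
    # Reassemble the EAP-Message fragments so the EAP header can be inspected.
    eap = b"".join(value for name, value in attrs if name == "EAP-Message")
    is_notification = (len(eap) >= 5 and eap[0] == EAP_REQUEST
                       and eap[4] == EAP_TYPE_NOTIFICATION)
    if is_notification and code in (ACCESS_ACCEPT, ACCESS_REJECT):
        problems.append("SHOULD NOT: EAP-Request/Notification in Access-Accept/Reject")
    return problems


def notification_challenge(identifier: int, text: str, state: bytes) -> tuple:
    """The compliant way to show text during an EAP conversation: an
    Access-Challenge whose EAP-Message attributes carry the Notification,
    plus the State attribute the NAS echoes in its next Access-Request."""
    fragments = split_eap_message(eap_notification(identifier, text))
    attrs = [("EAP-Message", fragment) for fragment in fragments]
    attrs.append(("State", state))
    return ACCESS_CHALLENGE, attrs


if __name__ == "__main__":
    # Constructed Access-Reject mixing a Reply-Message with an EAP-Failure.
    bad = [("Reply-Message", "Account blocked for AUP violation"),
           ("EAP-Message", b"\x04\x07\x00\x04")]
    print(rfc3579_violations(ACCESS_REJECT, bad))
    print(rfc3579_violations(ACCESS_REJECT, strip_reply_message_if_eap(bad)))
    code, attrs = notification_challenge(9, "Account blocked for AUP violation", b"\x01")
    print(code, attrs, rfc3579_violations(code, attrs))
```

The checker reassembles every EAP-Message value before looking at the EAP header, because a long Notification spans several attributes and only the first fragment carries the Code and Type octets; a check that inspected one attribute at a time would miss, or misread, fragmented packets.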


Re: Reply-message and supplicant

2009-06-06 Thread Arran Cudbard-Bell

Alexander Clouter wrote:
> a.l.m.bu...@lboro.ac.uk wrote:
> > > No one in London wants to go to Sussex though and from my logs it does
> > > not look like anyone from Sussex wants to go to London either ;)
> > >
> > > If someone gives me something better to use in my RADIUS packets then
> > > I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune'
> > > together and see if anyone notices.
> > I've been having a look at such packets on the national proxy and wonder
> > if its because people are just blamming a reply-message in at an wrong
> > stage...eg during Auth? would a default entry in use users file or
> > SQL group reply table cause such wrongness? most likely.
>
> I have an entry in my 'users' file for if people insist on sending their
> username without a realm
... hmm that's pretty standard behaviour. We don't require FQUNs
either.  Though I have no idea why you still insist on using user files
for policies. There's this new fangled policy language you know :P
>   or mix inner/outer domains, insert other
> braindead-ness.  It's more for me whilst looking through my SQL logs,
> however I also slip into my Reply-Message a comment if the
> authentication attempt was against a test (non-production use) account.

Yeah that's fine... Just strip out the Reply-Message before you send the
packet.

> > crack-pipe question of the day:
> >
> > could reply messages be used with some smart server-end code to provide
> > a data communication channel? ie user A has code that attempts to use EAP
> > with special username coding...the remote server is designed
> > to throw responses in EAP messages...which the modified supplicant
> > on the client can then extract? this could tunnel traffic through
> > an 802.1X restricted network? in fact, is the inner EAP traffic limited
> > at all?  once the authentication outer layer is started i should be
> > able to just keep throwing data back/forward through that tube?

Wait are you talking about something really quite evil here? Like using
EAP as a VPN tunnel ?!?!

Arran


Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
Hi,

Is it possible that Reply-message can be seen from laptops running the supplicant?

Thanks in advance!
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell

Hi Sergio,


> Is it possible that Reply-message can be seen from laptops running the supplicant?


Not with EAP no. You can use EAP-Notification packets, but very few supplicants 
display the contents to the user, and the server doesn't support their 
generation.

Arran



Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi,
> Hi Sergio,
>
> > Is it possible that Reply-message can be seen from laptops running the
> > supplicant?
>
> Not with EAP no. You can use EAP-Notification packets, but very few
> supplicants display the contents to the user, and the server doesn't support
> their generation.

which is why rather useful messages can be sent from RADIUS server to RADIUS
server so that admins can see what is going on but the users don't get to
see such information

alan


Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5  a.l.m.bu...@lboro.ac.uk:
> Hi,
> > Hi Sergio,
> >
> > > Is it possible that Reply-message can be seen from laptops running the
> > > supplicant?
> >
> > Not with EAP no. You can use EAP-Notification packets, but very few
> > supplicants display the contents to the user, and the server doesn't support
> > their generation.
>
> which is why rather useful messages can be sent from RADIUS server to RADIUS
> server so that admins can see what is going on but the users don't get to
> see such information
>
> alan


Does the file attrs.access_reject have to do with what you are talking about?

-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -


Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi,

> Does the file attrs.access_reject have to do with what you are talking about?

in a way - that file lists the attributes that are allowed
to pass after an access reject - you still have to set e.g. the Reply-Message
*or some other VSA* to let the remote site know

alan


Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell

On 5/6/09 15:21, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> Hi Sergio,
>>
>>> Is it possible that Reply-Message can be seen from laptops running the supplicant?
>>
>> Not with EAP, no. You can use EAP-Notification packets, but very few supplicants
>> display the contents to the user, and the server doesn't support their
>> generation.
>
> which is why rather useful messages can be sent from RADIUS server to RADIUS
> server so that admins can see what is going on but the users don't get to
> see such information

No they can't. Reply-Messages are prohibited in packets containing EAP-Message
attributes.

Which is why I specified an alternate VSA :P

Arran



Re: Reply-message and supplicant

2009-06-05 Thread Sergio Belkin
2009/6/5  a.l.m.bu...@lboro.ac.uk:
> Hi,
>
>> Does the file attrs.access_reject have to do with what you are talking about?
>
> in a way - that file lists the attributes that are allowed
> to pass after an access reject - you still have to set e.g. the Reply-Message
> *or some other VSA* to let the remote site know
>
> alan


Sorry for the stupid question, what does EAP-Message =* ANY mean?




Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell

On 5/6/09 16:18, Sergio Belkin wrote:
> 2009/6/5 a.l.m.bu...@lboro.ac.uk:
>> Hi,
>>
>>> Does the file attrs.access_reject have to do with what you are talking about?
>>
>> in a way - that file lists the attributes that are allowed
>> to pass after an access reject - you still have to set e.g. the Reply-Message
>> *or some other VSA* to let the remote site know
>>
>> alan
>
> Sorry for the stupid question, what does EAP-Message =* ANY mean?

Allow any value for EAP-Message.

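Arran's one-line answer says what `=*` means; to show how such a rule list is applied to a reply, here is an added Python model (my example, not FreeRADIUS code) of attr_filter working through an attrs.access_reject-style rule set. The rule list is constructed to resemble the stock file, the reply attributes are constructed, and only the `=*` (any value) and `==` (exact value) operators are modelled. It also shows why deleting the Reply-Message line from that file, as suggested elsewhere in this archive, removes Reply-Message from every Access-Reject that passes through `attr_filter.access_reject`.

```python
"""Toy model of how FreeRADIUS attr_filter applies attrs.access_reject rules.

Added example for this thread; it is not FreeRADIUS code. The rule list is
constructed to resemble the stock attrs.access_reject file. Only two operators
are modelled: '=*' (keep the attribute whatever its value, i.e. the
'EAP-Message =* ANY' asked about) and '==' (keep it only when the value matches).
"""

ANY = object()  # sentinel standing in for the literal ANY on the right-hand side

# Constructed rule set modelled on the stock attrs.access_reject (assumption).
ACCESS_REJECT_RULES = [
    ("EAP-Message", "=*", ANY),
    ("Message-Authenticator", "=*", ANY),
    ("State", "=*", ANY),
    ("Reply-Message", "=*", ANY),
    ("MS-CHAP-Error", "=*", ANY),
    ("Proxy-State", "=*", ANY),
]


def rule_permits(rule, name, value):
    """True when a single (attribute, operator, value) rule lets this pair through."""
    rname, op, rvalue = rule
    if rname != name:
        return False
    if op == "=*":          # any value is acceptable
        return True
    if op == "==":          # only an exact value match is acceptable
        return rvalue == value
    raise ValueError(f"operator {op!r} not modelled")


def filter_reply(reply, rules):
    """Return the (name, value) pairs of `reply` that some rule permits.

    Attributes without a permitting rule are dropped, which is why deleting the
    Reply-Message line from attrs.access_reject removes Reply-Message from
    every Access-Reject filtered by attr_filter.access_reject.
    """
    return [(name, value) for name, value in reply
            if any(rule_permits(r, name, value) for r in rules)]


def without_attribute(rules, name):
    """Rule list with every rule for `name` removed (deleting a line from the file)."""
    return [r for r in rules if r[0] != name]


# Constructed Access-Reject reply list, as a module might leave it before filtering.
SAMPLE_REJECT = [
    ("EAP-Message", b"\x04\x01\x00\x04"),       # EAP-Failure, constructed bytes
    ("Message-Authenticator", b"\x00" * 16),    # placeholder value
    ("Reply-Message", "Group=NetWorkers"),      # the kind of value admins want gone
    ("Session-Timeout", 3600),                  # not allowed on a reject by these rules
]

if __name__ == "__main__":
    print(filter_reply(SAMPLE_REJECT, ACCESS_REJECT_RULES))
    print(filter_reply(SAMPLE_REJECT,
                       without_attribute(ACCESS_REJECT_RULES, "Reply-Message")))
```

The real module supports further operators (`:=`, `!=`, numeric comparisons and so on); they are deliberately left out here so the two forms that matter in this thread stand out.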


Re: Reply-message and supplicant

2009-06-05 Thread A . L . M . Buxey
Hi,

> No they can't. Reply-Messages are prohibited in packets containing
> EAP-Message attributes.

really? well... I guess if you believe in RFC 3579 and hope that everyone
read section 2.2 of that - invalid packet discussion - then you'd
hope so... however, I see tonnes of packets proxied through the NRPS
that have EAP-Message and Reply-Message in the same packet.

> Which is why I specified an alternate VSA :P

aye. Microsoft actually have a 'Reason-Code' that is interesting...

http://technet.microsoft.com/en-us/library/cc785145.aspx

alan
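To make the RFC 3579 point from the exchange above checkable, here is an added Python example (mine, not FreeRADIUS, NRPS or RFC code) that encodes a RADIUS reply in the RFC 2865 wire format, parses it back, and reports the two rules the discussion touches: Reply-Message must not share a packet with EAP-Message, and a packet carrying EAP-Message needs a Message-Authenticator. The packets are constructed; the authenticator and Message-Authenticator contents are zero placeholders and the HMAC is not verified here. A proxy operator who wants to know which upstream servers emit such packets could run the same check over forwarded replies and log the findings.

```python
"""Flag RFC 3579 attribute-combination problems in a RADIUS reply.

Added example, not FreeRADIUS/NRPS code. Wire format per RFC 2865: a 20-byte
header (code, identifier, length, 16-byte authenticator) followed by
type/length/value attributes. The two checks follow RFC 3579: Reply-Message is
not permitted alongside EAP-Message, and EAP-Message requires a
Message-Authenticator. Authenticator values here are constructed zeros.
"""
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 18, 79, 80
HEADER = struct.Struct("!BBH")  # code, identifier, length; then the 16-byte authenticator


def build_reply(code, identifier, avps, authenticator=b"\x00" * 16):
    """Serialise (type, value_bytes) pairs into a RADIUS packet."""
    body = b""
    for attr_type, value in avps:
        if len(value) > 253:  # one-byte length includes the 2 header bytes
            raise ValueError("attribute value too long for one AVP")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def parse_reply(packet):
    """Return (code, identifier, [(type, value_bytes), ...]) or raise on a malformed packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError("length field disagrees with packet size")
    avps, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        avps.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, avps


def rfc3579_problems(packet):
    """List the RFC 3579 violations found in a reply; an empty list means none."""
    code, _, avps = parse_reply(packet)
    present = {attr_type for attr_type, _ in avps}
    problems = []
    if code in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE) and EAP_MESSAGE in present:
        if REPLY_MESSAGE in present:
            problems.append("Reply-Message present in a packet carrying EAP-Message")
        if MESSAGE_AUTHENTICATOR not in present:
            problems.append("EAP-Message present without Message-Authenticator")
    return problems


# Constructed reject of the kind described above: EAP-Failure plus a Reply-Message.
EAP_FAILURE = b"\x04\x01\x00\x04"  # EAP code 4 (Failure), id 1, length 4
BAD_REJECT = build_reply(ACCESS_REJECT, 22, [
    (EAP_MESSAGE, EAP_FAILURE),
    (MESSAGE_AUTHENTICATOR, b"\x00" * 16),
    (REPLY_MESSAGE, b"Group=NetWorkers"),
])
CLEAN_REJECT = build_reply(ACCESS_REJECT, 22, [
    (EAP_MESSAGE, EAP_FAILURE),
    (MESSAGE_AUTHENTICATOR, b"\x00" * 16),
])

if __name__ == "__main__":
    print(rfc3579_problems(BAD_REJECT))    # one finding
    print(rfc3579_problems(CLEAN_REJECT))  # []
```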


Re: Reply-message and supplicant

2009-06-05 Thread Arran Cudbard-Bell

On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> No they can't. Reply-Messages are prohibited in packets containing EAP-Message
>> attributes.
>
> really? well... I guess if you believe in RFC 3579 and hope that everyone
> read section 2.2 of that - invalid packet discussion - then you'd
> hope so... however, I see tonnes of packets proxied through the NRPS
> that have EAP-Message and Reply-Message in the same packet.

None of them are coming from Sussex though :)

>> Which is why I specified an alternate VSA :P
>
> aye. Microsoft actually have a 'Reason-Code' that is interesting...
>
> http://technet.microsoft.com/en-us/library/cc785145.aspx

That is indeed interesting. Sent you an email off-list.

Arran


Re: Reply-message and supplicant

2009-06-05 Thread Alexander Clouter
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
> On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>>
>>> No they can't. Reply-Messages are prohibited in packets containing
>>> EAP-Message attributes.
>>
>> really? well... I guess if you believe in RFC 3579 and hope that everyone
>> read section 2.2 of that - invalid packet discussion - then you'd
>> hope so... however, I see tonnes of packets proxied through the NRPS
>> that have EAP-Message and Reply-Message in the same packet.
>
> None of them are coming from Sussex though :)

No one in London wants to go to Sussex though and from my logs it does
not look like anyone from Sussex wants to go to London either ;)

If someone gives me something better to use in my RADIUS packets then 
I'm game.  Meanwhile I keep meaning to glue 'exec' and 'fortune' 
together and see if anyone notices.

Cheers

-- 
Alexander Clouter
.sigmonster says: But this one goes to eleven.
-- Nigel Tufnel



insert something into reply message

2009-05-21 Thread Lajos Meszaros
Version 2.0.4
We use digest authentication. It works properly.
(with a little problem I will ask in another thread)

The essential part of the debug:
Thu May 21 09:41:17 2009 : Debug: ++[digest] returns ok
Thu May 21 09:41:17 2009 : Auth: Login OK: [...@10.14.2.10/via Auth-Type = 
DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10)

The reply message gets to client 10.14.1.5, but our system expects the
Session-Timeout in the reply.


How to insert Session-Timeout into the reply message?

I've read thoughtfully all parts of the configs where that parameter is
mentioned.
I've tried many - syntactically good and bad - config lines without
any success. Do I have a problem with reading?

Ludwig M.





Re: insert something into reply message

2009-05-21 Thread Ivan Kalik
> Version 2.0.4
> We use digest authentication. It works properly.
> (with a little problem I will ask in another thread)
>
> The essential part of the debug:
> Thu May 21 09:41:17 2009 : Debug: ++[digest] returns ok
> Thu May 21 09:41:17 2009 : Auth: Login OK: [...@10.14.2.10/via Auth-Type = DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10)
>
> The reply message gets to client 10.14.1.5, but our system expects the
> Session-Timeout in the reply.
>
> How to insert Session-Timeout into the reply message?

That's the radius.log file. You won't see any reply attributes there. Post the
output of radiusd -X and your user entry.

Ivan Kalik
Kalik Informatika ISP



Re: insert something into reply message

2009-05-21 Thread Lajos Meszaros
> Post the output of radiusd -X and your user entry.

The relevant part of the freeradius output is:
---
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type DIGEST
auth: type digest
+- entering group authenticate
rlm_digest: Converting Digest-Attributes to something sane...
Digest-Realm = tequet
Digest-Nonce = 4a1527742cb58a911390a13daeab535c71b92a74
Digest-URI = sip:
Digest-Method = INVITE
Digest-CNonce = 1242900340
Digest-Nonce-Count = 0001
Digest-QOP = auth
Digest-User-Name = user8
A1 = user8:tequet:pass8
A2 = INVITE:sip:
H(A1) = 1a2bb1fd4713741dbc8dcd841b2754c5
H(A2) = 4c2df2005737eb44dbf0c9993285dc46
KD = 1a2bb1fd4713741dbc8dcd841b2754c5:4a1527742cb58a911390a13daeab535c71b92a74:0001:1242900340:auth:4c2df2005737eb44dbf0c9993285dc46
EXPECTED 10c0611670df125d841de06019a0ecd7
RECEIVED 10c0611670df125d841de06019a0ecd7
++[digest] returns ok
Login OK: [...@10.14.2.10/via Auth-Type = DIGEST] (from client 10.14.1.5 port 0 cli 5...@10.14.2.10)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 199 to 10.14.1.5 port 40646
Finished request 0.
Going to the next request
--
The end of the users file (its other part is unchanged)
---
user0   Cleartext-Password := pass0

user8 Cleartext-Password := pass8

5...@10.14.2.10Cleartext-Password := pass8
-

Ludwig M.





Re: insert something into reply message

2009-05-21 Thread A . L . M . Buxey
Hi,

> How to insert Session-Timeout into the reply message?

use whatever method you want to insert it: PERL, unlang etc.

a simple 'fix' that would be global in this example:

for 2.1.x in section of sites-enabled/default

post-auth {

	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}

	update reply {
		Session-Timeout = 3600
	}
}


that should slap a 3600 second (1 hour) session-timeout to any reply


alan


Removing Reply-Message on failed authentication, was Re: NLTM_AUTH (PAP) and MS-CHAP2 together?

2009-03-10 Thread Mike Diggins


On Sun, 4 Jan 2009, Alan DeKok wrote:

> Mike Diggins wrote:
>> How do I stop it from sending the same Reply message when the user
>> enters an incorrect password. Right now the Reject responds like this:
>>
>> Sending Access-Reject of id 22 to 192.168.2.2 port 1025
>> Reply-Message = Group=NetWorkers
>
>  Use attr_filter to delete it.
>
>  Or, update the rules to add the Reply-Message in the post-auth section.

I'm just getting back to this problem. I'm lost as to how to implement
either of these solutions. To summarise, I want to either remove, or just
not send, any Reply-Message when the user fails authentication. Where
would I put this attr_filter to delete it, and what does the attr_filter
look like? I imagine this is documented, but I can't find the relevant
bits.


-Mike





Removing Reply-Message on failed authentication, was Re: NLTM_AUTH(PAP) and MS-CHAP2 together?

2009-03-10 Thread tnt
> I'm just getting back to this problem. I'm lost as to how to implement
> either of these solutions. To summarise, I want to either remove, or just
> not send, any Reply-Message when the user fails authentication. Where
> would I put this attr_filter to delete it, and what does the attr_filter
> look like? I imagine this is documented, but I can't find the relevant
> bits.
>
>>  Use attr_filter to delete it.

You don't have to put it - it's already there in Post-Auth-Type REJECT.
Just remove Reply-Message from the attrs.access_reject file.

>>  Or, update the rules to add the Reply-Message in the post-auth section.

Use unlang in Post-Auth-Type REJECT.

update reply {
	Reply-Message := "whatever"
}

Ivan Kalik
Kalik Informatika ISP



Re: Removing Reply-Message on failed authentication, was Re: NLTM_AUTH(PAP) and MS-CHAP2 together?

2009-03-10 Thread Mike Diggins


On Tue, 10 Mar 2009, t...@kalik.net wrote:

>> I'm just getting back to this problem. I'm lost as to how to implement
>> either of these solutions. To summarise, I want to either remove, or just
>> not send, any Reply-Message when the user fails authentication. Where
>> would I put this attr_filter to delete it, and what does the attr_filter
>> look like? I imagine this is documented, but I can't find the relevant
>> bits.
>>
>>>  Use attr_filter to delete it.
>
> You don't have to put it - it's already there in Post-Auth-Type REJECT.
> Just remove Reply-Message from the attrs.access_reject file.
>
>>>  Or, update the rules to add the Reply-Message in the post-auth section.
>
> Use unlang in Post-Auth-Type REJECT.
>
> update reply {
> 	Reply-Message := "whatever"
> }


That was easy ;)

Thanks,

-Mike


Re: reply message to rejected users

2009-01-30 Thread Alan DeKok
Alex M wrote:
> i'm trying to display a reply message to users whose passwords get rejected.
> so I setup the group and added my test user there. then i went to
> groupreply table and added reply message there.
> Now when I do my testing if the password is ok the message is displayed BUT
> if password is incorrect the message is not displayed.

  Read raddb/sites-available/default.  Look in the post-auth section
for the Post-Auth-Type Reject subsection.

  Alan DeKok.


Re: reply message to rejected users

2009-01-30 Thread Alex M
well i found that option in my config file but I can't find documentation in
man :(
How do I implement it with MySQL?
Thanks for help!

On Fri, Jan 30, 2009 at 5:05 AM, Alan DeKok al...@deployingradius.com wrote:

> Alex M wrote:
>> i'm trying to display a reply message to users whose passwords get rejected.
>> so I setup the group and added my test user there. then i went to
>> groupreply table and added reply message there.
>> Now when I do my testing if the password is ok the message is displayed BUT
>> if password is incorrect the message is not displayed.
>
>  Read raddb/sites-available/default.  Look in the post-auth section
> for the Post-Auth-Type Reject subsection.
>
>  Alan DeKok.


reply message to rejected users

2009-01-29 Thread Alex M
i'm trying to display a reply message to users whose passwords get rejected.
so I setup the group and added my test user there. then i went to groupreply
table and added reply message there.
Now when I do my testing if the password is ok the message is displayed BUT if
password is incorrect the message is not displayed.

I'm sure i did something wrong. So the question is: how do i display a message
to the user if their username gets rejected for any reason?

thanks for help!

Re: Changing Reply-Message for expired Password

2008-02-26 Thread Alan DeKok
Tim White wrote:
> I'm using Freeradius, with MySQL (rlm_sql) as the backend for Coova
> Chilli (and its JSON interface). Unfortunately, the reply-message
> when the password is expired, contains a newline at the end, which
> breaks chilli (due to the newline being in the JSON object, which
> breaks).

  Then Chillispot is buggy.  People have been putting newlines in
Reply-Message for well over a decade.

> I've now got the sources, and it appears to be in the src that the
> problem is.
> freeradius-1.1.7/src/main/auth.c:84
> 	"Password Has Expired\r\n",

  Yes.

> Looking at the 2.0.2 sources, I see the same problem, except I
> understand seeing as this code is in rlm_expiration now, that it can be
> overridden in config files.
> freeradius-2.0.2/src/modules/rlm_expiration/rlm_expiration.c:54
> 	NULL, "Password Has Expired\r\n"},

  Yes.

> So from my quick look, is there no way to fix this in 1.1.7 without
> recompiling freeradius? If not, anyone know of a package for 2.0.2 for
> Ubuntu?

  Download 2.0.2, and follow the instructions on the Wiki for building a
Debian package.

  Alan DeKok.
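The disagreement above is really about who is responsible for escaping: the attribute value is legal RADIUS, but a front end that splices it into JSON by string concatenation produces an invalid document. This added Python example (mine, not Coova Chilli's or FreeRADIUS's code) reproduces the failure with the literal quoted from auth.c and shows the two fixes available on the consuming side: serialise with a real JSON encoder, which escapes the control characters, or strip only the trailing CR/LF before use. `naive_json` is a constructed stand-in for the concatenation behaviour the post describes.

```python
"""Trailing CRLF in Reply-Message versus hand-assembled JSON.

Added example, not Coova Chilli or FreeRADIUS code. `naive_json` is a
constructed stand-in for a front end that concatenates the attribute into a
JSON string; `safe_json` uses the standard serialiser. A strict JSON parser
rejects raw control characters inside a string literal, so the naive form
breaks exactly as the thread describes.
"""
import json

EXPIRED_MESSAGE = "Password Has Expired\r\n"   # the literal quoted from auth.c above


def naive_json(reply_message):
    """String concatenation: the raw CR and LF land inside the JSON string literal."""
    return '{"message": "' + reply_message + '"}'


def safe_json(reply_message):
    """json.dumps escapes CR and LF as \\r and \\n, so the document stays well-formed."""
    return json.dumps({"message": reply_message})


def is_valid_json(text):
    """True if a strict parser (control characters in strings disallowed) accepts `text`."""
    try:
        json.loads(text)
        return True
    except ValueError:          # json.JSONDecodeError is a ValueError
        return False


def decode_message(text):
    """Parse a JSON document and return its "message" member."""
    return json.loads(text)["message"]


def clean_reply_message(reply_message):
    """Strip trailing CR/LF only; the body of the message is left untouched."""
    return reply_message.rstrip("\r\n")


if __name__ == "__main__":
    print(is_valid_json(naive_json(EXPIRED_MESSAGE)))   # False: broken document
    print(is_valid_json(safe_json(EXPIRED_MESSAGE)))    # True: escaped
    print(repr(clean_reply_message(EXPIRED_MESSAGE)))
```

The same reasoning applies to any other attribute a portal or web front end reflects into JSON, HTML or a log line: treat Reply-Message as untrusted text and encode it for the output context rather than relying on the RADIUS server to keep it free of awkward characters.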


Changing Reply-Message for expired Password

2008-02-24 Thread Tim White

$ freeradius -v
freeradius: FreeRADIUS Version 1.1.6, for host i486-pc-linux-gnu, built 
on Jun  8 2007 at 17:17:46


I'm using Freeradius, with MySQL (rlm_sql) as the backend for Coova
Chilli (and its JSON interface). Unfortunately, the reply-message when
the password is expired, contains a newline at the end, which breaks
chilli (due to the newline being in the JSON object, which breaks).
Short of recompiling Freeradius with the newlines removed, is there an
easier way to change this reply-message?


It appears in some versions of FreeRadius there is an rlm_expiration
module or something which allows it to be changed?


If I have to upgrade manually (using Ubuntu Server), then I'm sure I can
do that. But I'd rather not upgrade yet (seeing as everything other than
that is working, so I don't want to break other stuff for a minor breakage).


Thanks

Tim


Re: Changing Reply-Message for expired Password

2008-02-24 Thread Tim White

Phil Mayers wrote:
> Tim White wrote:
>> $ freeradius -v
>> freeradius: FreeRADIUS Version 1.1.6, for host i486-pc-linux-gnu,
>> built on Jun  8 2007 at 17:17:46
>>
>> I'm using Freeradius, with MySQL (rlm_sql) as the backend for Coova
>> Chilli (and its JSON interface). Unfortunately, the reply-message
>> when the password is expired, contains a newline at the end, which
>> breaks chilli (due to the newline being in the JSON object, which
>> breaks).
>> Short of recompiling Freeradius with the newlines removed, is there
>> an easier way to change this reply-message?
>
> Assuming you mean a radius Reply-Message attribute in the
> Access-Accept or Access-Reject, there are two possibilities:

Yes

> 1. You have put the newline in yourself, either in files
> (/etc/raddb/users) or the SQL/LDAP/other lookup
>
> 2. It's in there accidentally
>
> I'm going to take a wild guess and say you forgot the closing " in
> /etc/raddb/users i.e. you have:
>
> DEFAULT
> 	Reply-Message = "there will be a newline here

Firstly, I'm not using files at all, and as it's the Reply-Message for
when a password has expired, it's not going to be in /etc/raddb/users
anyway, as when a password has expired, the server replaces all the
Reply-Message attributes with its own. In this case, the one with the
newline.

> As advised in the docs and on this mailing list daily, run the server
> in debug mode (-X) to see where the newline is actually coming from.

I did that.


I've now got the sources, and it appears to be in the src that the
problem is.

freeradius-1.1.7/src/main/auth.c:84
	"Password Has Expired\r\n",

Looking at the 2.0.2 sources, I see the same problem, except I
understand seeing as this code is in rlm_expiration now, that it can be
overridden in config files.

freeradius-2.0.2/src/modules/rlm_expiration/rlm_expiration.c:54
	NULL, "Password Has Expired\r\n"},


So from my quick look, is there no way to fix this in 1.1.7 without
recompiling freeradius? If not, anyone know of a package for 2.0.2 for
Ubuntu?


Thanks

Tim


rlm_chap Reply-Message on Access-Reject

2008-01-23 Thread Spam Eater
Hello everyone,

Can anyone tell me if it is possible to send the Reply-Message attribute in
the Access-Reject packet when using rlm_chap?
Or any other rlm_* by the way...

Thank you.