On 6 Oct 2011, at 04:27, gary wrote:
Hi
One more question.
How about if user name is wrong? eg: send reply message user name not found
sql
if(notfound){
update reply {
Reply-Message = 'User-name not found'
}
}
Arran Cudbard-Bell
a.cudba...@freeradius.org
On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:
Hello,
How to add Reply-Message in freeradius? anyone advise me pls.
For example : I would like to send Your username or password is wrong
message to NAS if the someone to access to my freeradius via wrong password
from that NAS
On Wed, Oct 5, 2011 at 9:23 PM, Dagia Dorjsuren dagmi...@yahoo.com wrote:
Hello,
How to add Reply-Message in freeradius? anyone advise me pls.
post-auth {
...
update reply {
Reply-Message = Your message here\r\n
}
...
}
For example : I would like to send Your username or password
: Reply-Message in freeradius
On 5 Oct 2011, at 16:23, Dagia Dorjsuren wrote:
Hello, How to add Reply-Message in freeradius? anyone advise me pls.For
example : I would like to send Your username or password is wrong message to
NAS if the someone to access to my freeradius via wrong password
You've posted the RADIUS messages. But what about src/dst IP? Have
you verified that the packets you *think* are the same actually match
for src/dst IP, and src/dst port? If not, why not go check? That will
show you WHY the packets are different: they're not the same packet!
You're
sbcsgjm...@snkmail.com wrote:
Using freeradius 1.1.3.
Upgrade.
Im trying to get freeradius to return a helpful
reply-message in access-rejects to the NAS but the reply-message seems
to get stripped from the access-reject packet. Ive configured the
reply-message as below in
On 05/14/2011 11:28 AM, sbcsgjm...@snkmail.com wrote:
Hi,
Using freeradius 1.1.3. Im trying to get freeradius to return a helpful
reply-message in access-rejects to the NAS but the reply-message seems
to get stripped from the access-reject packet. Ive configured the
reply-message as below in
On 14/05/2011 12:55, Alan DeKok aland-at-deployingradius.com
|freeradius-mailinglist| wrote:
sbcsgjm...@snkmail.com wrote:
Using freeradius 1.1.3.
Upgrade.
My apologies, I made a mistake, the version is 2.1.7
Im trying to get freeradius to return a helpful
reply-message in
What is between the radius server and NAS? Something must be, because
it's modifying the packet. Do you have an intermediate proxy server?
No, but the packets are being sent over an OpenVPN tunnel.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sbcsgjm...@snkmail.com wrote:
Im confused, the Packet identifier is the same. Can you explain how you
know this. Thanks, much appreciated!
The packets are different. Go read them.
Find out what is modifying the packet *after* the RADIUS server sends
the reply. Look at the *rest* of the
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii
You can put an entry for the Reply
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type: text/plain; charset=us-ascii
You can put an entry for the Reply-Message attribute in the radreply
table.
For example, if you
Neville,您好!
so, security reasons. 8-(
1,modify the sql_escape_func(char *out, size_t outlen, const char
*in) in rlm_sql.c, but there is bad idea.
2, expand rlm_sql and db driver,support parameter binding , and skip
convert parameter.
=== 2010-01-18
You can put an entry for the Reply-Message attribute in the radreply table.
For example, if you want to send the message Hi Bob to user bob, you would
add this entry to radreply:
usernameattribute op value
bob Reply-Message
--
Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type
--
Message: 2
Date: Sat, 16 Jan 2010 13:15:58 -0800
From: Tim Sylvester tim.sylves...@networkradius.com
Subject: RE: Reply-Message
To: 'FreeRadius users mailing list'
freeradius-users@lists.freeradius.org
Message-ID: 4b522c99.101abc0a.1166.9...@mx.google.com
Content-Type
Hi,
Alternatively the 'smart server-end' could just send an Access-Accept :)
ah..but then things get logged and you have a session...and most likely then
a local address at the visited site and you'll then have to
use a VPN etc. with the nefarious way, all traffic is transmitted via the
home
#
# Make Reply-Message RFC3748 2.6.5 compliant
#
*
#
# Make Reply-Message RFC3579 2.6.5 compliant
#
Odd that the mime encoded GPG sig validates ok, but the in-line one
doesn't... I wonder what's going on there.
signature.asc
Description: OpenPGP digital
Arran Cudbard-Bell wrote:
This isn't actually mandated anywhere though is it? This is just random
vendor specific behaviour ?
IIRC, there's a suggestion to do this, but the actual cut-off number
is vendor-specific.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Hi,
IIRC, there's a suggestion to do this, but the actual cut-off number
is vendor-specific.
..and i guess this cutoff is reported as an EAP failure and therefore kit
configured to block/deny access will mean the eg the 3rd tunnel creation
will be the last for some time
alan
-
List
On 8/6/09 11:27, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
IIRC, there's a suggestion to do this, but the actual cut-off number
is vendor-specific.
..and i guess this cutoff is reported as an EAP failure and therefore kit
configured to block/deny access will mean the eg the 3rd tunnel creation
a.l.m.bu...@lboro.ac.uk wrote:
could reply messages be used with some smart server-end code to provide
a data communication channel? ie user A has code that attempts to use EAP
with special username coding...the remote server is designed
to throw responses in EAP messages...which the modified
A couple comments on this thread...
The problem with including Reply message text in EAP is that the Reply attribute comes in the Accept or Reject message, which will be carrying the EAP Success or Fail. EAP Success/Faillike a Reject doesn't carry attributes, so a Reply would have to be turned
hi,
ome useful information...however, people will be far more
likely to read your email if you send it as plain text
rather than HTML.
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 8/6/09 13:26, David Mitton wrote:
A couple comments on this thread...
The problem with including Reply message text in EAP is that the Reply
attribute comes in the Accept or Reject message, which will be carrying
the EAP Success or Fail. EAP Success/Fail like a Reject doesn't carry
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
On 8/6/09 13:26, David Mitton wrote:
A couple comments on this thread...
The problem with including Reply message text in EAP is that the Reply
attribute comes in the Accept or Reject message, which will be carrying
the EAP Success or
Hi,
on the client can then extract? this could tunnel traffic through
an 802.1X restricted network? in fact, is the inner EAP traffic limited
at all? once the authentication outer layer is started i should be
able to just keep throwing data back/forward through that tube?
Wait are you
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
Alexander Clouter wrote:
a.l.m.bu...@lboro.ac.uk wrote:
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If someone gives me something better to use
Hi,
on the client can then extract? this could tunnel traffic through
an 802.1X restricted network? in fact, is the inner EAP traffic limited
at all? once the authentication outer layer is started i should be
able to just keep throwing data back/forward through that tube?
Wait are
Alexander Clouter wrote:
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
Alexander Clouter wrote:
a.l.m.bu...@lboro.ac.uk wrote:
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
... hmm that's pretty standard behaviour. We don't require FQUNs
either. Though I have no idea why you still insist on using user files
for policies. There's this new fangled policy language you know :P
We *demand* it as otherwise
Arran Cudbard-Bell wrote:
There's no reason why you couldn't tunnel IPv4 so long as the packets
had a valid EAP header prepended to them. Send your EAP start, send the
identity response... then you can pretty much do whatever you like, so
long as it has a valid EAP header and the end server is
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
There's no reason why you couldn't tunnel IPv4 so long as the packets
had a valid EAP header prepended to them. Send your EAP start, send the
identity response... then you can pretty much do whatever you like, so
long as it has a valid EAP
Hi,
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If someone gives me something better to use in my RADIUS packets then
I'm game. Meanwhile I keep meaning to glue 'exec' and 'fortune'
together and
a.l.m.bu...@lboro.ac.uk wrote:
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If someone gives me something better to use in my RADIUS packets then
I'm game. Meanwhile I keep meaning to glue 'exec'
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
a.l.m.bu...@lboro.ac.uk wrote:
Hi,
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If someone gives me something better to use in my RADIUS packets then
I'm
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Alexander Clouter wrote:
a.l.m.bu...@lboro.ac.uk wrote:
No one in London wants to go to Sussex though and from my logs it does
not look like anyway from Sussex wants to go to London either ;)
If someone gives me something better to use in my
Hi Sergio,
Is possible that Reply-message can be seen from laptops running the supplicant?
Not with EAP no. You can use EAP-Notification packets, but very few supplicants
display the contents to the user, and the server doesn't support their
generation.
Arran
--
Arran Cudbard-Bell
Hi,
Hi Sergio,
Is possible that Reply-message can be seen from laptops running the
supplicant?
Not with EAP no. You can use EAP-Notification packets, but very few
supplicants display the contents to the user, and the server doesn't support
their generation.
which is why rather useful
2009/6/5 a.l.m.bu...@lboro.ac.uk:
Hi,
Hi Sergio,
Is possible that Reply-message can be seen from laptops running the
supplicant?
Not with EAP no. You can use EAP-Notification packets, but very few
supplicants display the contents to the user, and the server doesn't support
their
Hi,
Does file attrs.access_reject has to with you are talking about?
in a way - that file lists the attributes that are allowed
to pass after an access reject - you still have to set eg the Reply-Message
*or some other VSA* to let the remote site know
alan
-
List info/subscribe/unsubscribe?
On 5/6/09 15:21, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Hi Sergio,
Is possible that Reply-message can be seen from laptops running the supplicant?
Not with EAP no. You can use EAP-Notification packets, but very few supplicants
display the contents to the user, and the server doesn't support
2009/6/5 a.l.m.bu...@lboro.ac.uk:
Hi,
Does file attrs.access_reject has to with you are talking about?
in a way - that file lists the attributes that are allowed
to pass after an access reject - you still have to set eg the Reply-Message
*or some other VSA* to let the remote site know
On 5/6/09 16:18, Sergio Belkin wrote:
2009/6/5a.l.m.bu...@lboro.ac.uk:
Hi,
Does file attrs.access_reject has to with you are talking about?
in a way - that file lists the attributes that are allowed
to pass after an access reject - you still have to set eg the Reply-Message
*or some other
Hi,
No they can't. Reply-Messages are prohibited in packets containing
EAP-Message attributes.
really? well...I guess if you believe in RFC 3579 and hope that everyone
read section 2.2 of that - invalid packet discussion then you'd
hope so... however, I see tonnes of packets proxied through
On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
No they can't. Reply-Messages are prohibited in packets containing EAP-Message
attributes.
really? well...I guess if you believe in RFC 3579 and hope that everyone
read section 2.2 of that - invalid packet discussion then you'd
hope so...
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote:
On 5/6/09 19:10, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
No they can't. Reply-Messages are prohibited in packets containing
EAP-Message attributes.
really? well...I guess if you believe in RFC 3579 and hope that everyone
read section 2.2 of
Alex M wrote:
i'm trying to display reply message to users whos passwords get rejected.
so I setup the group and added my test user there. then i went to
groupreply table and added reply message there.
Now when I do my testing is password is ok the message is displayed BUT
if password is
well i found that option in my config file but I cant find documentation in
man :(
How do I implement with MySQL?
Thanks for help!
On Fri, Jan 30, 2009 at 5:05 AM, Alan DeKok al...@deployingradius.comwrote:
Alex M wrote:
i'm trying to display reply message to users whos passwords get
Lucas Aimaretto [EMAIL PROTECTED] wrote:
I'm willing to send a reply-message when access-reject occurs. The thing
is that, if authorize_check_query fails ( ie: user is not found) , then
authorize_reply_query is not called. So, I do not know how to send back
a Reply-Message Attribute if
I'm willing to send a reply-message when access-reject occurs. The
thing is that, if authorize_check_query fails ( ie: user is
not found) then authorize_reply_query is not called. So, I do not
know how to send back a Reply-Message Attribute if
authorize_reply_query is not executed.
Hi,
since no one answers I'll answer myself :-)
in my setup I use TTLS-PAP to authenticate users (which works perfectly).
Now I have setup a test user to enable some keepalive checking for the
server. I use MySQL as backend and have put a Reply-Message attribute in
radreply. It gets picked
Hi!
i would like to have a notification when a client is proxied to a
realm. is it possible ?
It sure is. You can use the pre-proxy {} section and do whatever you like
there. For example an exec instance that executes a script of your choice. It
all depends on what you mean with
On Thu, 7 Oct 2004, EROS wrote:
Hi,
How changing the Reply-Message when a user reach the max-monthly-limit
of his account ?
now I have this message from the radius :
Sending Access-Reject of id 22 to 192.168.200.101:1482
Reply-Message = Your maximum monthly usage time has been
I was told to change as little as possible in the configuration files and PEAP/MSCHAPv2 using Microsoft's 802.1x client with and LDAP backend DB would work fine. This is not the case and I would appreciate any suggestions on what to modify to make this work. The only portion of
Christopher Price [EMAIL PROTECTED] wrote:
I was told to change as little as possible in the configuration files
and PEAP/MSCHAPv2 using Microsoft's 802.1x client with and LDAP backend
DB would work fine. This is not the case and I would appreciate any
suggestions on what to modify to make
Here is the full output after I uncommented the tls and peap sections in eap.conf. I still seems to have a problem
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file:
Christopher Price [EMAIL PROTECTED] wrote:
Here is the full output after I uncommented the tls and peap sections in
eap.conf. I still seems to have a problem
Ok
Module: Loaded eap
eap: default_eap_type = md5
So... are you using PEAP or not?
rlm_eap: processing type md5
PS [EMAIL PROTECTED] wrote:
It's not essential for me, but my intention was to supply some
customized message (based on language etc) on accounting-stop saying
something like 1.35$ usd has been deducted from your account,
current ballance is 2.59$ usd. Thank you, hope to see you very soon
:))
PS [EMAIL PROTECTED] wrote:
It's not essential for me, but my intention was to supply some
customized message (based on language etc) on accounting-stop saying
something like 1.35$ usd has been deducted from your account,
current ballance is 2.59$ usd. Thank you, hope to see you very soon
:))
61 matches
Mail list logo