On Mon, 8 Jul 2002, Alan DeKok wrote:
> Thomas Jalsovsky <[EMAIL PROTECTED]> wrote:
> > Cisco IVR uses return VSAs in access-reject messages. By the RFC, a
> > RADIUS access-reject message has to have only one attribute, therefore you
> > have to look into the code and hack the server to send access-reject
> > packets to the Cisco NAS (not compatible with RFC).
>
> No, the RFC's (and FreeRADIUS) allow Vendor-Specific attributes in
> Access-Reject packets.
Sorry, I'm confused.
radiusd.c:

        /*
         *      Authentication REJECT's can have only
         *      EAP-Message, Message-Authenticator
         *      Reply-Message and Proxy-State.
         *
         *      We delete everything other than these.
         *      Proxy-State is added below, just before the
         *      reply is sent.
         */
auth.c:

        /*
         *      Error. radius_exec_program() returns -1 on
         *      fork/exec errors, or >0 if the exec'ed program
         *      had a non-zero exit status.
         */
        if (user_msg == NULL)
                user_msg = "\r\nAccess denied (external check failed).";
        request->reply->code = PW_AUTHENTICATION_REJECT;
        pairfree(&request->reply->vps);
        tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
        request->reply->vps = tmp;
        rad_authlog("Login incorrect (external check failed)", request, 0);
So, if my perl script returns a non-zero value (I reject the user), the
radius server sends back PW_AUTHENTICATION_REJECT with only one attribute:
Reply-Message. Where are the mentioned VSAs?
Regards,
Thomas
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
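The two code paths Thomas quotes above, as an added example that is not part of the original message and not FreeRADIUS's own code: the generic Access-Reject filter described in the radiusd.c comment (keep only EAP-Message, Message-Authenticator, Reply-Message and Proxy-State, delete everything else) and the external-check failure path in auth.c (free the whole reply list and replace it with a single Reply-Message). The vp_t list, the function names and the sample reply are hypothetical stand-ins for the server's VALUE_PAIR handling; the attribute type numbers are the real ones from RFC 2865 and RFC 2869. Note that RFC 2865's attribute table permits Vendor-Specific in an Access-Reject, so the stripping shown here is the server's policy at the time, not an RFC requirement, which is exactly why a Cisco VSA queued for a reject never reaches the NAS on this path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RADIUS attribute type numbers, from RFC 2865 and RFC 2869. */
enum {
    ATTR_USER_NAME             = 1,
    ATTR_REPLY_MESSAGE         = 18,
    ATTR_VENDOR_SPECIFIC       = 26,
    ATTR_PROXY_STATE           = 33,
    ATTR_EAP_MESSAGE           = 79,
    ATTR_MESSAGE_AUTHENTICATOR = 80
};

/* Hypothetical stand-in for a reply attribute list; this is not
 * FreeRADIUS's VALUE_PAIR, just enough to show the filtering policy. */
typedef struct vp {
    int attr;
    char value[64];
    struct vp *next;
} vp_t;

/* Append an attribute to the end of the list. */
static vp_t *vp_add(vp_t **head, int attr, const char *value)
{
    vp_t *nv = calloc(1, sizeof *nv);
    if (nv == NULL) return NULL;
    nv->attr = attr;
    snprintf(nv->value, sizeof nv->value, "%s", value);
    while (*head) head = &(*head)->next;
    *head = nv;
    return nv;
}

/* Free every attribute and leave the list empty. */
static void vp_free(vp_t **head)
{
    while (*head) {
        vp_t *cur = *head;
        *head = cur->next;
        free(cur);
    }
}

static int vp_count(const vp_t *head)
{
    int n = 0;
    for (; head; head = head->next) n++;
    return n;
}

static int vp_has(const vp_t *head, int attr)
{
    for (; head; head = head->next)
        if (head->attr == attr) return 1;
    return 0;
}

/* The policy in the radiusd.c comment: an Access-Reject keeps only
 * EAP-Message, Message-Authenticator, Reply-Message and Proxy-State.
 * Everything else, including Vendor-Specific, is deleted.
 * Returns the number of attributes dropped. */
static int reject_filter(vp_t **head)
{
    int dropped = 0;
    while (*head) {
        vp_t *cur = *head;
        switch (cur->attr) {
        case ATTR_EAP_MESSAGE:
        case ATTR_MESSAGE_AUTHENTICATOR:
        case ATTR_REPLY_MESSAGE:
        case ATTR_PROXY_STATE:
            head = &cur->next;      /* allowed: keep it and move on */
            break;
        default:
            *head = cur->next;      /* not allowed: unlink and free */
            free(cur);
            dropped++;
            break;
        }
    }
    return dropped;
}

/* The auth.c path: the external program failed, so the whole reply list
 * is freed and replaced by a single Reply-Message. */
static void reject_external_failure(vp_t **head, const char *user_msg)
{
    if (user_msg == NULL)
        user_msg = "\r\nAccess denied (external check failed).";
    vp_free(head);
    vp_add(head, ATTR_REPLY_MESSAGE, user_msg);
}

/* Constructed sample reply: what modules might have queued before the
 * reject decision. The VSA value is a placeholder, not a real Cisco VSA. */
static vp_t *sample_reply(void)
{
    vp_t *r = NULL;
    vp_add(&r, ATTR_USER_NAME, "bob");
    vp_add(&r, ATTR_VENDOR_SPECIFIC, "cisco-avpair=placeholder");
    vp_add(&r, ATTR_REPLY_MESSAGE, "denied");
    vp_add(&r, ATTR_PROXY_STATE, "proxy-1");
    return r;
}

int main(void)
{
    vp_t *reply = sample_reply();
    int dropped = reject_filter(&reply);
    printf("generic reject: dropped %d, %d remain, VSA present: %d\n",
           dropped, vp_count(reply), vp_has(reply, ATTR_VENDOR_SPECIFIC));

    reject_external_failure(&reply, NULL);
    printf("external check failed: %d attribute(s), Reply-Message present: %d\n",
           vp_count(reply), vp_has(reply, ATTR_REPLY_MESSAGE));
    vp_free(&reply);
    return 0;
}
```

Running it shows the two outcomes side by side: the generic filter keeps Reply-Message and Proxy-State and drops User-Name and the VSA, while the external-check failure path leaves exactly one attribute regardless of what was queued.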