> How can I add default Reply-Message to the situation where
Access-Reject was sent because of incorrect password?
> I looked at the user's file but it seams that I have no way to
determine if access-accept or reject was sent... it only has example how
to send the message to a reject > group.
If you're using LDAP, it already creates a Module-Failure-Message
request attribute upon failure. Also, I submitted bug 398 which Alan
incorporated into CVS head to provide the same functionality for MS-CHAP
(I assume this will be in FR 1.1.4). You could execute a Perl script in
a reject section of post_auth that looks for this request attribute and,
if found, set the Reply-Message reply attribute. If you're using a
different authentication method, it may be possible to change the code
to accomplish what you want. As someone else pointed out, it's not a
good idea to tell someone they entered the wrong password as it makes
brute-force password attacks easier (because you're telling them the
userid is valid). I believe ntlm_auth gives a generic (invalid userid
or password) response to a bad password. If the response you see is too
specific, you may want to obfuscate it..
Here's an example of what you would put in radiusd.conf (this assumes
you have a sub in your perl script called post_auth_reject):
modules {
.
.
.
perl set_reject_message {
module = /usr/local/etc/raddb/set_reject_message.pl
func_post_auth = post_auth_reject
}
.
.
.
}
.
.
.
post-auth {
Post-Auth-Type REJECT {
set_reject_message
}
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
