Ok, I got the idea of how to initiate the script on a reject event, but what should go in post_auth_reject.pl? I have absolutely no experience with Perl. I probably would be able to figure out something but I'm not sure how. I assume I would listen for something like: if username exists, if username exists and password is incorrect. Still, I have no idea how to do this :-(
_____

From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On Behalf Of Garber, Neal
Sent: Friday, December 01, 2006 10:40 AM
To: FreeRadius users mailing list
Subject: RE: DEFAULT access-reject Reply-Message

> How can I add default Reply-Message to the situation where Access-Reject was sent because of incorrect password?
> I looked at the user's file but it seems that I have no way to determine if access-accept or reject was sent. It only has an example of how to send the message to a reject
> group.

If you're using LDAP, it already creates a Module-Failure-Message request attribute upon failure. Also, I submitted bug 398 which Alan incorporated into CVS head to provide the same functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could execute a Perl script in a reject section of post_auth that looks for this request attribute and, if found, set the Reply-Message reply attribute. If you're using a different authentication method, it may be possible to change the code to accomplish what you want.

As someone else pointed out, it's not a good idea to tell someone they entered the wrong password as it makes brute-force password attacks easier (because you're telling them the userid is valid). I believe ntlm_auth gives a generic (invalid userid or password) response to a bad password. If the response you see is too specific, you may want to obfuscate it.

Here's an example of what you would put in radiusd.conf (this assumes you have a sub in your perl script called post_auth_reject):

    modules {
        . . .
        perl set_reject_message {
            module = /usr/local/etc/raddb/set_reject_message.pl
            func_post_auth = post_auth_reject
        }
        . . .
    }
    . . .
    post-auth {
        Post-Auth-Type REJECT {
            set_reject_message
        }
    }
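One possible set_reject_message.pl for the configuration quoted above, added here as an example and not code from the thread or from the FreeRADIUS project. It uses the standard rlm_perl hashes and return codes; the reply text, the log line format and the handling of multi-valued attributes are assumptions. The specific failure reason is logged on the server only, and the client always receives the same generic message.

```perl
# set_reject_message.pl - called from Post-Auth-Type REJECT via rlm_perl.
use strict;
use warnings;

# rlm_perl populates these hashes for every request.
use vars qw(%RAD_REQUEST %RAD_REPLY %RAD_CHECK);

# Return codes and log level as defined in the rlm_perl example script.
use constant RLM_MODULE_NOOP    => 7;   # nothing changed
use constant RLM_MODULE_UPDATED => 8;   # reply attributes were modified
use constant L_INFO             => 3;

# Assumption: one fixed text for every kind of failure, so the reply
# never reveals whether the user name exists.
my $GENERIC_MESSAGE = 'Invalid user name or password';

sub post_auth_reject {
    # Set by the authentication module (e.g. LDAP) when it fails.
    my $reason = $RAD_REQUEST{'Module-Failure-Message'};
    return RLM_MODULE_NOOP unless defined $reason;

    # Assumption: a multi-valued attribute may arrive as an array ref.
    $reason = join('; ', @$reason) if ref $reason eq 'ARRAY';

    # User-Name comes from the client: strip non-printable bytes so it
    # cannot forge or break log lines.
    my $user = $RAD_REQUEST{'User-Name'};
    $user = '(none)' unless defined $user;
    $user =~ s/[^\x20-\x7e]/?/g;

    # Keep the detailed reason on the server side only. radlog is
    # provided by radiusd, so guard the call for stand-alone syntax checks.
    if (defined &radiusd::radlog) {
        radiusd::radlog(L_INFO, "reject for [$user]: $reason");
    }

    $RAD_REPLY{'Reply-Message'} = $GENERIC_MESSAGE;
    return RLM_MODULE_UPDATED;
}

1;
```

Running `perl -c set_reject_message.pl` checks the syntax before radiusd is restarted.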