Need info about Reply-Message configuration in Access-Reject


Need info about Reply-Message configuration in Access-Reject

Vishwanath Srikant Pattanshetti

Hi all

Following is my setup:

I have a FreeRADIUS server (1.0.4) on a Solaris machine.

My clients and users information are stored in an Oracle database.

If an Access-Request is rejected, it can be for two reasons:

  1. Wrong password.
  2. User does not exist in RADIUS server database.

I want to send appropriate messages in Access-Reject packets to the client.

Can someone tell me how I can configure a Reply-Message for an Access-Reject packet?

I tried putting Reply-Message along with other reply items for a user, but this configures Reply-Message only for the Access-Accept message.

Also, when the user does not exist in the database, is there a way I can add an appropriate message using a Reply-Item to the Access-Reject packet? Or is it not possible with current FreeRADIUS?

In addition to the above, I need to set up an external RADIUS server to which I need to proxy Access-Requests. If such an external RADIUS server is down when an Access-Request is proxied to it, then my primary RADIUS server would need to generate an Access-Reject packet (after retries). Is there a way I can specify a Reply-Item in any such Access-Reject packet? Or is it not possible with the current implementation of FreeRADIUS?

Any quick help would be of great help.

Thanks in advance.

Regards.

-Vishwa.



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html

Re: Need info about Reply-Message configuration in Access-Reject

Joe Maimon


Vishwanath Srikant Pattanshetti wrote:

> Hi all
>
>  
>
> Following is my setup:
>
> I have a FreeRADIUS server (1.0.4) on a solaris machine.
>
> My clients and users information are stored in Oracle database.
>
>  
>
> If an Access-request is rejected, it can be for two reasons:
>
>    1. Wrong password.
>    2. User does not exist in RADIUS server database.
>
> I want to send appropriate messages in Access-Reject packets, to the
> client.
>
> Can some one tell me how can I configure a Reply-Message for an
> Access-Reject packet?


If in your users file you set the reply message, it will be returned
even if the user did not authenticate correctly.


>
> I tried putting Reply-Message along with other reply items for a user,
> but this configures Reply-Message
>
> only for Access-Accept message.
>
>

Use fall-through, or a DEFAULT at the bottom of the users file.

Don't know offhand how you will be able to tell the differences in why
the reject happened. Not sure you would want to -- it could be helpful
for those attempting to brute force your system.

Please consider this FAQ entry before you spend more time and effort on
the Reply-Message attribute:

http://www.freeradius.org/faq/#5.1

>
> Also when the user does not exist in the database, is there a way I can
> add appropriate message using
>
> Reply-Item to the Access-Reject packet? Or is it not possible with
> current FreeRADIUS?
>


Modify the sql string to return either the users attributes or the
reply-message attribute.

>  
>
> In addition to the above I need to setup an external RADIUS server to
> which I need to proxy Access-Requests.
>
> If such an external RADIUS server down, when an Access-Request is
> proxied to it, then my primary RADIUS server
>
> Would need to generate a Access-Reject packet(after retries), is there a
> way I can specify a Reply-Item in any such  

Yes, you can match on the realm.

The question becomes how you ensure the reply-messages aren't sent
when the login is successful.

>
> Access-Reject packet?? Or is it not possible with current implementation
> of FreeRADIUS.
>
>  
>
> Any quick help would be of great help
>
>  

You're probably wasting your time with the Reply-Message attribute; it's
mostly useful for debugging.

>
> Thanks in advance.
>
> Regards.
>
> -Vishwa.
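Added example (constructed for this thread, not code from either poster or from the FreeRADIUS project): the tail of a FreeRADIUS 1.x "users" file showing the DEFAULT-at-the-bottom approach for the "user does not exist" case, with a single generic Reply-Message so the reject does not reveal the reason. It assumes the "files" module is the authorization source for these requests (a SQL module is not also setting Auth-Type for them); the user name and password are placeholders.

```text
# Tail of a FreeRADIUS 1.x "users" file (constructed example, not from the
# thread).  Assumes the users listed here are the authorization source, i.e.
# the "files" module runs in authorize {} and a SQL module is not also
# setting Auth-Type for the same requests; the DEFAULT line below would
# otherwise reject users that SQL had found.

# A known user ("alice" and the password are placeholders).  There is no
# Fall-Through, so a matching User-Name stops here and a successful login
# never picks up the Reply-Message from the DEFAULT entry below.
alice   Auth-Type := Local, User-Password == "placeholder-password"
        Service-Type = Framed-User

# Catch-all for every User-Name not matched above, i.e. the "user does
# not exist" case.  It forces an Access-Reject and attaches one generic
# Reply-Message.  The wording deliberately does not say why access was
# denied: a message like "no such user" would let a password-guessing
# client learn which accounts exist, the point raised in the reply above.
DEFAULT Auth-Type := Reject
        Reply-Message = "Access denied."

# Limitation: when alice sends a wrong password, her reject is produced by
# her own entry, which carries no Reply-Message (adding one there would
# also appear in her Access-Accept).  Only the unknown-user reject gets the
# text above; keeping it generic still avoids naming the reason.
```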