This is a discussion on RE: DEFAULT access-reject Reply-Message within the FreeRADIUS Users forums, part of the Networking and Network Related category.
> How can I add a default Reply-Message to the situation where Access-Reject was sent because of an incorrect password?
> I looked at the users file but it seems that I have no way to determine if access-accept or reject was sent... it only has an example of how to send the message to a reject
> group.

If you're using LDAP, it already creates a Module-Failure-Message request attribute upon failure. Also, I submitted bug 398 which Alan incorporated into CVS head to provide the same functionality for MS-CHAP (I assume this will be in FR 1.1.4). You could execute a Perl script in a reject section of post_auth that looks for this request attribute and, if found, set the Reply-Message reply attribute. If you're using a different authentication method, it may be possible to change the code to accomplish what you want.

As someone else pointed out, it's not a good idea to tell someone they entered the wrong password as it makes brute-force password attacks easier (because you're telling them the userid is valid). I believe ntlm_auth gives a generic (invalid userid or password) response to a bad password. If the response you see is too specific, you may want to obfuscate it.

Here's an example of what you would put in radiusd.conf (this assumes you have a sub in your perl script called post_auth_reject):

modules {
    ...
    perl set_reject_message {
        module = /usr/local/etc/raddb/set_reject_message.pl
        func_post_auth = post_auth_reject
    }
    ...
}
...
post-auth {
    Post-Auth-Type REJECT {
        set_reject_message
    }
}
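A matching set_reject_message.pl, written here as an added illustration (it is not code from the poster or from the FreeRADIUS project). It assumes the rlm_perl conventions of the %RAD_REQUEST and %RAD_REPLY hashes, the return codes from FreeRADIUS' example.pl and the radiusd::radlog logging function, and it follows the advice above: the specific Module-Failure-Message is logged server-side only, and the client gets one generic message regardless of the cause.

```perl
# set_reject_message.pl: hypothetical rlm_perl script for Post-Auth-Type REJECT
use strict;
use warnings;

# Attribute hashes that rlm_perl populates in this package for each request
use vars qw(%RAD_REQUEST %RAD_REPLY);

# rlm_perl return codes (same numbering as FreeRADIUS' example.pl)
use constant RLM_MODULE_NOOP    => 7;
use constant RLM_MODULE_UPDATED => 8;

# Text sent back to the client for every authentication failure. The real
# cause stays in the server log, so a caller cannot tell "unknown user"
# apart from "wrong password".
my $GENERIC_MSG = 'Authentication failed: invalid user name or password';

sub post_auth_reject {
    my $detail = $RAD_REQUEST{'Module-Failure-Message'};

    # No failure detail from the auth module (e.g. a method that does not
    # set the attribute): leave the reply untouched.
    return RLM_MODULE_NOOP unless defined $detail;

    # rlm_perl hands multi-valued attributes over as an array reference
    $detail = join('; ', @$detail) if ref $detail eq 'ARRAY';
    return RLM_MODULE_NOOP unless length $detail;

    my $user = defined $RAD_REQUEST{'User-Name'} ? $RAD_REQUEST{'User-Name'} : '?';

    # Keep the specific reason server-side only (radlog is exported by rlm_perl)
    &radiusd::radlog(1, "reject for user '$user': $detail");

    # Only the obfuscated message goes on the wire
    $RAD_REPLY{'Reply-Message'} = $GENERIC_MSG;
    return RLM_MODULE_UPDATED;
}

1;
```

Returning RLM_MODULE_UPDATED tells the server that the reply list was modified, so the Reply-Message attribute is included in the Access-Reject that is already on its way out.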