Grase Hotspot

Meaningful Reply-Message for Access-Reject

See the in-depth post at http://tim.purewhite.id.au/2011/04/coova-chilli-freeradius-reply-message/

Basically, the FreeRADIUS sql and sql_counter modules don’t give the most meaningful Reply-Message (if any). Here are snippets of configuration that produce more meaningful messages.

/etc/freeradius/sites-available/default
    authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
            ok = return
        }
        # Assign priorities to these return codes so that a reject does not
        # end the section before the tests below run
        sql {
            notfound = 1
            reject = 2
        }
        # Same message for both cases, so the reply does not reveal which check failed
        if (notfound) {
            update reply {
                Reply-Message := "Login Failed. Please check your Username and Password"
            }
            reject
        }
        if (reject) {
            update reply {
                Reply-Message := "Login Failed. Please check your Username and Password"
            }
            reject
        }
        expiration {
            userlock = 1
        }
        if (userlock) {
            update reply {
                Reply-Message := "Your account has expired, %{User-Name}"
            }
            reject
        }
        logintime
        # sql_counter instance for the data (bandwidth) limit
        noresetBytecounter {
            reject = 1
        }
        if (reject) {
            update reply {
                Reply-Message := "You have reached your bandwidth limit"
            }
            reject
        }
        # sql_counter instance for the time limit
        noresetcounter {
            reject = 1
        }
        if (reject) {
            update reply {
                Reply-Message := "You have reached your time limit"
            }
            reject
        }
        pap
    }
    post-auth {
        sql
        exec
        Post-Auth-Type REJECT {
            update reply { # Fallback error message
                Reply-Message = "Login Failed. Please check your username and password"
            }
            attr_filter.access_reject
        }
    }

(When testing for notfound and reject, you can give more specific error messages if you wish. However, this can lead to abuse of the system if, for example, it tells the user that the username is valid but the password isn’t.)
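The caveat above can be checked mechanically before a configuration change goes live. The following is an added example, not code from the original page or the Grase project: it parses an authorize section in the layout shown above and reports when the notfound and reject branches that follow sql send different Reply-Message text. The function names and the sample configuration are constructed for illustration.

```python
import re

# Matches either a module call with an override block ("sql {") or an
# 'if (rcode) { update reply { Reply-Message := "..."' branch.
TOKEN = re.compile(
    r'^\s*(?P<module>[\w.-]+)[ \t]*\{'
    r'|^\s*if\s*\(\s*(?P<rcode>\w+)\s*\)\s*\{\s*update\s+reply\s*\{'
    r'\s*Reply-Message\s*:?=\s*"(?P<msg>[^"]*)"',
    re.MULTILINE)

def reply_messages(config):
    """Return (module, rcode, message) for every 'if (rcode)' branch,
    attributing each branch to the module block that precedes it."""
    found, module = [], None
    for m in TOKEN.finditer(config):
        if m.group("module"):
            module = m.group("module")
        else:
            found.append((module, m.group("rcode"), m.group("msg")))
    return found

def credential_oracle(config, module="sql"):
    """Distinct messages for the module's notfound/reject branches; a
    non-empty result means the reply reveals which check failed."""
    msgs = {msg for mod, rcode, msg in reply_messages(config)
            if mod == module and rcode in ("notfound", "reject")}
    return sorted(msgs) if len(msgs) > 1 else []

def sample(notfound_msg, reject_msg):
    """Constructed authorize section in the layout used on this page."""
    branch = 'if(%s){\nupdate reply {\nReply-Message := "%s"\n}\nreject\n}\n'
    return ("authorize {\nsql{\nnotfound = 1\nreject = 2\n}\n"
            + branch % ("notfound", notfound_msg)
            + branch % ("reject", reject_msg)
            + "noresetcounter{\nreject = 1\n}\n"
            + branch % ("reject", "You have reached your time limit")
            + "pap\n}\n")

if __name__ == "__main__":
    same = "Login Failed. Please check your Username and Password"
    print(credential_oracle(sample(same, same)))
    print(credential_oracle(sample("Unknown username", "Wrong password")))
```

The comparison is byte-exact, so messages that differ only in capitalisation or punctuation are reported as distinct.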
