Grase Hotspot

Meaningful Reply-Message for Access-Reject

Meaningful Reply-Message for Access-Reject

See the indepth post at http://tim.purewhite.id.au/2011/04/coova-chilli-freeradius-reply-message/

Basically, FreeRadius sql and sql_counter modules don’t give the most meaningful Reply-Message (if any). Here are snippits of code that bring more meaningful messages.

/etc/freeradius/sites-available/default
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    sql{
        notfound = 1
        reject = 2
    }
    if(notfound){
        update reply {
            Reply-Message := "Login Failed. Please check your Username and Password"
        }
        reject
    }


    if(reject){
        update reply {
            Reply-Message := "Login Failed. Please check your Username and Password"
        }
        reject
    }   


    expiration{
        userlock = 1
    }
    if(userlock){
            update reply {
                    Reply-Message := "Your account has expired, %{User-Name}"
            }
            reject
    }


    logintime


    noresetBytecounter{
        reject = 1
    }
    if(reject){
            update reply {
                    Reply-Message := "You have reached your bandwidth limit"
            }
            reject
    }


    noresetcounter{
        reject = 1
    }
    if(reject){
            update reply {
                    Reply-Message := "You have reached your time limit"
            }
            reject
    }


    pap
}


post-auth {
    sql
    exec
    Post-Auth-Type REJECT {
        update reply { # Fallback error message
            Reply-Message = "Login Failed. Please check your username and password"
        }
        attr_filter.access_reject
    }
}

(Where testing for notfound and reject, you can give more specific error messages if you wish, however this can lead to abuse of the system if for example it tells them the username is valid but the password isn’t.)

Edit this page on GitHub

Next

About