Re: [Radiusplugin-users] Freeradius Reply-Message

[William Cooley]

Sorry if this has already been discussed but openvpn 2.1_rc20 added a 
new option that relates to this.

"Added the ability for the server to provide a custom reason string
  when an AUTH_FAILED message is returned to the client.  This
  string can be set by the server-side managment interface and read
  by the client-side management interface."

My guess is that this won't be as easy to implement because it uses the 
management interface on the server side.


On 3/21/2010 7:35 AM, Ralf Lübben wrote:
> The reply message should be there, e.g. it get:
>
> Sun Mar 21 11:27:02 2010 RADIUS-PLUGIN: BACKGROUND AUTH: Reply-Message:Your
> account has been disabled.
>
> in the OpenVPN server logfile. The plugin sends the message to stderr and
> OpenVPN forwards it to the logfile.
>
> For forwarding it to the client there must be adequate attribute that is
> forwarded by server to the client.
> To my knowledge such an attribute doesn't exist.
>
>
>
> Am Sonntag, 21. März 2010 12:29:40 schrieb Dequan Randolph:
>    
> > Nice. What testing I was able to do shows this as a fix and works fine.
> >
> > In reference to the newly added reply-message feature, is it possible to
> > forward these replies through to the openvpn log (preferably both client
> >   and server)?
> >
> > My log file shows:
> >
> >         Sun Mar 21 11:25:10 2010 Error: RADIUS-PLUGIN: BACKGROUND  AUTH:
> > Auth failed!
> >
> > But no reply-message follows. Am I being dumb and missing something
> >   obvious?
> >
> > Thanks.
> >
> > -----Original Message-----
> > From: address@hidden
> > [mailto:address@hidden
> > rg] On Behalf Of Ralf Lübben
> > Sent: 21 March 2010 11:11
> > To: address@hidden
> > Subject: Re: [Radiusplugin-users] Freeradius Reply-Message
> >
> > Hi,
> >
> > the plugin freezes if you set "useauthcontrolfile=false" in the plugin
> > configuration file.  If set to true the plugin won't freeze. I will update
> > it as
> > soon as possible.
> >
> > Ralf
> >
> > Am Samstag, 20. März 2010 20:20:06 schrieb Dequan Randolph:
> >      
> > > Thanks for this Ralf.
> > >
> > > However, after some testing, this new version seems to break my openvpn
> > > service. I would love to provide further details, but I can't provide
> > >        
> > any
> >
> >      
> > > solid evidence as to the source of the problem -- I just can't find any!
> > >
> > > I have a user who is part of a group with a radgroupcheck "Auth-Type :=
> > > Reject", and a radgroupreply with "Reply-Message = Disabled by
> > > administrator". I can receive a successful rejection one time, but
> > >        
> > another
> >
> >      
> > > time the openvpn service seems to freeze before the access-reject is
> > >        
> > sent
> >
> >      
> > >   (I assume before it even hits freeradius). I would then try to restart
> > >        
> > the
> >
> >      
> > >   service, but it would fail to load as it says the openvpn management
> > >        
> > port
> >
> >      
> > >   is currently in use (the program has hung I assume), so I am forced to
> > >   kill the process manually then restart the service.
> > >
> > > I have tried rolling back to beta6, and have not been able to replicate
> > >   this issue on it -- so I have to conclude there is something wrong in
> > >   beta7 causing the freeze (never had a single problem before).
> > >
> > > I wish I could be more helpful than just saying, "it's broken for me"!
> > >
> > > -----Original Message-----
> > > From:
> > >        
> > address@hidden
> >
> > [mailto:address@hidden
> > r
> >
> >      
> > > g ] On Behalf Of Ralf Lübben
> > > Sent: 20 March 2010 11:49
> > > To: address@hidden
> > > Subject: Re: [Radiusplugin-users] Freeradius Reply-Message
> > >
> > > Hi,
> > >
> > > I added it in the new version at
> > >
> > > http://www.nongnu.org/radiusplugin/
> > >
> > > Ralf
> > >
> > > Am Mittwoch, 10. Februar 2010 19:10:38 schrieb Ralf Lübben:
> > >        
> > > > Hi,
> > > >
> > > > yes I will put it on my ToDo list and add it the next beta release.
> > > >
> > > > Maybe it will take one or two weeks.
> > > >
> > > > Regards,
> > > > Ralf
> > > >
> > > > Am Dienstag, 9. Februar 2010 23:56:59 schrieb Dequan Randolph:
> > > >          
> > > > > Assuming -- as you said -- it would be easy to implement, would it
> > > > >            
> > be
> >
> >      
> > > > > possible to implement this in the one of the next releases?
> > > > >
> > > > > Being able to pass a custom Reply-Message would be extremely useful
> > > > >            
> > for
> >
> >      
> > > > > me (and hopefully other people too).
> > > > >
> > > > > Regards,
> > > > >
> > > > > Dequan.
> > > > >            
> > -----------------------------------------------------------------------
> >
> >      
> > > > > -
> > > > >
> > > > > Ralf Lübben wrote:
> > > > >            
> > > > > > Hi,
> > > > > >
> > > > > > so far this feature is not implemented, only few radius attributes
> > > > > > are evaluated, which can be mapped to OpenVPN attributes.
> > > > > >
> > > > > > But it would be easy to implement it.
> > > > > >
> > > > > > Regards
> > > > > > Ralf
> > > > > >
> > > > > > Am Mittwoch, 3. Februar 2010 20:35:46 schrieb Dequan Randolph:
> > > > > >              
> > > > > > > Im not sure if this relates directly to this plugin, but is it
> > > > > > > possible for the plugin to forward a radgroupreply
> > > > > > >                
> > "Reply-Message"
> >
> >      
> > > > > > > created by Freeradius following a radgroupcheck?
> > > > > > >
> > > > > > > Ideally i'd like to create a more accurate return of information
> > > > > > > during a failed login process. For example, if the user has been
> > > > > > > disabled by an administrator, a reply-message could be forwarded
> > > > > > >                
> > to
> >
> >      
> > > > > > > OpenVPN
> > > > > > > (specifically the log file) indicating a more detailed
> > > > > > >                
> > explanation
> >
> >      
> > > > > > > of why he/she is rejected, i.e. "Your account has been disabled".
> > > > > > >
> > > > > > > As it stands OpenVPN can output to a log, but the only
> > > > > > >                
> > information
> >
> >      
> > > > > > > concerning a failed login attempt is indicated by:
> > > > > > >
> > > > > > >      AUTH: Received AUTH_FAILED control message
> > > > > > >
> > > > > > > Would it be possible to return more detailed information via a
> > > > > > > Reply-Message packet?
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Dequan.
> > > > > > >                
> > > > > > _______________________________________________
> > > > > > Radiusplugin-users mailing list
> > > > > > address@hidden
> > > > > > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> > > > > >              
> > > > _______________________________________________
> > > > Radiusplugin-users mailing list
> > > > address@hidden
> > > > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> > > >          
> > > _______________________________________________
> > > Radiusplugin-users mailing list
> > > address@hidden
> > > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> > >
> > >
> > >
> > > _______________________________________________
> > > Radiusplugin-users mailing list
> > > address@hidden
> > > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> > >        
> > _______________________________________________
> > Radiusplugin-users mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >
> >
> >
> > _______________________________________________
> > Radiusplugin-users mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >
> >      
>
> _______________________________________________
> Radiusplugin-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
>