[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Radiusplugin-users] Freeradius Reply-Message
|
From: |
Ralf Lübben |
|
Subject: |
Re: [Radiusplugin-users] Freeradius Reply-Message |
|
Date: |
Sun, 21 Mar 2010 18:25:54 +0100 |
|
User-agent: |
KMail/1.12.2 (Linux/2.6.31-20-generic; KDE/4.3.2; i686; ; ) |
Hi,
I uploaded a new version to the website, which should fix the problem.
I didn't know about the AUTH_FAILED message, I would be great if it could be
set in the client config file, this is the only way the plugin can pass
information to the server.
Ralf
Am Sonntag, 21. März 2010 14:24:02 schrieb William Cooley:
> Sorry if this has already been discussed but openvpn 2.1_rc20 added a
> new option that relates to this.
>
> "Added the ability for the server to provide a custom reason string
> when an AUTH_FAILED message is returned to the client. This
> string can be set by the server-side managment interface and read
> by the client-side management interface."
>
> My guess is that this won't be as easy to implement because it uses the
> management interface on the server side.
>
> On 3/21/2010 7:35 AM, Ralf Lübben wrote:
> > The reply message should be there, e.g. it get:
> >
> > Sun Mar 21 11:27:02 2010 RADIUS-PLUGIN: BACKGROUND AUTH:
> > Reply-Message:Your account has been disabled.
> >
> > in the OpenVPN server logfile. The plugin sends the message to stderr and
> > OpenVPN forwards it to the logfile.
> >
> > For forwarding it to the client there must be adequate attribute that is
> > forwarded by server to the client.
> > To my knowledge such an attribute doesn't exist.
> >
> > Am Sonntag, 21. März 2010 12:29:40 schrieb Dequan Randolph:
> >> Nice. What testing I was able to do shows this as a fix and works fine.
> >>
> >> In reference to the newly added reply-message feature, is it possible to
> >> forward these replies through to the openvpn log (preferably both client
> >> and server)?
> >>
> >> My log file shows:
> >>
> >> Sun Mar 21 11:25:10 2010 Error: RADIUS-PLUGIN: BACKGROUND AUTH:
> >> Auth failed!
> >>
> >> But no reply-message follows. Am I being dumb and missing something
> >> obvious?
> >>
> >> Thanks.
> >>
> >> -----Original Message-----
> >> From:
> >> address@hidden
> >> [mailto:address@hidden
> >>.o rg] On Behalf Of Ralf Lübben
> >> Sent: 21 March 2010 11:11
> >> To: address@hidden
> >> Subject: Re: [Radiusplugin-users] Freeradius Reply-Message
> >>
> >> Hi,
> >>
> >> the plugin freezes if you set "useauthcontrolfile=false" in the plugin
> >> configuration file. If set to true the plugin won't freeze. I will
> >> update it as
> >> soon as possible.
> >>
> >> Ralf
> >>
> >> Am Samstag, 20. März 2010 20:20:06 schrieb Dequan Randolph:
> >>> Thanks for this Ralf.
> >>>
> >>> However, after some testing, this new version seems to break my openvpn
> >>> service. I would love to provide further details, but I can't provide
> >>
> >> any
> >>
> >>> solid evidence as to the source of the problem -- I just can't find
> >>> any!
> >>>
> >>> I have a user who is part of a group with a radgroupcheck "Auth-Type :=
> >>> Reject", and a radgroupreply with "Reply-Message = Disabled by
> >>> administrator". I can receive a successful rejection one time, but
> >>
> >> another
> >>
> >>> time the openvpn service seems to freeze before the access-reject is
> >>
> >> sent
> >>
> >>> (I assume before it even hits freeradius). I would then try to
> >>> restart
> >>
> >> the
> >>
> >>> service, but it would fail to load as it says the openvpn management
> >>
> >> port
> >>
> >>> is currently in use (the program has hung I assume), so I am forced
> >>> to kill the process manually then restart the service.
> >>>
> >>> I have tried rolling back to beta6, and have not been able to replicate
> >>> this issue on it -- so I have to conclude there is something wrong in
> >>> beta7 causing the freeze (never had a single problem before).
> >>>
> >>> I wish I could be more helpful than just saying, "it's broken for me"!
> >>>
> >>> -----Original Message-----
> >>> From:
> >>
> >> address@hidden
> >>
> >> [mailto:address@hidden
> >>.o r
> >>
> >>> g ] On Behalf Of Ralf Lübben
> >>> Sent: 20 March 2010 11:49
> >>> To: address@hidden
> >>> Subject: Re: [Radiusplugin-users] Freeradius Reply-Message
> >>>
> >>> Hi,
> >>>
> >>> I added it in the new version at
> >>>
> >>> http://www.nongnu.org/radiusplugin/
> >>>
> >>> Ralf
> >>>
> >>> Am Mittwoch, 10. Februar 2010 19:10:38 schrieb Ralf Lübben:
> >>>> Hi,
> >>>>
> >>>> yes I will put it on my ToDo list and add it the next beta release.
> >>>>
> >>>> Maybe it will take one or two weeks.
> >>>>
> >>>> Regards,
> >>>> Ralf
> >>>>
> >>>> Am Dienstag, 9. Februar 2010 23:56:59 schrieb Dequan Randolph:
> >>>>> Assuming -- as you said -- it would be easy to implement, would it
> >>
> >> be
> >>
> >>>>> possible to implement this in the one of the next releases?
> >>>>>
> >>>>> Being able to pass a custom Reply-Message would be extremely useful
> >>
> >> for
> >>
> >>>>> me (and hopefully other people too).
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>> Dequan.
> >>
> >> -----------------------------------------------------------------------
> >>
> >>>>> -
> >>>>>
> >>>>> Ralf Lübben wrote:
> >>>>>> Hi,
> >>>>>>
> >>>>>> so far this feature is not implemented, only few radius attributes
> >>>>>> are evaluated, which can be mapped to OpenVPN attributes.
> >>>>>>
> >>>>>> But it would be easy to implement it.
> >>>>>>
> >>>>>> Regards
> >>>>>> Ralf
> >>>>>>
> >>>>>> Am Mittwoch, 3. Februar 2010 20:35:46 schrieb Dequan Randolph:
> >>>>>>> Im not sure if this relates directly to this plugin, but is it
> >>>>>>> possible for the plugin to forward a radgroupreply
> >>
> >> "Reply-Message"
> >>
> >>>>>>> created by Freeradius following a radgroupcheck?
> >>>>>>>
> >>>>>>> Ideally i'd like to create a more accurate return of information
> >>>>>>> during a failed login process. For example, if the user has been
> >>>>>>> disabled by an administrator, a reply-message could be forwarded
> >>
> >> to
> >>
> >>>>>>> OpenVPN
> >>>>>>> (specifically the log file) indicating a more detailed
> >>
> >> explanation
> >>
> >>>>>>> of why he/she is rejected, i.e. "Your account has been disabled".
> >>>>>>>
> >>>>>>> As it stands OpenVPN can output to a log, but the only
> >>
> >> information
> >>
> >>>>>>> concerning a failed login attempt is indicated by:
> >>>>>>>
> >>>>>>> AUTH: Received AUTH_FAILED control message
> >>>>>>>
> >>>>>>> Would it be possible to return more detailed information via a
> >>>>>>> Reply-Message packet?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Dequan.
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Radiusplugin-users mailing list
> >>>>>> address@hidden
> >>>>>> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >>>>
> >>>> _______________________________________________
> >>>> Radiusplugin-users mailing list
> >>>> address@hidden
> >>>> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >>>
> >>> _______________________________________________
> >>> Radiusplugin-users mailing list
> >>> address@hidden
> >>> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Radiusplugin-users mailing list
> >>> address@hidden
> >>> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >>
> >> _______________________________________________
> >> Radiusplugin-users mailing list
> >> address@hidden
> >> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >>
> >>
> >>
> >> _______________________________________________
> >> Radiusplugin-users mailing list
> >> address@hidden
> >> http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
> >
> > _______________________________________________
> > Radiusplugin-users mailing list
> > address@hidden
> > http://lists.nongnu.org/mailman/listinfo/radiusplugin-users
>