List:       freeradius-users
Subject:    RE: Can RADIUS indicate a standardised reason for access rejection?
From:       Brian Turnbow via Freeradius-Users <freeradius-users () lists ! freeradius ! org>
Date:       2022-08-22 10:10:27
Message-ID: f72572a1819d41ecbf7fe54a23867c1e () twt ! it

Hi,
 
> > Reason for asking: Most of our clients are macOS devices. When a user
> > changes the password server-side, the next EAP-TTLS + PAP authentication
> > attempt fails.
> > macOS displays a very cryptic message about a connection problem (no
> > prompt to enter the password).
> > Ideal behaviour would be the client knowing the reason for authentication
> > failure so it can react accordingly (prompt user for new set of credentials).

In a similar situation we took a different approach.
On authentication failure we override the response and send them into a dedicated VRF
with a walled garden web page that says something like "Your session was not
authenticated properly. Please check your login credentials and try again." Works well
for most users and cut down on tickets.

Brian
