I have been working away with FreeRADIUS 3+ & the REST module with the default PEAP/EAP-TTLS sites. I am however unable to send error messages to the target client at any stage of AAA.
I have tried manually setting
update reply { Reply-Message := "test" }
at the post-auth section of the inner/outer tunnels, both to no avail.
I have also read that Reply-Message is not allowed to be accompanied by an EAP-Message, so I am very confused about how I actually message the user error codes etc. Has anyone figured out how to send messages to the client on PEAP/EAP-TTLS?
Other Details: AP - UniFi; Clients - iPhone, Linux Xubuntu, Windows 10
Kind Regards
The simple answer is you can't.
A long long time ago, in a job far far away, we had HP ProCurve switches. When these switches received a Reply-Message, they'd transform the contents into an EAP-Notification packet, which'd be sent after the final EAP-Success.
With Linux supplicants this caused the authentication process to restart. With other operating systems, they simply ignored it (OSX would actually log the contents but not display it).
The wpa_supplicant author Jouni Malinen would not fix the issue as he quite rightly claimed the switches and our RADIUS servers were not compliant with RFC3579.
The only way you could possibly send the user a message would be in an EAP-Notification packet crafted by FreeRADIUS, which we don't currently support, and even if we did, it'd probably be ignored by most supplicants and may cause weird behaviour in others.
There are policies in the default virtual server that actually remove any Reply-Message attributes present to prevent users breaking RFC3579, but if you want to experiment, set the Reply-Message in the outer server and remove this line.
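As an added illustration (not from the original thread and not FreeRADIUS code), here is a small Python check for the RFC 3579 rule the answer refers to: it parses RADIUS attribute TLVs, flags an Access-Accept that carries Reply-Message together with EAP-Message, and shows the effect of stripping Reply-Message the way the default policy does. The packet bytes are constructed for the example, with a zeroed authenticator and no Message-Authenticator, so it runs offline.

```python
import struct

# RADIUS attribute type codes (RFC 2865) and the packet code for Access-Accept
REPLY_MESSAGE = 18
EAP_MESSAGE = 79
ACCESS_ACCEPT = 2
HEADER_LEN = 20  # code, identifier, length, 16-byte authenticator


def parse_attributes(payload):
    """Walk the type/length/value attributes that follow the 20-byte header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_packet(code, identifier, attrs):
    """Assemble a RADIUS packet; the authenticator is zeroed (constructed sample only)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + b"\x00" * 16 + body


def violates_rfc3579(packet):
    """RFC 3579: Reply-Message must not travel in a packet that also carries EAP-Message."""
    types = {t for t, _ in parse_attributes(packet[HEADER_LEN:])}
    return EAP_MESSAGE in types and REPLY_MESSAGE in types


def strip_reply_message_if_eap(packet):
    """Same effect as the server-side policy: drop Reply-Message only when EAP-Message is present."""
    code, identifier, _ = struct.unpack("!BBH", packet[:4])
    attrs = parse_attributes(packet[HEADER_LEN:])
    if not any(t == EAP_MESSAGE for t, _ in attrs):
        return packet  # no EAP in play, so Reply-Message is legitimate here
    return build_packet(code, identifier, [(t, v) for t, v in attrs if t != REPLY_MESSAGE])


# Constructed Access-Accept resembling the poster's attempt: EAP-Success plus Reply-Message "test"
EAP_SUCCESS = b"\x03\x01\x00\x04"  # EAP code 3 (Success), id 1, length 4
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [(EAP_MESSAGE, EAP_SUCCESS), (REPLY_MESSAGE, b"test")])

if __name__ == "__main__":
    print("violation:", violates_rfc3579(SAMPLE_ACCEPT))  # True
    print("after strip:", violates_rfc3579(strip_reply_message_if_eap(SAMPLE_ACCEPT)))  # False
```

Running it against the constructed packet reports a violation before the strip and none after; the same parser can be pointed at a captured Access-Accept to confirm what the server actually sends to the NAS.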