Password Policy - Expired Password - mschap
Theparanoidone Theparanoidone
theparanoidone at yahoo.com
Thu Aug 12 17:32:50 CEST 2010
Greetings Alan~
>> Possible solutions:
>> ---------------------------
>> Solution 1) Edit the opendir.c module to simply detect error status -14161 and
>> -14162... and simply set the status to 0 instead.
>
> Absolutely not. Expired passwords are *not* OK.
>
>> Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to override
>> the failed login and force the response to Auth-Accept. Perhaps, some pseudo
>> conf code that says if reject-message == -14162 || reject-message == -14161 ...
>> then "ok update auth-type := accept"
>
> No. That's just as bad.
>
> The real reason is that very few people do password changes via
> MS-CHAP. Most people do it via Active Directory, LDAP, web pages, etc.
We are more than happy to perform the password change via LDAP (or Apple's
OpenDirectory)... however, the client computer is unable to connect to the
network if it receives a failed authentication in the first step of 802.1X port
security. In other words, the switch does not unlock the port until you
successfully authenticate, and therefore it appears the client login screen
doesn't know how to handle this case and is unable to display a password update
screen or communicate on the network. Am I missing some configuration to allow
LDAP to take over?
I agree that expired passwords are bad, but in the case where the client
computer is completely blocked out due to a routine password expiration...
perhaps a configuration option to allow expired passwords and password resets
is acceptable, should a sysadmin choose to override this setting simply for
RADIUS. After all, there is only one password that will allow a user to unlock
their account to update their old password... i.e. the user must present their
old password one more time (which means technically the old password is still
valid/good for one last task: updating the user password).
Understanding the security risks... is there an example of
setting Post-Auth-Type REJECT {...} to override the reject and force the response
to Auth-Accept? I've tried a number of combinations in the default virtual
terminal (as another post said it is not processed in the inner tunnel), but I
have been unable to get it to work. Any examples?
Thank you!