MS-CHAP-V2 with no retry

Phil Mayers p.mayers at imperial.ac.uk
Mon Apr 11 15:45:13 CEST 2011


On 11/04/11 11:22, Phil Mayers wrote:
> On 10/04/11 15:41, James J J Hooper wrote:
>
>>
>> This C=<random> needs to be saved and eventually make its way in to
>> data->challenge so that the line lower down:
>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>
> It's actually a bit more complex; the new challenge is being generated
> inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
> needs to know it, so that it can add it to the fake request which it
> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>
> This would also get us part of the way there to password change via
> mschap (Samba currently lacks the specific API call to do this, with the
> values available in an MSCHAP CPW packet, but it might be possible to
> compile a C helper which does it...)
>

The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry 
work for me.

It needs a bit of work, specifically there should be a:

  num_retries

...parameter, and the EAP module should keep track of retry attempt 
counts, and stop when either:

  try_number > num_retries

  or

  R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure 
it should go into 2.1.11 - there's probably not enough testing time.

It works for a Windows XP SP3 client here, as well as with a jury-rigged 
eapol_test/wpa_cli combo.

I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; 
I've looked into this a couple of times recently and Samba has almost 
all the bits required to make it work... However, that would require 
some infrastructure for the server to override the MS-CHAP error code, 
currently hard-coded at 691 - 648 is "password expired" and would need 
to be set, either by parsing the output of ntlm_auth (for those that use 
it) or from some SQL/database attribute (for those using 
Cleartext/NT-Password)
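The MS-CHAP-Error handling and retry accounting discussed in this message, written out as an added example. This is not code from the thread, the attached patch, or FreeRADIUS: the attribute layout (one Ident octet, then "E=... R=... C=... V=... M=...") follows RFC 2548 and RFC 2759, while the names num_retries, try_number, Mschapv2RetryState, build_mschap_error and parse_mschap_error are assumptions made for the illustration. It shows the server side generating the error with a fresh C= challenge (691 vs 648), and the EAP side parsing it, stopping on R=0 or try_number > num_retries, and otherwise carrying the new challenge forward as the MS-CHAP-Challenge for the next attempt.

```python
"""MS-CHAPv2 failure text and EAP-MSCHAPv2 retry bookkeeping (illustrative only).

Added example for this list thread, not FreeRADIUS code. Field layout per
RFC 2548 sect. 2.1.6 (Ident octet + String) and RFC 2759 sect. 6; the class
and parameter names below are assumptions, not rlm_eap_mschapv2's.
"""
import os
import re
from dataclasses import dataclass

MSCHAPV2_CHALLENGE_LEN = 16  # octets; rendered as 32 hex chars in the C= field

# Error codes named in RFC 2759 section 6.
ERROR_PASSWD_EXPIRED = 648
ERROR_AUTHENTICATION_FAILURE = 691

_ERR_RE = re.compile(
    r"^E=(?P<code>\d+) R=(?P<retry>[01]) C=(?P<chal>[0-9A-Fa-f]{32}) "
    r"V=(?P<ver>\d+)(?: M=(?P<msg>.*))?$"
)


@dataclass(frozen=True)
class MsChapError:
    ident: int
    code: int
    retry_allowed: bool      # R=1
    challenge: bytes         # C=, the challenge a retry must be computed against
    version: int             # V=, 3 for MS-CHAPv2
    message: str             # M=, free text shown to the user


def build_mschap_error(ident, code, retry_allowed, challenge=None, message=""):
    """Server side: render the MS-CHAP-Error value, minting a fresh C= if none given.

    A new random challenge is needed whenever R=1; reusing the old one would let
    a second Response be computed against a challenge the peer already saw."""
    if challenge is None:
        challenge = os.urandom(MSCHAPV2_CHALLENGE_LEN)
    if len(challenge) != MSCHAPV2_CHALLENGE_LEN:
        raise ValueError("challenge must be %d octets" % MSCHAPV2_CHALLENGE_LEN)
    text = "E=%d R=%d C=%s V=3" % (code, 1 if retry_allowed else 0,
                                   challenge.hex().upper())
    if message:
        text += " M=" + message
    return bytes([ident]) + text.encode("ascii")


def parse_mschap_error(value):
    """EAP side: split Ident from the text and validate every field, C= included."""
    if len(value) < 2:
        raise ValueError("MS-CHAP-Error too short")
    ident, text = value[0], value[1:].decode("ascii")
    m = _ERR_RE.match(text)
    if not m:
        raise ValueError("malformed MS-CHAP-Error text: %r" % text)
    return MsChapError(ident=ident, code=int(m["code"]),
                       retry_allowed=m["retry"] == "1",
                       challenge=bytes.fromhex(m["chal"]),
                       version=int(m["ver"]), message=m["msg"] or "")


class Mschapv2RetryState:
    """Per-session state the EAP module would keep across failed Responses."""

    def __init__(self, num_retries, initial_challenge):
        self.num_retries = num_retries
        self.try_number = 0
        self.challenge = initial_challenge  # value for the next MS-CHAP-Challenge
        self.finished = False

    def on_failure(self, err):
        """Return True if one more Response may be accepted; update the challenge.

        Stops when the server said R=0 or when try_number exceeds num_retries."""
        if self.finished:
            return False
        self.try_number += 1
        if not err.retry_allowed or self.try_number > self.num_retries:
            self.finished = True
            return False
        # The fake request handed back into the MS-CHAP authenticator must carry
        # the C= value from the error, not the original challenge.
        self.challenge = err.challenge
        return True
```

With num_retries=2 the third consecutive failure ends the session even if the server keeps sending R=1; a single E=648 R=0 ends it immediately, which is the path a password-change flow would have to branch off from.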
-------------- next part --------------
A non-text attachment was scrubbed...
Name: retry.patch.gz
Type: application/x-gzip
Size: 2409 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110411/0331852a/attachment.bin>

