MS-CHAP-V2 with no retry
p.mayers at imperial.ac.uk
Mon Apr 11 15:45:13 CEST 2011
On 11/04/11 11:22, Phil Mayers wrote:
> On 10/04/11 15:41, James J J Hooper wrote:
>> This C=<random> needs to be saved and eventually make it's way in to
>> data->challenge so that the line lower down:
>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
> It's actually a bit more complex; the new challenge is being generated
> inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2
> needs to know it, so that it can add it to the fake request which it
> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
> This would also get us part of the way there to password change via
> mschap (Samba currently lacks the specific API call to do this, with the
> values available in an MSCHAP CPW packet, but it might be possible to
> compile a C helper which does it...)
The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry
work for me.
It needs a bit of work, specifically there should be a:
...parameter, and the EAP module should keep track of retry attempt
counts, and stop when either:
try_number > num_retries
R=0 in the MS-CHAP-Error attribute
Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure
it should go into 2.1.11 - there's probably not enough testing time.
It works for a Windows XP SP3 client here, as well as with a jury-rigged
I'll spin up an SSID and give it a try with real clients later today.
Of note: this gets us nearer to MS-CHAP change-password functionality;
I've looked into this a couple of times recently and Samba has almost
all the bits required to make it work... However, that would require
some infrastructure for the server to override the MS-CHAP error code,
currently hard-coded at 691 - 648 is "password expired" and would need
to be set, either by parsing the output of ntlm_auth (for those that use
it) or from some SQL/database attribute (for those using
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2409 bytes
Desc: not available
More information about the Freeradius-Users