MS-CHAP-V2 with no retry

John.Hayward at wheaton.edu
Thu Apr 21 00:14:11 CEST 2011


I have been able to do some testing with the adjustments for MS-CHAP-V2 
related to errors and retries.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the 
configuration files but for some reason does not re-read the mschap module 
- so changing this module while testing seemed to require a restart on the 
server.  Is that the expected behavior?

2) If retry=yes then on Windows-7, on failure a notification is given; if 
they click it they are presented with a message indicating their username or 
password is incorrect and given an opportunity to re-enter only a 
password.  If they enter the correct password the authentication fails and 
they have to re-connect to get a dialogue box where they can enter both 
the username and password.  I have not traced down to determine why the 
client thinks there is a failure (e.g. need to see if FRS thinks it is a 
failure or not).  This I believe is not what should be happening.

johnh...


  On Wed, 13 Apr 2011, John.Hayward at wheaton.edu wrote:

> Date: Wed, 13 Apr 2011 16:19:26
> From: John.Hayward at wheaton.edu
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: MS-CHAP-V2 with no retry
> 
> First - thanks to the FreeRADIUS group for all the work on this over the 
> weekend.
>
> There have been some fixes and extensions to my original patches and I saw a 
> commit on Friday before some fixes and extensions were in place.
>
> Can someone point me to exactly what I need to "git" to get the current 
> version of freeradius with the patches so I can do some testing at our site?
>
> TIA.
> johnh...
>
> On Mon, 11 Apr 2011, Phil Mayers wrote:
>
>> Date: Mon, 11 Apr 2011 08:45:13
>> From: Phil Mayers <p.mayers at imperial.ac.uk>
>> Reply-To: FreeRadius users mailing list
>>     <freeradius-users at lists.freeradius.org>
>> To: freeradius-users at lists.freeradius.org
>> Subject: Re: MS-CHAP-V2 with no retry
>> 
>> On 11/04/11 11:22, Phil Mayers wrote:
>>> On 10/04/11 15:41, James J J Hooper wrote:
>>> 
>>>> 
>>>> This C=<random> needs to be saved and eventually make its way into
>>>> data->challenge so that the line lower down:
>>>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>>> 
>>> It's actually a bit more complex; the new challenge is being generated
>>> inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
>>> needs to know it, so that it can add it to the fake request which it
>>> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>>> 
>>> This would also get us part of the way there to password change via
>>> mschap (Samba currently lacks the specific API call to do this, with the
>>> values available in an MSCHAP CPW packet, but it might be possible to
>>> compile a C helper which does it...)
>>> 
>> 
>> The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
>> for me.
>> 
>> It needs a bit of work, specifically there should be a:
>> 
>> num_retries
>> 
>> ...parameter, and the EAP module should keep track of retry attempt counts, 
>> and stop when either:
>> 
>> try_number > num_retries
>> 
>> or
>> 
>> R=0 in the MS-CHAP-Error attribute
>> 
>> Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
>> should go into 2.1.11 - there's probably not enough testing time.
>> 
>> It works for a Windows XP SP3 client here, as well as with a jury-rigged 
>> eapol_test/wpa_cli combo.
>> 
>> I'll spin up an SSID and give it a try with real clients later today.
>> 
>> Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
>> looked into this a couple of times recently and Samba has almost all the 
>> bits required to make it work... However, that would require some 
>> infrastructure for the server to override the MS-CHAP error code, currently 
>> hard-coded at 691 - 648 is "password expired" and would need to be set, 
>> either by parsing the output of ntlm_auth (for those that use it) or from 
>> some SQL/database attribute (for those using Cleartext/NT-Password)
>> 
>
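The two pieces the thread circles around are the C=<random> challenge that James says must be carried into the next round, and the stop rule Phil sketches (give up when try_number > num_retries or when R=0 in MS-CHAP-Error). As an added example that is not code from this thread or from FreeRADIUS, here is a small C parser for the MS-CHAP-Error text in the RFC 2759 failure format ("E=<code> R=<0|1> C=<32 hex> V=3 M=<msg>") together with that stop decision; the function and struct names are assumptions, and a leading Ident byte before "E=" is tolerated.

```c
#include <stdlib.h>
#include <string.h>

#define MSCHAPV2_CHALLENGE_LEN 16

/* Fields of "E=<code> R=<0|1> C=<32 hex> V=3 M=<msg>" (RFC 2759 failure text). */
struct mschap_error {
    long code;                                       /* E=: 691 auth failure, 648 password expired */
    int retry;                                       /* R=: 1 = client may retry, 0 = must not */
    int has_challenge;                               /* C= present and well-formed */
    unsigned char challenge[MSCHAPV2_CHALLENGE_LEN]; /* C=: new challenge for the retry round */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper (not FreeRADIUS code). Returns 0 on success, -1 when E= or R= is
 * missing or C= is malformed. A leading Ident byte before "E=" is skipped by strstr(). */
int parse_mschap_error(const char *s, struct mschap_error *out)
{
    const char *p;
    memset(out, 0, sizeof *out);
    if ((p = strstr(s, "E=")) == NULL) return -1;
    out->code = strtol(p + 2, NULL, 10);
    if ((p = strstr(s, "R=")) == NULL || (p[2] != '0' && p[2] != '1')) return -1;
    out->retry = p[2] - '0';
    if ((p = strstr(s, "C=")) != NULL) {
        for (size_t i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
            int hi = hexval((unsigned char)p[2 + 2 * i]);
            if (hi < 0) return -1;            /* short or non-hex: stop before reading past the end */
            int lo = hexval((unsigned char)p[3 + 2 * i]);
            if (lo < 0) return -1;
            out->challenge[i] = (unsigned char)((hi << 4) | lo);
        }
        out->has_challenge = 1;
    }
    return 0;
}

/* Stop rule from the thread: another round only while R=1 and try_number <= num_retries,
 * and only if the new C= challenge was captured, since the next response is computed over it. */
int mschapv2_should_retry(const struct mschap_error *err, int try_number, int num_retries)
{
    if (err->retry != 1) return 0;
    if (try_number > num_retries) return 0;
    return err->has_challenge;
}
```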
