MS-CHAP-V2 with no retry
Phil Mayers
p.mayers at imperial.ac.uk
Thu Apr 21 00:53:42 CEST 2011
On 04/20/2011 11:14 PM, John.Hayward at wheaton.edu wrote:
> I have been able to do some testing with the adjustments for MS-CHAP-V2
> related to error and retires.
>
> There are two items I observed with testing:
>
> 1) If I sent a HUP signal to the server it appears to re-read the
> configuration files but for some reason does not re-read the mschap
> module - so changing this module while testing seemed to require a
> restart on the server. Is that the expected behavior?
rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't
be terribly hard to write one - the module is fairly stateless. It's
probably best to just restart the server though.
> 2) If retry=yes then on Windows-7 on failure a notification is given if
> they click they are presented with a message indicating their username
> or password are incorrect and given an opportunity to re-enter only a
> password. If they enter the correct password the authentication fails
> and they have to re-connect to get a duologue box where they can enter
> both the username and password. I have not traced down to determine why
> the client thinks there is a failure (eg need to see if FRS thinks it is
> a failure or not). This I believe is not what should be happening.
I think this is probably because the EAP-MSCHAP modules needs to parse
and store the new challenge in the error message. If it doesn't, the
server and client will disagree on the challenge/response value and auth
will fail
This patch implements the required behaviour (as part of the "support
password change" code):
https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9
More information about the Freeradius-Users
mailing list