MS-CHAP-V2 with no retry

John.Hayward at wheaton.edu
Tue Apr 26 15:35:03 CEST 2011


Hi Alan,

I just wanted to make sure you know what we are currently running -

we started with 2.1.x after patches were put in place related to 
retry/no-retry - this version works properly for no-retry but does not 
operate correctly with retry allowed.

We next applied the patch from Phil which corrected the challenge - this 
by itself still did not work properly with retry.

We next tweaked that patch to send a request rather than failure if retry 
was being allowed and this worked as it should have.

Phil indicated that he had reworked the mschap module to deal with 
password changes and that, as part of that change, the correct 
behavior resulted if his original patch to fix the challenge was left unmodified.
I personally think his approach is better but more complex because it also 
has code related to password change (a feature we would not use).

I think it would be highly desirable to get a version of the patch which 
works correctly with retry enabled since it significantly reduces support 
calls in environments which have required password changes.

From your perspective which approach to getting retry enabled working do 
you recommend for 2.11 so we can be testing the same version:

o my tweaks of Phil's single "challenge" patch
o Phil's challenge and password change patches
o a simpler two patch solution which does not do passwords - the challenge 
patch and a rearrangement patch which detects responses to retry 
challenges?

Is there anything I can do to help get this accomplished?
johnh...

On Tue, 26 Apr 2011, Alan DeKok wrote:

> Date: Tue, 26 Apr 2011 07:57:09
> From: Alan DeKok <aland at deployingradius.com>
> Reply-To: FreeRadius users mailing list
>     <freeradius-users at lists.freeradius.org>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: MS-CHAP-V2 with no retry
> 
> John.Hayward at wheaton.edu wrote:
>> Just a brief update.
>>
>> In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as
>> expected with this retry patch - user is presented with a password
>> dialog box and the connection is not aborted - user only needs to enter
>> the correct password to be connected and no "contact your network
>> administrator" or other messages occur.
>>
>> Our support people are thrilled.
>
>  If it's that useful, it should go into 2.1.11.
>
>  I'd prefer to have everyone possible test this, so that we're sure it
> doesn't break anything.
>
>  Remember: FreeRADIUS depends on all of you for its success.  The more
> you give, the better it gets.
>
>  Alan DeKok.


