MS-CHAP-V2 with no retry

Alan DeKok aland at deployingradius.com
Sat Mar 5 07:23:54 CET 2011


John.Hayward at wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
>    a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
>    a response sent back to the client but there was no message in the
>    response.

  It's more complicated.  The server would send EAP-Failure, and nothing
else.

> 2) The patch given resolves that problem - giving the message
>    of the rlm_mschap.c module of E=691 R=1

  On closer inspection, the patch doesn't resolve anything.  It still
sends an EAP-Failure.  It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code.  After the
client has ACKed that, it should *then* send EAP-Failure.

  i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

  No.  That sends back an MS-CHAP-Error.  The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

  Alan DeKok.



More information about the Freeradius-Users mailing list