Windows 7 prompting several times
aland at deployingradius.com
Tue Apr 3 17:27:59 CEST 2012
> Now, if the user enters wrong credentials, windows prompts for credentials
> again with a message stating that the user credentials are invalid. The
> problem is that if the user now types the correct credential, the access
> will still be denied. After the third retry, windows gives up on asking and
> the user must click on the wireless network icon, to start the login process
See the ChangeLog for 2.1.11:
* Make retry and error message configurable in mschap.
* Allow EAP-MSCHAPv2 to send error message to client. This
allows some clients to prompt the user for a new password.
See raddb/eap.conf, mschapv2 section, "send_error".
> As Alan said, this seemed like windows was caching the bad credentials.
> But, the logs states a different message. After the first "access denied",
> each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> Im not saying there's a freeradius fault, it can be windows fault or just
> windows not following the RFC(wouldnt be the first time).
I already said who to blame: That failure message is being sent by
the Windows machine. FreeRADIUS just logs it.
Don't blame the messenger.
> Aparently windows is sending a EAP-Response/MSCHAP_Failure where it should
> send a EAP-Failure/MSCHAP_Failure (to acknowlage the previous sent
> EAP-Request/Failure, acording to RFC 'Appendix A - Examples')
> Should send a EAP-Response/MSCHAP_Response since it is actually retrying the
> One possibility is that the new "send_error" option is missleading windows.
> According to RFC 'Appendix A - Examples', a "retry" flag in order to tell
> windows to try again.
FreeRADIUS sets the retry flag.
> Since my knowledge of the freeradius souce code is very basic, i couldnt
> figure out exactly if this is happening.
You're wasting your time by looking at FreeRADIUS.
The Windows box is prompting multiple times for the password. This is
because the *WINDOWS BOX* is prompting multiple times for the password.
It has nothing to do with FreeRADIUS. No amount of poking FreeRADIUS
will fix it.
More information about the Freeradius-Users