Windows 7 prompting several times

Alan DeKok aland at deployingradius.com
Tue Apr 3 17:27:59 CEST 2012


jaimeventura wrote:
> Now, if the user enters wrong credentials, Windows prompts for credentials
> again with a message stating that the user credentials are invalid. The
> problem is that if the user now types the correct credential, the access
> will still be denied. After the third retry, Windows gives up on asking and
> the user must click on the wireless network icon to start the login process
> again.

  See the ChangeLog for 2.1.11:

	* Make retry and error message configurable in mschap.
	  See raddb/modules/mschap
	* Allow EAP-MSCHAPv2 to send error message to client.  This
	  change allows some clients to prompt the user for a new
	  password.
	  See raddb/eap.conf, mschapv2 section, "send_error".


> As Alan said, this seemed like Windows was caching the bad credentials.
> But the logs state a different message. After the first "access denied",
> each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> I'm not saying there's a FreeRADIUS fault, it can be Windows' fault or just
> Windows not following the RFC (wouldn't be the first time).

  I already said who to blame:  That failure message is being sent by
the Windows machine.  FreeRADIUS just logs it.

  Don't blame the messenger.

> Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it should
> send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously sent
> EAP-Request/Failure, according to RFC 'Appendix A - Examples')

  Yes.

> Or  
> Should send a EAP-Response/MSCHAP_Response since it is actually retrying the
> authentication.

  Possibly.

> One possibility is that the new "send_error" option is misleading Windows.
> According to RFC 'Appendix A - Examples', a "retry" flag in order to tell
> Windows to try again.

  FreeRADIUS sets the retry flag.

> Since my knowledge of the FreeRADIUS source code is very basic, I couldn't
> figure out exactly if this is happening.

  You're wasting your time by looking at FreeRADIUS.

  The Windows box is prompting multiple times for the password.  This is
because the *WINDOWS BOX* is prompting multiple times for the password.

  It has nothing to do with FreeRADIUS.  No amount of poking FreeRADIUS
will fix it.

  Alan DeKok.
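
Added example, not part of the original message and not FreeRADIUS code: when chasing a retry loop like this one in a capture or debug log, decoding the MS-CHAPv2 failure string shows whether the server actually set the retry flag. The field layout and error codes follow RFC 2759 section 6; the function names are hypothetical and the sample message in the comment is constructed.

```python
import re

# Error codes RFC 2759 (section 6) defines for the MS-CHAPv2 Failure packet.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>".
# E and V need not be padded to 10 digits. Treating M as optional is a
# tolerance chosen for this example, not something the RFC states.
FAILURE_RE = re.compile(
    r"^E=(?P<E>\d{1,10}) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32})"
    r" V=(?P<V>\d{1,10})(?: M=(?P<M>.*))?$",
    re.DOTALL,
)

def parse_failure(message: bytes) -> dict:
    """Parse the Message field of an MS-CHAPv2 Failure packet."""
    text = message.decode("ascii", errors="replace")
    m = FAILURE_RE.match(text)
    if m is None:
        raise ValueError("not an RFC 2759 failure message: %r" % text)
    code = int(m["E"])
    return {
        "error": code,
        "error_name": ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": m["R"] == "1",       # R=1: peer may re-prompt and resubmit
        "challenge": bytes.fromhex(m["C"]),   # fresh 16-byte challenge for the retry
        "version": int(m["V"]),               # SHOULD be 3 for MS-CHAPv2
        "text": m["M"] or "",
    }

def describe(message: bytes) -> str:
    """One-line summary suitable for annotating a capture or debug log."""
    f = parse_failure(message)
    action = "retry allowed" if f["retry_allowed"] else "no retry allowed"
    return "%s (E=%d) R=%d: %s" % (
        f["error_name"], f["error"], int(f["retry_allowed"]), action)

# Constructed sample:
# describe(b"E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed")
```

If the decoded string shows `R=1` and the client still answers with a failure instead of a new response, the server side has done its part and the behaviour to investigate is the supplicant's.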

