Windows 7 prompting several times
amorris at cardiffmet.ac.uk
Tue Apr 3 17:46:03 CEST 2012
Apologies for keeping this going on the freeradius list when it is nothing to do with it, but has anyone seen this behaviour on anything but a Windows supplicant? I'm trying to debug whether it's a supplicant or NAS issue.
As Alan has said, this is not a freeradius issue. I see the same symptoms on another network that we have, which uses Microsoft IAS. The only common ground is the OS and the Cisco authenticator (three different models: catalyst 2950, WLC4400 and WLC5500). Microsoft have analysed trace logs I have given them and pointed the finger at the NAS, but as I only see this on Windows supplicants I'm not so sure.
If there is a more appropriate list to move this to then I will happily oblige to avoid the noise on the FR list.
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 03 April 2012 16:28
To: FreeRadius users mailing list
Subject: Re: Windows 7 prompting several times
> Now, if the user enters wrong credentials, windows prompts for
> credentials again with a message stating that the user credentials are
> invalid. The problem is that if the user now types the correct
> credential, the access will still be denied. After the third retry,
> windows gives up on asking and the user must click on the wireless
> network icon, to start the login process again.
See the ChangeLog for 2.1.11:
* Make retry and error message configurable in mschap.
* Allow EAP-MSCHAPv2 to send error message to client. This
allows some clients to prompt the user for a new password.
See raddb/eap.conf, mschapv2 section, "send_error".
> As Alan said, this seemed like windows was caching the bad credentials.
> But, the logs states a different message. After the first "access
> denied", each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> Im not saying there's a freeradius fault, it can be windows fault or
> just windows not following the RFC(wouldnt be the first time).
I already said who to blame: That failure message is being sent by the Windows machine. FreeRADIUS just logs it.
Don't blame the messenger.
> Aparently windows is sending a EAP-Response/MSCHAP_Failure where it
> should send a EAP-Failure/MSCHAP_Failure (to acknowlage the previous
> sent EAP-Request/Failure, acording to RFC 'Appendix A - Examples')
> Should send a EAP-Response/MSCHAP_Response since it is actually
> retrying the authentication.
> One possibility is that the new "send_error" option is missleading windows.
> According to RFC 'Appendix A - Examples', a "retry" flag in order to
> tell windows to try again.
FreeRADIUS sets the retry flag.
> Since my knowledge of the freeradius souce code is very basic, i
> couldnt figure out exactly if this is happening.
You're wasting your time by looking at FreeRADIUS.
The Windows box is prompting multiple times for the password. This is because the *WINDOWS BOX* is prompting multiple times for the password.
It has nothing to do with FreeRADIUS. No amount of poking FreeRADIUS will fix it.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
More information about the Freeradius-Users