Windows 7 prompting several times

Morris, Andi amorris at cardiffmet.ac.uk
Wed Apr 11 16:52:15 CEST 2012


Just to update anyone else with this issue, we have found the cause of the problem on our network was indeed the Cisco config.  

On our wireless controller we used the command below and the re-request no longer appears.  I'm still playing with the timeouts for the catalyst switches for the correct timeout for these, but at least we know definitively where the problem lay.

config advanced eap identity-request-timeout 15

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Morris, Andi
Sent: 03 April 2012 16:46
To: FreeRadius users mailing list
Subject: RE: Windows 7 prompting several times

Apologies for keeping this going on the freeradius list when it is nothing to do with it, but has anyone seen this behaviour on anything but a Windows supplicant?  I'm trying to debug whether it's a supplicant or NAS issue.

As Alan has said, this is not a freeradius issue.  I see the same symptoms on another network that we have, which uses Microsoft IAS.  The only common ground is the OS and the Cisco authenticator (three different models: catalyst 2950, WLC4400 and WLC5500).  Microsoft have analysed trace logs I have given them and pointed the finger at the NAS, but as I only see this on Windows supplicants I'm not so sure.

If there is a more appropriate list to move this to then I will happily oblige to avoid the noise on the FR list.

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 03 April 2012 16:28
To: FreeRadius users mailing list
Subject: Re: Windows 7 prompting several times

jaimeventura wrote:
> Now, if the user enters wrong credentials, Windows prompts for 
> credentials again with a message stating that the user credentials are 
> invalid. The problem is that if the user now types the correct 
> credential, the access will still be denied. After the third retry, 
> Windows gives up on asking and the user must click on the wireless 
> network icon, to start the login process again.

  See the ChangeLog for 2.1.11:

        * Make retry and error message configurable in mschap.
          See raddb/modules/mschap
        * Allow EAP-MSCHAPv2 to send error message to client.  This
          change allows some clients to prompt the user for a new
          password.
          See raddb/eap.conf, mschapv2 section, "send_error".


> As Alan said, this seemed like Windows was caching the bad credentials.
> But, the logs state a different message. After the first "access 
> denied", each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> I'm not saying there's a FreeRADIUS fault, it can be Windows' fault or 
> just Windows not following the RFC (wouldn't be the first time).

  I already said who to blame:  That failure message is being sent by the Windows machine.  FreeRADIUS just logs it.

  Don't blame the messenger.

> Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it 
> should send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously 
> sent EAP-Request/Failure, according to RFC 'Appendix A - Examples')

  Yes.

> Or
> Should send an EAP-Response/MSCHAP_Response since it is actually 
> retrying the authentication.

  Possibly.

> One possibility is that the new "send_error" option is misleading Windows.
> According to  RFC 'Appendix A - Examples', a "retry" flag in order to 
> tell Windows to try again.

  FreeRADIUS sets the retry flag.

> Since my knowledge of the FreeRADIUS source code is very basic, I 
> couldn't figure out exactly if this is happening.

  You're wasting your time by looking at FreeRADIUS.

  The Windows box is prompting multiple times for the password.  This is because the *WINDOWS BOX* is prompting multiple times for the password.

  It has nothing to do with FreeRADIUS.  No amount of poking FreeRADIUS will fix it.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
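
Added example, not part of the thread and not FreeRADIUS code: when debugging the exchange discussed above from a packet capture, it helps to decode the MS-CHAPv2 failure string the server sends (the "E= R= C= V= M=" layout from RFC 2759, where R is the retry flag) and compare it with the OpCode in the supplicant's next EAP-Response. The function names and the sample string are constructed for illustration; the OpCode values are assumed from the EAP-MSCHAPv2 draft.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}
# EAP-MSCHAPv2 OpCodes a peer can place in an EAP-Response (assumed from the draft).
OP_RESPONSE, OP_FAILURE, OP_CHANGE_PASSWORD = 2, 4, 7

_FAILURE_RE = re.compile(
    r"E=(\d{1,10}) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d{1,10})(?: M=(.*))?\Z",
    re.S,
)

def parse_failure_message(text):
    """Decode the text carried in an MS-CHAPv2 Failure packet."""
    m = _FAILURE_RE.match(text)
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure message: %r" % text)
    code = int(m.group(1))
    return {
        "error": code,
        "error_name": MSCHAP_ERRORS.get(code, "unknown"),
        "retry": m.group(2) == "1",               # R=1: peer may try again
        "challenge": bytes.fromhex(m.group(3)),   # new 16-octet challenge
        "version": int(m.group(4)),
        "message": m.group(5) or "",
    }

def classify_peer_reply(failure, peer_opcode):
    """Label the supplicant's next EAP-Response given the failure it received."""
    if peer_opcode == OP_FAILURE:
        return "ack-failure"          # peer gave up; no retry in this conversation
    if peer_opcode == OP_RESPONSE:
        return "retry" if failure["retry"] else "retry-not-allowed"
    if peer_opcode == OP_CHANGE_PASSWORD:
        return "change-password" if failure["error"] == 648 else "change-not-offered"
    return "unexpected-opcode"

# Constructed sample, not taken from the thread's logs.
SAMPLE = "E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed"
```

An "ack-failure" result after an R=1 failure means the supplicant ended the conversation itself instead of sending a fresh response, so a second password prompt comes from a new authentication attempt rather than an in-band retry.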