Password-Retry attribute

Morris, Andi amorris at cardiffmet.ac.uk
Thu Feb 16 10:35:27 CET 2012


Hi all,
I'm trying to configure my FreeRADIUS server to prompt the user to retype their credentials if they mistype the username or password, so that they can be authenticated via dot1x.

I've checked my virtual server post-auth and found:
post-auth {
        exec
        packetfence
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

So I then looked inside attr_filter.access_reject and added the Password-Retry attribute as below:

DEFAULT
        EAP-Message =* ANY,
        State =* ANY,
        Message-Authenticator =* ANY,
        Reply-Message =* ANY,
        MS-CHAP-Error =* ANY,
        Proxy-State =* ANY,
        Password-Retry :=3

However, when I force my test Windows 7 client to fail using a bad password, I'm not reprompted to enter a new password at all.

When running a debug I see the Password-Retry attribute being sent in the Access-Reject section.

The following results are the debug output:

.
rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=169, length=308
        User-Name = "sm18818"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        EAP-Message = 0x0208006b19001703010060f87a45874abccfef74c9674f4dcc93d9f804ecc7db489bfa2205e4a5c2f691543d9de8c31c0c84fb2da83121280190827555f2e2cb16784fabf62a775b6caca028e7a56405a8c7e64d0e3855a75615e2275ce7a40ace04929dbbf623562650c3
        Message-Authenticator = 0xd7a475900d0efb6a752d8c59da3f6dc6
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        State = 0xd8956e82de9d77cd0f3a27e6f3c50521
        NAS-IP-Address = 10.1.1.21
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138
server packetfence {
[peap] Setting User-Name to sm18818
Sending tunneled request
        EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "sm18818"
        State = 0x7642bbe8764aa17935847ca964c2e70f
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        NAS-IP-Address = 10.1.1.21
server packetfence-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: sm18818
[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap]        expand: %{User-Name:-None} -> sm18818
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=sm18818
[mschap]  mschap2: c7
[mschap] Creating challenge hash with username: sm18818
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e8c9f13e6c1cd2a3
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 169 to 10.1.1.21 port 1645
        EAP-Message = 0x0109002b1900170301002046a93765d835a4d9441c538ef7abcb1ef20e14d69d31cd9afbf8bd34f017fb64
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd8956e82df9c77cd0f3a27e6f3c50521
Finished request 7.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=170, length=244
        User-Name = "sm18818"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        EAP-Message = 0x0209002b19001703010020d6f77af2663bc82ac052d9afb815c2b900be28fa33360b6f6ce08326d867b3cc
        Message-Authenticator = 0xa004edde5ec362abceec91909403265a
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        State = 0xd8956e82df9c77cd0f3a27e6f3c50521
        NAS-IP-Address = 10.1.1.21
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sm18818
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 170 to 10.1.1.21 port 1645
        Password-Retry := 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.



Is there somewhere else I need to enable this attribute?  Does it need adding to the dictionary on the client?

Cheers,
Andi
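
Added example (not part of the original message and not FreeRADIUS code): a small Python decoder for two things visible in the debug output above, the EAP header of each packet the server sends and the MS-CHAP-Error string. Field meanings follow RFC 3748 and RFC 2759; the function names are hypothetical, and the sample lines are copied from the quoted debug output.

```python
import re
import struct

# EAP codes/types per RFC 3748; MS-CHAPv2 failure codes per RFC 2759, section 6.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# Excerpt of the debug output quoted in the message (values copied from it).
SAMPLE = r'''
        MS-CHAP-Error = "\010E=691 R=1"
Sending Access-Challenge of id 169 to 10.1.1.21 port 1645
        EAP-Message = 0x0109002b1900170301002046a93765d835a4d9441c538ef7abcb1ef20e14d69d31cd9afbf8bd34f017fb64
Sending Access-Reject of id 170 to 10.1.1.21 port 1645
        Password-Retry := 3
        EAP-Message = 0x04090004
'''

def decode_eap(hex_value):
    """Decode the EAP header (and type byte, if any) of a 0x... EAP-Message."""
    raw = bytes.fromhex(hex_value[2:])
    code, ident, length = struct.unpack("!BBH", raw[:4])  # raises if under 4 bytes
    # Only Request/Response carry a type byte; Success/Failure are header-only.
    eap_type = raw[4] if code in (1, 2) and len(raw) > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "type": EAP_TYPES.get(eap_type, eap_type)}

def parse_mschap_error(value):
    """Extract the E= error code and R= retry flag from an MS-CHAP-Error string."""
    # The lookbehind skips letters, so the octal-escaped ident byte (\010) is tolerated.
    fields = dict(re.findall(r"(?<![A-Za-z])([ER])=(\d+)", value))
    code = int(fields["E"])  # KeyError if the string has no E= field
    return {"error": MSCHAP_ERRORS.get(code, code), "retry_allowed": fields.get("R") == "1"}

def sent_packets(debug_text):
    """Pair each 'Sending Access-...' line with the EAP header it carries."""
    out, current = [], None
    for line in debug_text.splitlines():
        sent = re.match(r"Sending (Access-\w+) of id", line)
        eap = re.match(r"\s+EAP-Message = (0x[0-9a-fA-F]+)", line)
        if sent:
            current = sent.group(1)
        elif eap and current:
            out.append((current, decode_eap(eap.group(1))))
            current = None  # later EAP-Message lines of this packet are fragments
        elif not line[:1].isspace():
            current = None  # any other unindented line ends the attribute list
    return out
```

On the quoted output this reports E=691 (ERROR_AUTHENTICATION_FAILURE) with R=1 in the tunneled reply, and shows that the Access-Reject carrying Password-Retry wraps an EAP Failure with id 9.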