Password-Retry attribute

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 16 10:49:49 CET 2012


On 02/16/2012 09:35 AM, Morris, Andi wrote:
> Hi all,
>
> I’m trying to configure my freeradius server to prompt the user to
> retype their credentials if they mistype the username or password so
> that they can be authenticated via dot1x.

Does your NAS support this attribute? You are sending it just fine:

>
> Sending Access-Reject of id 170 to 10.1.1.21 port 1645
>   Password-Retry := 3
>   EAP-Message = 0x04090004
>   Message-Authenticator = 0x00000000000000000000000000000000
>
> Waking up in 2.9 seconds.
>
> Is there somewhere else I need to enable this attribute? Does it need
> adding to the dictionary on the client?

What do you mean by "client" here?

"Client" is normally used to refer to the 802.1x supplicant (e.g. PC, 
laptop, mobile device, etc.). These devices don't speak RADIUS, so won't 
see any attributes you send.

The switch or access point is usually referred to as the NAS. The NAS does 
speak RADIUS, but must support any attributes you want to send it.

I've never seen this attribute before, and don't quite know what you 
expect it to do. RFC 2869 indicates it is intended to specify "how many 
authentication attempts a client is permitted before disconnection" 
which is not really in the spirit of RADIUS; Access-Reject MEANS 
"disconnect".

tl;dr - I don't think this attribute will work for you.

802.1x NAS devices usually have various retry / lockout counters you can 
configure via the GUI/CLI. These are probably what you want.
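What the NAS actually receives for the Access-Reject in the log above, as an added example (it is not part of the post and not FreeRADIUS code): the packet is encoded from the same three attributes, with Message-Authenticator (RFC 3579 §3.2) and the Response Authenticator (RFC 2865 §3) computed the way a server would, then decoded and verified the way a NAS would. It shows that Password-Retry is just an ordinary integer AVP (type 75) that a NAS is free to ignore after it has acted on the reject. The shared secret and the Request Authenticator of the preceding Access-Request are constructed for the example.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3            # RFC 2865 §3, Code
PASSWORD_RETRY = 75          # RFC 2869 §5.18, integer
EAP_MESSAGE = 79             # RFC 2869 §5.13, string
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 §5.14, 16-octet HMAC-MD5

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

# Constructed for this example (not from the post): the shared secret and the
# Request Authenticator of the Access-Request that this reject answers.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))


def avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 §5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_reject(ident, request_auth, secret, attrs):
    """Encode an Access-Reject carrying attrs, followed by Message-Authenticator."""
    body = b"".join(avp(t, v) for t, v in attrs)
    ma_offset = len(body) + 2                 # value field of the MA AVP
    body += avp(MESSAGE_AUTHENTICATOR, bytes(16))
    length = HEADER.size + len(body)
    # HMAC-MD5 over the packet with the Request Authenticator in the header
    # and the Message-Authenticator value zero-filled (RFC 3579 §3.2).
    hdr = HEADER.pack(ACCESS_REJECT, ident, length, request_auth)
    ma = hmac.new(secret, hdr + body, hashlib.md5).digest()
    body = body[:ma_offset] + ma + body[ma_offset + 16:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(hdr + body + secret).digest()
    return HEADER.pack(ACCESS_REJECT, ident, length, resp_auth) + body


def decode(packet):
    """Parse header and attribute list; returns (code, id, authenticator, [(type, value)])."""
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length != len(packet) or length < HEADER.size:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], HEADER.size
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, auth, attrs


def verify_response(packet, request_auth, secret):
    """NAS-side check: both authenticators must hold; MA is mandatory for EAP."""
    code, ident, auth, _ = decode(packet)
    hdr = HEADER.pack(code, ident, len(packet), request_auth)
    expected = hashlib.md5(hdr + packet[HEADER.size:] + secret).digest()
    if not hmac.compare_digest(auth, expected):
        return False
    pos = HEADER.size
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if t == MESSAGE_AUTHENTICATOR and l == 18:
            zeroed = bytearray(packet)
            zeroed[4:20] = request_auth
            zeroed[pos + 2:pos + 18] = bytes(16)
            ma = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], ma)
        pos += l
    return False


def reject_packet():
    """The reply from the log: id 170, Password-Retry 3, EAP-Message = EAP Failure."""
    return build_access_reject(170, REQUEST_AUTH, SECRET, [
        (PASSWORD_RETRY, struct.pack("!I", 3)),
        (EAP_MESSAGE, bytes.fromhex("04090004")),
    ])


def password_retry(packet):
    """Return the Password-Retry value, or None if the attribute is absent."""
    for t, v in decode(packet)[3]:
        if t == PASSWORD_RETRY and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


if __name__ == "__main__":
    pkt = reject_packet()
    print(pkt.hex())
    print("Password-Retry =", password_retry(pkt),
          "verified =", verify_response(pkt, REQUEST_AUTH, SECRET))
```

Whether the NAS does anything with the decoded value is entirely up to its firmware; the packet is still a Code 3 reject, which is why the switch tears the session down regardless of the attribute.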
