Password-Retry attribute

Morris, Andi amorris at cardiffmet.ac.uk
Thu Feb 16 10:57:31 CET 2012


Thanks Phil that's helpful.

I want my users to be prompted to re-enter the password if they enter it wrong up to a certain number of times, so it may well be I need to look at my Cisco switch, or maybe the Packetfence Network Access Controller to provide this ability.

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 16 February 2012 09:50
To: freeradius-users at lists.freeradius.org
Subject: Re: Password-Retry attribute

On 02/16/2012 09:35 AM, Morris, Andi wrote:
> Hi all,
>
> I'm trying to configure my freeradius server to prompt the user to
> retype their credentials if they mistype the username or password so
> that they can be authenticated via dot1x.

Does your NAS support this attribute? You are sending it just fine:

>
> Sending Access-Reject of id 170 to 10.1.1.21 port 1645
>   Password-Retry := 3
>   EAP-Message = 0x04090004
>   Message-Authenticator = 0x00000000000000000000000000000000
>
> Waking up in 2.9 seconds.
>
> Is there somewhere else I need to enable this attribute? Does it need
> adding to the dictionary on the client?

What do you mean by "client" here?

"Client" is normally used to refer to the 802.1x supplicant (e.g. PC, laptop, mobile device, etc.). These devices don't speak radius, so won't see any attributes you send.

The switch/access point are usually referred to as the NAS. The NAS does speak radius, but must support any attributes you want to send it.

I've never seen this attribute before, and don't quite know what you expect it to do. RFC 2869 indicates it is intended to specify "how many authentication attempts a client is permitted before disconnection"
which is not really in the spirit of RADIUS; Access-Reject MEANS "disconnect".

tl;dr - I don't think this attribute will work for you.

802.1x NAS devices usually have various retry / lockout counters you can configure via the GUI/CLI. These are probably what you want.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
________________________________

From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here: <http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
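The exchange above turns on two points: Password-Retry is just an integer attribute (type 75 in RFC 2869) that FreeRADIUS puts into the Access-Reject, and whether anything happens with it depends entirely on the NAS recognising that type. The script below is an added illustration, not code from the thread, from FreeRADIUS or from Cisco: it rebuilds the Access-Reject the debug output shows (id 170, Password-Retry 3, EAP-Message 0x04090004) with a Message-Authenticator and Response Authenticator, then decodes and verifies it the way a NAS would before acting on it. The shared secret and the Access-Request authenticator are constructed values, since neither appears in the thread.

```python
import hashlib
import hmac
import struct

# Attribute type codes (RFC 2869) and the Access-Reject packet code (RFC 2865).
PASSWORD_RETRY = 75          # integer, "MAY be included in an Access-Reject"
EAP_MESSAGE = 79             # string, carries an EAP packet
MESSAGE_AUTHENTICATOR = 80   # 16-octet HMAC-MD5, mandatory alongside EAP-Message
ACCESS_REJECT = 3

# Constructed values: the thread shows neither the shared secret nor the request authenticator.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))  # stands in for the Access-Request's 16-byte authenticator


def encode_avps(avps):
    """Encode (type, value) pairs as RADIUS TLVs: Type(1) Length(1) Value."""
    out = bytearray()
    for typ, value in avps:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return bytes(out)


def decode_avps(body):
    """Parse the attribute area, rejecting truncated or inconsistent lengths."""
    avps, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        typ, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("bad attribute length")
        avps.append((typ, body[i + 2:i + length]))
        i += length
    return avps


def build_access_reject(ident, avps, secret, request_auth):
    """Build an Access-Reject as the server does: HMAC first, then the Response Authenticator."""
    avps = list(avps) + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # zeroed while the HMAC is computed
    body = encode_avps(avps)
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac  # Message-Authenticator is the last attribute appended
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(packet, secret, request_auth):
    """Check both authenticators like a NAS; return parsed fields, or None if the reply is not trustworthy."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(resp_auth, hashlib.md5(header + request_auth + body + secret).digest()):
        return None
    avps = decode_avps(body)
    zeroed, i, seen_ma = bytearray(body), 0, None
    for typ, value in avps:
        if typ == MESSAGE_AUTHENTICATOR:
            seen_ma = value
            zeroed[i + 2:i + 18] = bytes(16)  # zero it in place before recomputing the HMAC
        i += len(value) + 2
    if seen_ma is None:
        return None
    expected = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(seen_ma, expected):
        return None
    return {"code": code, "id": ident, "avps": avps}


def summarize(fields):
    """Reduce the verified attributes to what a NAS that understands type 75 would act on."""
    out = {"access_reject": fields["code"] == ACCESS_REJECT}
    for typ, value in fields["avps"]:
        if typ == PASSWORD_RETRY:
            out["password_retry"] = struct.unpack("!I", value)[0]
        elif typ == EAP_MESSAGE:
            eap_code, eap_id, eap_len = struct.unpack("!BBH", value[:4])
            out["eap"] = {"code": eap_code, "id": eap_id, "length": eap_len, "failure": eap_code == 4}
    return out


def example_reject():
    """The reply from the thread: id 170, Password-Retry := 3, EAP-Message = 0x04090004 (EAP Failure, id 9)."""
    avps = [(PASSWORD_RETRY, struct.pack("!I", 3)), (EAP_MESSAGE, bytes.fromhex("04090004"))]
    return build_access_reject(170, avps, SHARED_SECRET, REQUEST_AUTHENTICATOR)


if __name__ == "__main__":
    pkt = example_reject()
    print(summarize(verify_reply(pkt, SHARED_SECRET, REQUEST_AUTHENTICATOR)))
    print(verify_reply(pkt, b"wrong-secret", REQUEST_AUTHENTICATOR))  # None: wrong secret
```

A NAS that has no entry for type 75 skips the attribute (unknown attributes are ignored by design) and still treats the packet as what the code says it is, a reject that ends the session; the EAP Failure inside the EAP-Message is what the switch relays to the supplicant. Verifying both authenticators with the shared secret before trusting any attribute is the behaviour to expect from a correct NAS, and it is why a mis-configured secret shows up as silently dropped replies rather than as a changed retry count.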



