MS-CHAP-V2 allow_retry on ldap authentification
Phil Mayers
p.mayers at imperial.ac.uk
Tue Oct 23 10:59:30 CEST 2012
On 10/22/2012 09:13 AM, Daniel Ekman wrote:
> Hi list,
>
> I have a fairly large user base doing WPA2-enterprise from various
> OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
> authenticating via LDAP and things are running pretty well, only snag
> I have currently with this is when people change their password. I
Change their password where? Elsewhere, right? So, you want to prompt
the clients to enter a new password, because the user has changed
passwords on the server.
> in the latest version allow_retry and retry_msg in the mschap module
> was implemented and this works great on my mac and linux userbase,
> however it does not work for the windows users, the FreeRADIUS server
> is still sending the same things to the user but for some reason there
> is no popup telling the user to change their password so here is my
> actual question, is this supposed to work? should the windows users
> also get the popup saying "please change password"?
Your terminiology is confusing. Do you mean "change password" or
"re-enter your password". Because the two are very, very different.
To be honest, your email is sort of vague and specific at the same time,
if that makes any sense - there's some LDAP, some different set of
accounts, something else...
I've got no idea if Windows can even behave the way you want
>
> judging from what some threads say like this for example
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
That message predates major changes to the PEAP and EAP-MSCHAPv2 modules
to support password *change* (see why I said it was confusing?). So I'd
be cautious about reading too much into it.
> seems to indicate there are problems but it also sounds like there is
> a solution.
>
> I have also tried adding the send_error setting in eap.conf but that
> only broke things like I read somewhere it would.
...vague much?
Seriously: "radiusd -X"
If I have time today, I'll try to resurrect our "for comparison" NPS
server and see what Microsoft do. It's possible you just can't prompt
Windows in the way you want.
More information about the Freeradius-Users
mailing list