Sending Access-Challenge instead of Access-Accept using MS-CHAPv2
Lasse Odden
lasse.odden at gmail.com
Mon Mar 13 14:47:18 CET 2017
I tried to add the same MS-CHAP2-Success attribute in the Access-Accept
that the mschap modules sendt in the first authentication process where I
had replaced the Access-Accept with an Access-Challengeand, and this
worked.
So I guess I can save the attribute and then send it again if the passcode
is verified, but this does not seem like a very good solution.
But on the other hand, the encryption of the users passwords are needed.
Do you see any other clever way to solve this?
On Mon, Mar 13, 2017 at 1:48 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Mar 13, 2017, at 7:31 AM, Lasse Odden <lasse.odden at gmail.com> wrote:
> > This is the response I got from Cisco:
> >
> > _________________
> >
> > Thank you for the very detailed instructions. I was able to reproduce the
> > issue and I believe that freeradius is violating rfc2548 section 2.3.3:
>
> So... you configured the server to send Ms-Chap-Challenge in an
> Access-Challenge packet.
>
> FreeRADIUS largely does what you tell it to do.
>
> > Do you have any suggestion or answer to Cisco?
>
> What you're trying to do is impossible. Don't do it.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
More information about the Freeradius-Users
mailing list