eduroam howto help with the wrong password scenario
Alan DeKok
aland at deployingradius.com
Fri Apr 20 14:54:21 CEST 2018
On Apr 20, 2018, at 8:34 AM, Francesco Malvezzi <francesco.malvezzi at unimore.it> wrote:
> Still, I have a problem. Following the howto with the files setup, I can
> handle the happy path result (user with correct password). Everything works.
That's good.
> If I modify the ~/eapol_test/peap-mschapv2.conf file with:
>
> password="iamthewrongpassword"
>
> the request fails after a while, like the server would give the client a
> second try:
>
> eapol logs:
> [...]
> EAP-MSCHAPV2: password changing protocol version 3
> EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed,
> error 691)
> EAPOL: EAP parameter needed
> [...]
> and it takes 30 secs to issue the "FAILURE" line.
Then you edited your configuration and broke something. The default configuration does *not* do password changes over MSCHAP. The default configuration does *not* wait 30 seconds to reject a user.
Edit the "mschap" module configuration, and disable password changes.
> Why am I missing the:
> linelog_send_reject
> from my logs?
I have no idea. Is it supposed to be there? Why?
> If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log
> line (when password is wrong). And the client takes only one sec to tell
> me there is a failure.
>
> What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch),
You're not describing what you want to do. Therefore we have no idea what you're doing wrong, if anything.
Alan DeKok.
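
Added example, not part of the original post or of FreeRADIUS or wpa_supplicant: the eapol_test lines quoted above ("retry allowed, error 691", "password changing protocol version 3") are the supplicant's reading of the MS-CHAPv2 failure string defined in RFC 2759, section 6. This Python sketch parses that string; the sample value, the function names and the action labels are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Error codes from RFC 2759, section 6 (Failure packet).
ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
          648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
          691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}

# RFC 2759 layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>".
# C, V and M are treated as optional here (a choice made by this example).
_FAILURE = re.compile(
    r"E=(?P<e>\d{1,10}) R=(?P<r>[01])"
    r"(?: C=(?P<c>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<v>\d{1,10}))?"
    r"(?: M=(?P<m>.*))?", re.S)

@dataclass
class MschapFailure:
    error: int
    error_name: str
    retry_allowed: bool          # R=1: the peer may try again
    challenge: bytes             # C=: new 16-byte challenge for a retry
    pw_change_version: int       # V=: password changing protocol version
    message: str                 # M=: human-readable text

def parse_failure(text: str) -> MschapFailure:
    m = _FAILURE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure string")
    code = int(m["e"])
    return MschapFailure(
        error=code,
        error_name=ERRORS.get(code, "UNKNOWN"),
        retry_allowed=(m["r"] == "1"),
        challenge=bytes.fromhex(m["c"]) if m["c"] else b"",
        pw_change_version=int(m["v"]) if m["v"] else 0,
        message=m["m"] or "")

def client_action(f: MschapFailure) -> str:
    """Hypothetical labels for what a peer can do with this failure."""
    if f.error == 648 and f.pw_change_version >= 3:
        return "change-password"
    if f.error == 691 and f.retry_allowed:
        return "retry"           # peer needs a new password before it can go on
    return "fail"

# Constructed sample matching the fields shown in the quoted eapol_test log.
SAMPLE = "E=691 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Authentication rejected"

if __name__ == "__main__":
    print(parse_failure(SAMPLE), client_action(parse_failure(SAMPLE)))
```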