<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style>
<!--
@font-face
{font-family:Calibri}
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif"}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline}
p.msochpdefault, li.msochpdefault, div.msochpdefault
{margin-right:0cm;
margin-left:0cm;
font-size:12.0pt;
font-family:"Calibri","sans-serif"}
span.emailstyle17
{font-family:"Calibri","sans-serif";
color:windowtext}
span.EmailStyle19
{}
.MsoChpDefault
{font-size:10.0pt;
font-family:"Calibri","sans-serif"}
@page WordSection1
{margin:72.0pt 72.0pt 72.0pt 72.0pt}
div.WordSection1
{}
-->
</style>
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi all,</p>
<p class="MsoNormal">I’m trying to configure my freeradius server to prompt the user to retype their credentials if they mistype the username or password so that they can be authenticated via dot1x.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I’ve checked my virtual server post-auth and found:</p>
<p class="MsoNormal">post-auth {</p>
<p class="MsoNormal"> exec</p>
<p class="MsoNormal"> packetfence</p>
<p class="MsoNormal"> Post-Auth-Type REJECT {</p>
<p class="MsoNormal"> attr_filter.access_reject</p>
<p class="MsoNormal"> }</p>
<p class="MsoNormal">}</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">So then looked inside attr_filter.access_reject and added the Password-Retry attribute as below:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">DEFAULT</p>
<p class="MsoNormal"> EAP-Message =* ANY,</p>
<p class="MsoNormal"> State =* ANY,</p>
<p class="MsoNormal"> Message-Authenticator =* ANY,</p>
<p class="MsoNormal"> Reply-Message =* ANY,</p>
<p class="MsoNormal"> MS-CHAP-Error =* ANY,</p>
<p class="MsoNormal"> Proxy-State =* ANY,</p>
<p class="MsoNormal"> Password-Retry :=3</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">However when I force my test Windows 7 client to fail using a bad password I’m not reprompted to enter a new password at all.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">When running a debug I see the Password-Retry attribute being sent in the Access-Reject section.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The following results are the debug output:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">.</p>
<p class="MsoNormal">rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=169, length=308</p>
<p class="MsoNormal"> User-Name = "sm18818"</p>
<p class="MsoNormal"> Service-Type = Framed-User</p>
<p class="MsoNormal"> Framed-MTU = 1500</p>
<p class="MsoNormal"> Called-Station-Id = "00-09-E8-98-A0-02"</p>
<p class="MsoNormal"> Calling-Station-Id = "00-24-54-42-86-04"</p>
<p class="MsoNormal"> EAP-Message = 0x0208006b19001703010060f87a45874abccfef74c9674f4dcc93d9f804ecc7db489bfa2205e4a5c2f691543d9de8c31c0c84fb2da83121280190827555f2e2cb16784fabf62a775b6caca028e7a56405a8c7e64d0e3855a75615e2275ce7a40ace04929dbbf623562650c3</p>
<p class="MsoNormal"> Message-Authenticator = 0xd7a475900d0efb6a752d8c59da3f6dc6</p>
<p class="MsoNormal"> Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"</p>
<p class="MsoNormal"> NAS-Port-Type = Ethernet</p>
<p class="MsoNormal"> NAS-Port = 50002</p>
<p class="MsoNormal"> NAS-Port-Id = "FastEthernet0/2"</p>
<p class="MsoNormal"> State = 0xd8956e82de9d77cd0f3a27e6f3c50521</p>
<p class="MsoNormal"> NAS-IP-Address = 10.1.1.21</p>
<p class="MsoNormal">server packetfence {</p>
<p class="MsoNormal"># Executing section authorize from file /etc/raddb/sites-enabled/packetfence</p>
<p class="MsoNormal">+- entering group authorize {...}</p>
<p class="MsoNormal">[suffix] No '@' in User-Name = "sm18818", looking up realm NULL</p>
<p class="MsoNormal">[suffix] No such realm "NULL"</p>
<p class="MsoNormal">++[suffix] returns noop</p>
<p class="MsoNormal">++[preprocess] returns ok</p>
<p class="MsoNormal">[eap] EAP packet type response id 8 length 107</p>
<p class="MsoNormal">[eap] Continuing tunnel setup.</p>
<p class="MsoNormal">++[eap] returns ok</p>
<p class="MsoNormal">Found Auth-Type = EAP</p>
<p class="MsoNormal"># Executing group from file /etc/raddb/sites-enabled/packetfence</p>
<p class="MsoNormal">+- entering group authenticate {...}</p>
<p class="MsoNormal">[eap] Request found, released from the list</p>
<p class="MsoNormal">[eap] EAP/peap</p>
<p class="MsoNormal">[eap] processing type peap</p>
<p class="MsoNormal">[peap] processing EAP-TLS</p>
<p class="MsoNormal">[peap] eaptls_verify returned 7</p>
<p class="MsoNormal">[peap] Done initial handshake</p>
<p class="MsoNormal">[peap] eaptls_process returned 7</p>
<p class="MsoNormal">[peap] EAPTLS_OK</p>
<p class="MsoNormal">[peap] Session established. Decoding tunneled attributes.</p>
<p class="MsoNormal">[peap] Peap state phase2</p>
<p class="MsoNormal">[peap] EAP type mschapv2</p>
<p class="MsoNormal">[peap] Got tunneled request</p>
<p class="MsoNormal"> EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138</p>
<p class="MsoNormal">server packetfence {</p>
<p class="MsoNormal">[peap] Setting User-Name to sm18818</p>
<p class="MsoNormal">Sending tunneled request</p>
<p class="MsoNormal"> EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138</p>
<p class="MsoNormal"> FreeRADIUS-Proxied-To = 127.0.0.1</p>
<p class="MsoNormal"> User-Name = "sm18818"</p>
<p class="MsoNormal"> State = 0x7642bbe8764aa17935847ca964c2e70f</p>
<p class="MsoNormal"> Service-Type = Framed-User</p>
<p class="MsoNormal"> Framed-MTU = 1500</p>
<p class="MsoNormal"> Called-Station-Id = "00-09-E8-98-A0-02"</p>
<p class="MsoNormal"> Calling-Station-Id = "00-24-54-42-86-04"</p>
<p class="MsoNormal"> Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"</p>
<p class="MsoNormal"> NAS-Port-Type = Ethernet</p>
<p class="MsoNormal"> NAS-Port = 50002</p>
<p class="MsoNormal"> NAS-Port-Id = "FastEthernet0/2"</p>
<p class="MsoNormal"> NAS-IP-Address = 10.1.1.21</p>
<p class="MsoNormal">server packetfence-tunnel {</p>
<p class="MsoNormal"># Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel</p>
<p class="MsoNormal">+- entering group authorize {...}</p>
<p class="MsoNormal">[suffix] No '@' in User-Name = "sm18818", looking up realm NULL</p>
<p class="MsoNormal">[suffix] No such realm "NULL"</p>
<p class="MsoNormal">++[suffix] returns noop</p>
<p class="MsoNormal">[eap] EAP packet type response id 8 length 66</p>
<p class="MsoNormal">[eap] No EAP Start, assuming it's an on-going EAP conversation</p>
<p class="MsoNormal">++[eap] returns updated</p>
<p class="MsoNormal">++[files] returns noop</p>
<p class="MsoNormal">++[expiration] returns noop</p>
<p class="MsoNormal">++[logintime] returns noop</p>
<p class="MsoNormal">Found Auth-Type = EAP</p>
<p class="MsoNormal"># Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel</p>
<p class="MsoNormal">+- entering group authenticate {...}</p>
<p class="MsoNormal">[eap] Request found, released from the list</p>
<p class="MsoNormal">[eap] EAP/mschapv2</p>
<p class="MsoNormal">[eap] processing type mschapv2</p>
<p class="MsoNormal">[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel</p>
<p class="MsoNormal">[mschapv2] +- entering group MS-CHAP {...}</p>
<p class="MsoNormal">[mschap] Creating challenge hash with username: sm18818</p>
<p class="MsoNormal">[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password</p>
<p class="MsoNormal">[mschap] expand: %{Stripped-User-Name} -></p>
<p class="MsoNormal">[mschap] ... expanding second conditional</p>
<p class="MsoNormal">[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details</p>
<p class="MsoNormal">[mschap] expand: %{User-Name:-None} -> sm18818</p>
<p class="MsoNormal">[mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=sm18818</p>
<p class="MsoNormal">[mschap] mschap2: c7</p>
<p class="MsoNormal">[mschap] Creating challenge hash with username: sm18818</p>
<p class="MsoNormal">[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e8c9f13e6c1cd2a3</p>
<p class="MsoNormal">[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad</p>
<p class="MsoNormal">Exec-Program output: Logon failure (0xc000006d)</p>
<p class="MsoNormal">Exec-Program-Wait: plaintext: Logon failure (0xc000006d)</p>
<p class="MsoNormal">Exec-Program: returned: 1</p>
<p class="MsoNormal">[mschap] External script failed.</p>
<p class="MsoNormal">[mschap] FAILED: MS-CHAP2-Response is incorrect</p>
<p class="MsoNormal">++[mschap] returns reject</p>
<p class="MsoNormal">[eap] Freeing handler</p>
<p class="MsoNormal">++[eap] returns reject</p>
<p class="MsoNormal">Failed to authenticate the user.</p>
<p class="MsoNormal">} # server packetfence-tunnel</p>
<p class="MsoNormal">[peap] Got tunneled reply code 3</p>
<p class="MsoNormal"> MS-CHAP-Error = "\010E=691 R=1"</p>
<p class="MsoNormal"> EAP-Message = 0x04080004</p>
<p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p>
<p class="MsoNormal">[peap] Got tunneled reply RADIUS code 3</p>
<p class="MsoNormal"> MS-CHAP-Error = "\010E=691 R=1"</p>
<p class="MsoNormal"> EAP-Message = 0x04080004</p>
<p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p>
<p class="MsoNormal">[peap] Tunneled authentication was rejected.</p>
<p class="MsoNormal">[peap] FAILURE</p>
<p class="MsoNormal">++[eap] returns handled</p>
<p class="MsoNormal">} # server packetfence</p>
<p class="MsoNormal">Sending Access-Challenge of id 169 to 10.1.1.21 port 1645</p>
<p class="MsoNormal"> EAP-Message = 0x0109002b1900170301002046a93765d835a4d9441c538ef7abcb1ef20e14d69d31cd9afbf8bd34f017fb64</p>
<p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p>
<p class="MsoNormal"> State = 0xd8956e82df9c77cd0f3a27e6f3c50521</p>
<p class="MsoNormal">Finished request 7.</p>
<p class="MsoNormal">Going to the next request</p>
<p class="MsoNormal">Waking up in 3.9 seconds.</p>
<p class="MsoNormal">rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=170, length=244</p>
<p class="MsoNormal"> User-Name = "sm18818"</p>
<p class="MsoNormal"> Service-Type = Framed-User</p>
<p class="MsoNormal"> Framed-MTU = 1500</p>
<p class="MsoNormal"> Called-Station-Id = "00-09-E8-98-A0-02"</p>
<p class="MsoNormal"> Calling-Station-Id = "00-24-54-42-86-04"</p>
<p class="MsoNormal"> EAP-Message = 0x0209002b19001703010020d6f77af2663bc82ac052d9afb815c2b900be28fa33360b6f6ce08326d867b3cc</p>
<p class="MsoNormal"> Message-Authenticator = 0xa004edde5ec362abceec91909403265a</p>
<p class="MsoNormal"> Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"</p>
<p class="MsoNormal"> NAS-Port-Type = Ethernet</p>
<p class="MsoNormal"> NAS-Port = 50002</p>
<p class="MsoNormal"> NAS-Port-Id = "FastEthernet0/2"</p>
<p class="MsoNormal"> State = 0xd8956e82df9c77cd0f3a27e6f3c50521</p>
<p class="MsoNormal"> NAS-IP-Address = 10.1.1.21</p>
<p class="MsoNormal">server packetfence {</p>
<p class="MsoNormal"># Executing section authorize from file /etc/raddb/sites-enabled/packetfence</p>
<p class="MsoNormal">+- entering group authorize {...}</p>
<p class="MsoNormal">[suffix] No '@' in User-Name = "sm18818", looking up realm NULL</p>
<p class="MsoNormal">[suffix] No such realm "NULL"</p>
<p class="MsoNormal">++[suffix] returns noop</p>
<p class="MsoNormal">++[preprocess] returns ok</p>
<p class="MsoNormal">[eap] EAP packet type response id 9 length 43</p>
<p class="MsoNormal">[eap] Continuing tunnel setup.</p>
<p class="MsoNormal">++[eap] returns ok</p>
<p class="MsoNormal">Found Auth-Type = EAP</p>
<p class="MsoNormal"># Executing group from file /etc/raddb/sites-enabled/packetfence</p>
<p class="MsoNormal">+- entering group authenticate {...}</p>
<p class="MsoNormal">[eap] Request found, released from the list</p>
<p class="MsoNormal">[eap] EAP/peap</p>
<p class="MsoNormal">[eap] processing type peap</p>
<p class="MsoNormal">[peap] processing EAP-TLS</p>
<p class="MsoNormal">[peap] eaptls_verify returned 7</p>
<p class="MsoNormal">[peap] Done initial handshake</p>
<p class="MsoNormal">[peap] eaptls_process returned 7</p>
<p class="MsoNormal">[peap] EAPTLS_OK</p>
<p class="MsoNormal">[peap] Session established. Decoding tunneled attributes.</p>
<p class="MsoNormal">[peap] Peap state send tlv failure</p>
<p class="MsoNormal">[peap] Received EAP-TLV response.</p>
<p class="MsoNormal">[peap] The users session was previously rejected: returning reject (again.)</p>
<p class="MsoNormal">[peap] *** This means you need to read the PREVIOUS messages in the debug output</p>
<p class="MsoNormal">[peap] *** to find out the reason why the user was rejected.</p>
<p class="MsoNormal">[peap] *** Look for "reject" or "fail". Those earlier messages will tell you.</p>
<p class="MsoNormal">[peap] *** what went wrong, and how to fix the problem.</p>
<p class="MsoNormal">[eap] Handler failed in EAP/peap</p>
<p class="MsoNormal">[eap] Failed in EAP select</p>
<p class="MsoNormal">++[eap] returns invalid</p>
<p class="MsoNormal">Failed to authenticate the user.</p>
<p class="MsoNormal">} # server packetfence</p>
<p class="MsoNormal">Using Post-Auth-Type Reject</p>
<p class="MsoNormal"># Executing group from file /etc/raddb/sites-enabled/packetfence</p>
<p class="MsoNormal">+- entering group REJECT {...}</p>
<p class="MsoNormal">[attr_filter.access_reject] expand: %{User-Name} -> sm18818</p>
<p class="MsoNormal">attr_filter: Matched entry DEFAULT at line 11</p>
<p class="MsoNormal">++[attr_filter.access_reject] returns updated</p>
<p class="MsoNormal">Delaying reject of request 8 for 1 seconds</p>
<p class="MsoNormal">Going to the next request</p>
<p class="MsoNormal">Waking up in 0.9 seconds.</p>
<p class="MsoNormal">Sending delayed reject for request 8</p>
<p class="MsoNormal">Sending Access-Reject of id 170 to 10.1.1.21 port 1645</p>
<p class="MsoNormal"> Password-Retry := 3</p>
<p class="MsoNormal"> EAP-Message = 0x04090004</p>
<p class="MsoNormal"> Message-Authenticator = 0x00000000000000000000000000000000</p>
<p class="MsoNormal">Waking up in 2.9 seconds.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Is there somewhere else I need to enable this attribute? Does it need adding to the dictionary on the client?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Cheers,</p>
<p class="MsoNormal">Andi</p>
</div>
<hr>
<br>
>From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University
will now be sent from the new @cardiffmet.ac.uk address. <b>Please could you ensure that all of your contact records and databases are updated to reflect this change.</b> Further information can be found on the website
<a href="http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx">here.</a>
<br>
</body>
</html>