Hello, I have environment with Freeradius 3.0.17 and samba 4.8 AD DC authenticating windows 10 clients over LAN with EAP-PEAP. To start off, I know that ntlm_auth is used ant that is just a tool used by freeradius, so if my issue has nothing to do with freeradius, do say so, I'll ask around samba mailing list. I did configure freeradius to allow expired password changes (in mschap and eap modules), but what I did not realize is that there is an exception, where password change goes wrong. A scenario is this: - user has expired password (either because it "just" expired, or because user forgot password, and it was reset with "user must change at next logon") - user enters enters expired password - user is allowed to change password (user prompt to enter new password) and then: a) if user enters and re-enters new password, all is fine, password is changed (hurray!) b) if user enters mismatched passwords, all works as intended (error prompts: entered password do not match, user gets another chance) (great!) and now the (in my opinion) incorrect behaviour c): user enters and re-enters new password during change that does not comply with domain password complexity policy (too short, not complex, or repetitive). In this scenario freeradius debug shows error like this: (24) mschap: Doing MS-CHAPv2 password change via ntlm_auth helper (24) mschap: EXPAND username: %{mschap:User-Name} (24) mschap: --> username: some-username (24) mschap: EXPAND nt-domain: somedomain (24) mschap: --> nt-domain: somedomain (24) mschap: ntlm_auth said: Password-Change: No Password-Change-Error: The transport connection is now disconnected. . . (24) mschap: ERROR: ntlm auth password change failed: Password-Change-Error: The transport connection is now disconnected. (24) mschap: ERROR: Password change failed (24) [mschap] = reject (24) } # authenticate = reject (24) MSCHAP-Error: 3E=709 R=0 M=Password change failed (24) Could not parse new challenge from MS-CHAP-Error: 2 (24) ERROR: MSCHAP Failure At this point 802.1x authentication ends, windows starts another authentication session for windows-host (and succeeds), BUT on the other hand user still sees password change prompt, just "ordinary", not the one that is related to 802.1x and with correct error reason (password does not comply with domain password policy). What happens next is this: IF user still tries to change their password they might succeed, windows will start another 802.1x session and this time with already changed password 802.1x login will just work. But it's not always the case and overall it seems wrong. Sometimes user gets in a "password change loop", that is: prompt to change password, doesn't matter what user will enter, another "your password has expired - change your password" screen will appear, with no real connection being sent. Overall it's really messy and confusing to users. I'm not sure if it's more samba related (since it's ntlm_auth that's being used) or freeradius and just different error handling? Correct behaviour in my opinion for c) would be similar to scenario b), that is - without breaking 802.1x authentication session, give user another chance to change password with proper information (that password does not comply with domain policy settings), instead of just "failure". Unfortunately I don't have access to pure windows environment with windows NPS and windows DC to see, how this scenario is handled there as comparison. I can get more information (full debug, configuration etc.), when/if needed. I will be thankful for some input, wether it's something that can be fixed/worked around or just something that I'll have to live with. Regards, Kacper