Hi Alan~ Thank you for the reply; your response helps saves me some time.
3) A long term solution; I don't believe password expirations are that uncommon anymore with all the security requirements (HIPPA, PCI, etc etc) that depend upon this.
Password change is not part of RADIUS.
I am new to radius, and although it is now clear that "expired passwords == user is blocked until they can authenticate from some other computer" ... I'm just surprised. I guess an alternate method is to implement login scripts to check if a users password expiration is approaching, and if so... prompt the user to update it before it expires (via, email, popup, whatever). Is that what the rest of radius users do / a best practice? Thanks for all your help... all and all, freeradius is awesome. Thanks! ----- Original Message ---- From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thu, August 12, 2010 2:52:43 PM Subject: Re: Password Policy - Expired Password - mschap Theparanoidone Theparanoidone wrote:
We have successfully implemented a test patch. This test patch moves away from
implementing mschapv2 in the client connection and specifying PAP. It changes
the opendirectory response, and only requires two lines of code to change in rlm_opendirectory.c. I include the updated block of code here:
You are welcome to maintain this patch locally. i.e. on your system. "git" makes this easy. However, it cannot be added to the server.
Long term to make a patch like this useful... perhaps a freeradius configuration
option called "allowExpiredPasswordsAndPasswordResets = yes" could be implemented.... (unless there is an easier way to do this in Post-Auth-Reject..
see my request above).
Check the password by hand, using a shell script.
I am still interested in:
1) An example Auth-Post-Reject example (basic code block and where to place it
as my attempts have failed)
You can't turn a reject into an accept.
2) If anyone has any additional information about EAPOL Logoff packets being transmitted on client password reset prompts, I'd be interested in hearing about
it.
No one else does password changes that way.
3) A long term solution; I don't believe password expirations are that uncommon
anymore with all the security requirements (HIPPA, PCI, etc etc) that depend upon this.
Password change is not part of RADIUS. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html