I tried to add the same MS-CHAP2-Success attribute in the Access-Accept that the mschap modules sendt in the first authentication process where I had replaced the Access-Accept with an Access-Challengeand, and this worked. So I guess I can save the attribute and then send it again if the passcode is verified, but this does not seem like a very good solution. But on the other hand, the encryption of the users passwords are needed. Do you see any other clever way to solve this? On Mon, Mar 13, 2017 at 1:48 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Mar 13, 2017, at 7:31 AM, Lasse Odden <lasse.odden@gmail.com> wrote:
This is the response I got from Cisco:
_________________
Thank you for the very detailed instructions. I was able to reproduce the issue and I believe that freeradius is violating rfc2548 section 2.3.3:
So... you configured the server to send Ms-Chap-Challenge in an Access-Challenge packet.
FreeRADIUS largely does what you tell it to do.
Do you have any suggestion or answer to Cisco?
What you're trying to do is impossible. Don't do it.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html