Theparanoidone Theparanoidone wrote:
We have successfully implemented a test patch. This test patch moves away from implementing mschapv2 in the client connection and specifying PAP. It changes the opendirectory response, and only requires two lines of code to change in rlm_opendirectory.c. I include the updated block of code here:
You are welcome to maintain this patch locally. i.e. on your system. "git" makes this easy. However, it cannot be added to the server.
Long term to make a patch like this useful... perhaps a freeradius configuration option called "allowExpiredPasswordsAndPasswordResets = yes" could be implemented.... (unless there is an easier way to do this in Post-Auth-Reject.. see my request above).
Check the password by hand, using a shell script.
I am still interested in:
1) An example Auth-Post-Reject example (basic code block and where to place it as my attempts have failed)
You can't turn a reject into an accept.
2) If anyone has any additional information about EAPOL Logoff packets being transmitted on client password reset prompts, I'd be interested in hearing about it.
No one else does password changes that way.
3) A long term solution; I don't believe password expirations are that uncommon anymore with all the security requirements (HIPPA, PCI, etc etc) that depend upon this.
Password change is not part of RADIUS. Alan DeKok.