I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent.
Ah gotcha. Thanks for the detail! As Alan has suggested in his other email, you can change the "MS-CHAP-Error" in the post-auth section: post-auth { Post-Auth-Type REJECT { if (reply:MS-CHAP-Error =~ /E=691 R=1/) { update reply { MS-CHAP-Error := "E=691 R=0" } } } }
If a no retries failed authentication message (E=691 R=0) is sent I believe that that the apple device to re-prompt the user to update the password.
...but I'm not sure this will work. The reason being, if you're using wireless you're probably using PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner - that is, it is *not* raw mschap inside the tunnel. The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 ...ignoring any errors the "mschap" module might have generated. So in theory at least, FreeRadius is already doing what you want for EAP-MSCHAP, and changing it won't help.