On 10/04/2011 12:57, James J J Hooper wrote:
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)??
Yes, thanks.
Also, args to pairmove2 are wrong way around, as attached.
After that last change (p4.txt.gz), I think it's now doing the right thing:
* wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present.
* With allow_retry = no, XP pop's up the usual 'enter credentials...' bubble, and box.
* With allow_retry = yes, XP pops a "click to process credentials" bubble, then a "type your password again" box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png
...Although, when you correct the password in the 'allow_retry = yes" popup, I don't think FR has got the bit to handle that yet:
Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received << *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamalieneap-bris-sha-ca] Failed in EAP select ++[eduroamalieneap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect: [jh1761-s@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel) } # server eduroamalien-inner [peap] Got tunneled reply code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE
I think it needs two things now: 1) Something like: @@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data->code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response received"); + if ((data->code != PW_EAP_MSCHAPV2_CHALLENGE) && (data->code != PW_EAP_MSCHAPV2_FAILURE)) { + radlog(L_ERR, "rlm_eap_mschapv2: Unexpected response received: %d", data->code); return 0; } ... because the response to our MSCHAPV2_FAILURE seems to be a MSCHAPV2_FAILURE 2) if (inst->retry_msg) { snprintf(buffer + 9, sizeof(buffer), " C="); for (i = 0; i < 16; i++) { snprintf(buffer + 12 + i*2, sizeof(buffer), "%02x", fr_rand() & 0xff); } This C=<random> needs to be saved and eventually make it's way in to data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); has the correct challenge, and can then process the clients "retry" correctly? (help, I havn't managed to work out the mechanism from the current challenge generation bits yet!) -James