Hi All, FR 2.1.x Git, doing PEAP against AD via ntlm_auth. I thought that with: allow_retry = yes [in modules/mschap] and send_error = yes [in modules/eap] ...FR has the functionality to take the second password attempt, and re-try it against AD i.e. The scenario outlined in section 9.1.4 of RFC2759: <http://tools.ietf.org/html/rfc2759#section-9.1.4> I can't get it to work: Configuring as above does indeed make Windows re-prompt for the password if the first attempt is bad, but when this comes back to FR, nothing seems to be done with it. I've had a look at the code. From the little I can understand of it, the new challenge is generated into 'buffer', and sent back to the client in the MS-CHAP-Error attribute (C=<new-challenge>). However the challenge in buffer is not then "put somewhere safe" until the client sends it's response against the new challenge [having re-prompted the user for the correct password], and when the response comes in it isn't sent to do_mschap() Am I mistaken and this functionality hasn't been written yet? ...or have I mis-configured something? Debug snippet appended. Thanks, James ## INITIAL ATTEMPT WITH BAD PASSWORD: Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629 Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 9 length 80 Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going EAP conversation Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 629 Debug: +++[eduroamlocaleap-bris-ca] returns updated Debug: ++- else else returns updated Debug: Found Auth-Type = eduroamlocaleap-bris-ca Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner Debug: +- entering group eduroamlocaleap-bris-ca {...} Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 629 Debug: [eduroamlocaleap-bris-ca] Request found, released from the list Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2 Debug: [eduroamlocaleap-bris-ca] processing type mschapv2 Debug: [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner Debug: [mschapv2] +- entering group MS-CHAP {...} Debug: [mschapv2] modsingle[authenticate]: calling eduroamlocalmschap (rlm_mschap) for request 629 Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01761@bristol.ac.uk Debug: [eduroamlocalmschap] Told to do MS-CHAPv2 for jh01761@bristol.ac.uk with NT-Password Debug: [eduroamlocalmschap] expand: %{Stripped-User-Name} -> jh01761 Debug: [eduroamlocalmschap] expand: --username=%{%{Stripped-User-Name}:-%{eduroamlocalmschap:User-Name}} -> --username=jh01761 Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'Challenge' Debug: [eduroamlocalmschap] Creating challenge hash with username: jh01761@bristol.ac.uk Debug: [eduroamlocalmschap] expand: --challenge=%{eduroamlocalmschap:Challenge} -> --challenge=3db717d83ec4e184 Debug: [eduroamlocalmschap] radius_xlat: Running registered xlat function of module eduroamlocalmschap for string 'NT-Response' Debug: [eduroamlocalmschap] expand: --nt-response=%{eduroamlocalmschap:NT-Response} -> --nt-response=0b7588b2a33b43f7379d4bded3d69adcfbe5da07911b8485 Debug: [eduroamlocalmschap] External script failed. Debug: [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect Debug: modsingle[authenticate]: returned from eduroamlocalmschap (rlm_mschap) for request 629 Debug: ++[eduroamlocalmschap] returns reject Debug: ++? if (reject) Debug: >>> RECURSING WITH ... reject) Debug: >>> LOOKING AT reject) Debug: >>> Comparison returned 1 Debug: ? Evaluating (reject) -> TRUE Debug: >>> GOT result 1 Debug: >>> AT EOL -> 1 Debug: >>> AFTER RECURSION ... ) Debug: >>> AT EOL -> 1 Debug: ++? if (reject) -> TRUE Debug: ++- entering if (reject) {...} Debug: ::: FROM 1 TO 25 MAX 26 Debug: ::: Examining UOB-Info-Type Debug: ::: APPENDING UOB-Info-Type FROM 0 TO 25 Debug: ::: TO in 25 out 26 Debug: ::: to[0] = EAP-Message Debug: ::: to[1] = FreeRADIUS-Proxied-To Debug: ::: to[2] = User-Name Debug: ::: to[3] = State Debug: ::: to[4] = Calling-Station-Id Debug: ::: to[5] = Called-Station-Id Debug: ::: to[6] = NAS-Port Debug: ::: to[7] = Cisco-AVPair Debug: ::: to[8] = NAS-IP-Address Debug: ::: to[9] = NAS-Identifier Debug: ::: to[10] = Airespace-Wlan-Id Debug: ::: to[11] = Service-Type Debug: ::: to[12] = Framed-MTU Debug: ::: to[13] = NAS-Port-Type Debug: ::: to[14] = Tunnel-Type Debug: ::: to[15] = Tunnel-Medium-Type Debug: ::: to[16] = Tunnel-Private-Group-Id Debug: ::: to[17] = UOB-Stripped-MAC Debug: ::: to[18] = Stripped-User-Name Debug: ::: to[19] = Realm Debug: ::: to[20] = EAP-Type Debug: ::: to[21] = MS-CHAP-Challenge Debug: ::: to[22] = MS-CHAP2-Response Debug: ::: to[23] = NTLM-User-Name Debug: ::: to[24] = Module-Failure-Message Debug: ::: to[25] = UOB-Info-Type Debug: +++[request] returns reject Debug: modsingle[authenticate]: calling eduroaminfo (rlm_linelog) for request 629 Debug: [eduroaminfo] expand: %{UOB-Info-Type} -> BADP Debug: [eduroaminfo] expand: %{Virtual-Server}.%{%{UOB-Info-Type}:-UNKN} -> eduroamlocal-inner.BADP Debug: [eduroaminfo] expand: BADP, %{UOB-Stripped-MAC}, USER PASSWORD or ADS GROUP INCORRECT [%{User-Name}] [%{Virtual-Server}], [%{Module-Failure-Message}] [%{reply:MS-CHAP-Error}] -> BADP, 68:7f:74:f2:a3:4e, USER PASSWORD or ADS GROUP INCORRECT [jh01761@bristol.ac.uk] [eduroamlocal-inner], [eduroamlocalmschap: External script says Logon failure (0xc000006d)] [\011E=691 R=1 C=077b54f94a5230c9ecb273bfff3ef93b V=3 M=Verify username and re-enter your password] Debug: modsingle[authenticate]: returned from eduroaminfo (rlm_linelog) for request 629 Debug: +++[eduroaminfo] returns ok Debug: modsingle[authenticate]: calling reject (rlm_always) for request 629 Debug: modsingle[authenticate]: returned from reject (rlm_always) for request 629 Debug: +++[reject] returns reject Debug: ++- if (reject) returns reject Debug: modsingle[authenticate]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 629 Debug: ++[eduroamlocaleap-bris-ca] returns handled ## THEN 4 SECONDS LATER (user has re-typed their password) Debug: ++- entering else else {...} Debug: modsingle[authorize]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 673 Debug: [eduroamlocaleap-bris-ca] EAP packet type response id 10 length 80 Debug: [eduroamlocaleap-bris-ca] No EAP Start, assuming it's an on-going EAP conversation Debug: modsingle[authorize]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 673 Debug: +++[eduroamlocaleap-bris-ca] returns updated Debug: ++- else else returns updated Debug: Found Auth-Type = eduroamlocaleap-bris-ca Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamlocal-inner Debug: +- entering group eduroamlocaleap-bris-ca {...} Debug: modsingle[authenticate]: calling eduroamlocaleap-bris-ca (rlm_eap) for request 673 Debug: [eduroamlocaleap-bris-ca] Request found, released from the list Debug: [eduroamlocaleap-bris-ca] EAP/mschapv2 Debug: [eduroamlocaleap-bris-ca] processing type mschapv2 Debug: [eduroamlocaleap-bris-ca] Freeing handler Debug: modsingle[authenticate]: returned from eduroamlocaleap-bris-ca (rlm_eap) for request 673 Debug: ++[eduroamlocaleap-bris-ca] returns reject Debug: Failed to authenticate the user. Wed Apr 11 15:53:04 2012 : Auth: Login incorrect: [jh01761@bristol.ac.uk] (from client WISM4 port 13 cli 68:7f:74:f2:a3:4e via TLS tunnel)