how to add MSCHAPV2 Retry Max

Alan DeKok aland at
Fri May 13 15:09:31 CEST 2011

John.Hayward at wrote:
>>  What's a "session"?
> I probably used the wrong term here.  What I intended to say was
> something like a "Negotiation" sequence.  In rfc2759

  That's nice.  What does that have to do with RADIUS?

  I'm not being obtuse here... I really mean that you need to look at
how this interacts with RADIUS.

  Hint: it doesn't.

> Keeping track of the number of retries used in the current "Negotiation"
> sequence is what I am attempting.

  As I've said repeatedly:

>>  The RADIUS server doesn't track sessions.
>>  MSCHAP authentication doesn't involve the idea of "sessions".  Look at
>> rlm_mschap: there is no session tracking.
> I'll look at EAP module and see if the retry counter could be used to
> keep track of the retries of a particular "Negotiation" sequence of the
> MSCHAP authentication.


  You will need to write the same kind of session tracking in MSCHAP as
is currently done in EAP.  You *cannot* re-use the EAP session tracking.

  And for 99% of the situations, session tracking in MS-CHAP is pointless.

  You're MUCH better off using a DB.  Really.  That's why I suggested
it.  I'm not an idiot.

  Alan DeKok.

More information about the Freeradius-Devel mailing list