MS-CHAP-Error

Phil Mayers p.mayers at imperial.ac.uk
Wed Apr 23 20:19:13 CEST 2008


All,

We're rolling out a password-expiry policy here, and it's been suggested 
that it would be helpful for the VPN to prompt a user to change their 
password, rather than just lock them out.

The VPN is poptop on Linux, authing to FreeRadius, which currently talks 
to winbind and then to our w2k3 servers but may be moving to proxy the 
final inner mschap to IAS (all the policy checks and interesting stuff 
will be staying on FreeRadius - but using FR2 and a proxy plus pool of 
home servers seems likely to give us better failure and recovery 
characteristics when an AD controller goes away)

When we MS-CHAP an expired account we get a MS-CHAP-Error packet in the 
reply as expected:

Sending Access-Request of id 7 to 192.168.29.34 port 1812
         Service-Type = Framed-User
         Framed-Protocol = PPP
         User-Name = "test"
         MS-CHAP-Challenge = 0xSNIP
         MS-CHAP2-Response = 0xSNIP
         Calling-Station-Id = 192.168.55.55
         NAS-IP-Address = 192.168.54.54
         NAS-Port = 0
         Proxy-State = 0x3633
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
         Proxy-State = 0x3633
         MS-CHAP-Error = "\000E=648 R=0 V=3"

...however FreeRadius obeys the RFCs, and doesn't proxy the 
MS-CHAP-Error packet back to the radius client (pppd "radius.so" plugin) 
so my patches to pppd are unable to act on the error code.

Am I wasting my time?
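The MS-CHAP-Error value in the reject above ("\000E=648 R=0 V=3") is an Ident octet followed by the RFC 2759 failure string, and 648 is ERROR_PASSWD_EXPIRED. The following decoder is an added example written for this page; it is not Phil's pppd patch, nor code from FreeRADIUS, poptop or IAS. The first sample is the attribute from the post; the second sample (with C= and M= fields), the error-code table from RFC 2759 section 6, and the `can_change_password` policy helper are constructed for illustration.

```python
import re

# Failure codes from RFC 2759 section 6 (MS-CHAPv2 Failure packet).
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# "key=value" fields of the failure string. M= is handled separately
# because its free-text value may contain spaces.
_FIELD_RE = re.compile(r"\b([ERCV])=(\S+)")


def parse_mschap_error(attr: bytes) -> dict:
    """Decode the value of a RADIUS MS-CHAP-Error attribute (RFC 2548 2.1.6).

    Layout: one Ident octet (the Identifier of the MS-CHAP response being
    rejected) followed by the ASCII failure string of RFC 2759 section 6:

        E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>

    E is a decimal error code, R is 1 if a retry is allowed, C is a fresh
    16-byte challenge in hex, V is the protocol version and M a message.
    Everything after E= is optional, as the post's "\\000E=648 R=0 V=3" shows.
    """
    if len(attr) < 2:
        raise ValueError("MS-CHAP-Error attribute is too short")
    ident = attr[0]
    text = attr[1:].decode("ascii", errors="replace")

    message = None
    m_pos = text.find("M=")
    if m_pos != -1:
        message = text[m_pos + 2:]
        text = text[:m_pos]

    fields = dict(_FIELD_RE.findall(text))
    if "E" not in fields or not fields["E"].isdigit():
        raise ValueError("MS-CHAP-Error has no usable E= field")
    code = int(fields["E"])

    challenge = None
    if "C" in fields:
        try:
            challenge = bytes.fromhex(fields["C"])
        except ValueError:
            challenge = None  # malformed hex: treat as absent, do not trust it

    return {
        "ident": ident,
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",
        "challenge": challenge,
        "version": int(fields["V"]) if fields.get("V", "").isdigit() else None,
        "message": message,
    }


def can_change_password(err: dict) -> bool:
    """Hypothetical policy helper for this example: could a PPP client start
    the MS-CHAPv2 change-password exchange from this failure?

    RFC 2759 has the peer answer E=648 with a Change-Password packet computed
    over the challenge carried in the failure's C= field, so a reject that
    says E=648 but omits C= (as in the post) gives the client nothing to work
    with even if the attribute were proxied back to it.
    """
    return (
        err["code"] == 648
        and err["challenge"] is not None
        and len(err["challenge"]) == 16
    )


# Constructed samples: the reject from the post, and a hypothetical reject
# carrying the optional fields a password change would need.
SAMPLE_FROM_POST = b"\x00E=648 R=0 V=3"
SAMPLE_WITH_CHALLENGE = (b"\x05E=648 R=1 C=0123456789abcdef0123456789abcdef V=3 "
                         b"M=Password has expired")

if __name__ == "__main__":
    for raw in (SAMPLE_FROM_POST, SAMPLE_WITH_CHALLENGE):
        err = parse_mschap_error(raw)
        print(err["name"], "change-password possible:", can_change_password(err))
```

Parsing the string is the easy part; the point the decoder makes explicit is that the reject in the post carries neither R=1 nor a C= challenge, so a client that did receive it could report "password expired" but could not complete an MS-CHAPv2 Change-Password exchange from that packet alone.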


