Cisco VPN Radius with expiry & Windows domain password expiration

kesm0724 kevin.smith at emp.shentel.com
Thu Oct 9 23:18:55 CEST 2008


Hello All,

I have a Cisco VPN concentrator and in the past have had it pointed to a
Windows IAS Server.  I have now switched to FreeRADIUS and have discovered
that when a user needs to "Change password on next logon" the Cisco VPN
client does not prompt for a password change.  Prior to moving to FreeRADIUS
the password change prompt came up, allowing the user to change their
password.  On the concentrator I do have "Radius with Expiry" configured and
have switched back and forth between the IAS Server and the FreeRADIUS
server to ensure it was something particular to the authentication servers,
not the concentrator.

I notice the following in debug:

rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
        expand: --username=%{mschap:User-Name} -> --username=test
 mschap2: 83
        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=04e843995bfbdbca
        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=a378afdf127434783890d2e2e4f9d5bd97976a00d2c51fa4
Exec-Program output: Must change password (0xc0000224)
Exec-Program-Wait: plaintext: Must change password (0xc0000224)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect

I have been looking on Google for Windows domain password expiry +
FreeRADIUS, amongst other search strings, all to no avail.  Can anyone tell me
what I'm doing wrong?

Thanks.


-- 
View this message in context: http://www.nabble.com/Cisco-VPN-Radius-with-expiry---Windows-domain-password-expiration-tp19907575p19907575.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
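
Added example, not part of the original post and not FreeRADIUS code: a triage script that reads rlm_mschap debug output like the excerpt above and separates "must change password" outcomes from real bad-password failures. The mapping from the ntlm_auth NTSTATUS value to the RFC 2759 MS-CHAPv2 error code (E=648 is the failure a client answers with a Change-Password packet) is an assumption of this example, and the second log event is constructed sample data.

```python
import re

# NTSTATUS values printed by ntlm_auth, mapped to the RFC 2759 MS-CHAPv2
# error code (E=) carried in MS-CHAP-Error. Assumed mapping for this example.
NTSTATUS_TO_MSCHAP = {
    0xC0000224: ("STATUS_PASSWORD_MUST_CHANGE", 648),  # ERROR_PASSWD_EXPIRED
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", 648),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", 647),      # ERROR_ACCT_DISABLED
    0xC000006F: ("STATUS_INVALID_LOGON_HOURS", 646),   # ERROR_RESTRICTED_LOGON_HOURS
    0xC000006A: ("STATUS_WRONG_PASSWORD", 691),        # ERROR_AUTHENTICATION_FAILURE
    0xC000006D: ("STATUS_LOGON_FAILURE", 691),
}

USER_RE = re.compile(r"->\s*--username=(\S+)")
STATUS_RE = re.compile(r"Exec-Program output:\s*(.*?)\s*\((0x[0-9a-fA-F]{8})\)")


def classify(debug_text):
    """Return one record per ntlm_auth result found in radiusd debug output."""
    # Mail archives wrap long 'expand:' lines after '->'; rejoin them first.
    text = re.sub(r"->[ \t]*\n[ \t]*", "-> ", debug_text)
    results, user = [], None
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            code = int(m.group(2), 16)
            name, e = NTSTATUS_TO_MSCHAP.get(code, ("UNMAPPED", 691))
            results.append({"user": user, "ntstatus": name, "mschap_error": e,
                            "needs_password_change": e == 648})
            user = None
    return results


# First event is taken from the post; the second (user "alice") is constructed.
SAMPLE = """\
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
        expand: --username=%{mschap:User-Name} -> --username=test
Exec-Program output: Must change password (0xc0000224)
rlm_mschap: Told to do MS-CHAPv2 for alice with NT-Password
        expand: --username=%{mschap:User-Name} ->
--username=alice
Exec-Program output: Wrong Password (0xc000006a)
"""

if __name__ == "__main__":
    for rec in classify(SAMPLE):
        print(rec)
```

A record with needs_password_change set is an account-state condition, not a credential failure, so it should not be counted toward bad-password or lockout alerting.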