Password Policy - Expired Password - mschap

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Wed Aug 11 22:02:01 CEST 2010


Greetings~

We are using FreeRadius 2.1.3 (on snow leopard server).

All users are authenticating with vlan assignments correctly; however, if you 
enable the ldap/(opendirectory) option to "require user to change password on 
next login" the client is unable to connect.  The client login screen will not 
proceed to prompt the user for a new password; it's simply rejected.

If you remove the password policy forcing a password reset, then the user can 
authenticate.

In other words, it appears radius (mschap / ntlm_auth) is specifically 
rejecting the user if the user has a password reset flag set.

Here is a snippet from the radius server debug log:

Failed auth:
=======
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = adouglas, OD shortUserName=adouglas (length = 8)
rlm_mschap: authentication failed -14161
++[mschap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "142"
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> adouglas
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 15 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 15
Sending Access-Reject of id 245 to 10.0.200.3 port 53907
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
=======


Success auth:
=======
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] No NT-Password configured. Trying OpenDirectory Authentication.
[mschap] OD username_string = adouglas, OD shortUserName=adouglas (length = 8)
[mschap] dsDoDirNodeAuth returns stepbuff:
S=67322D06B7A0A7BB9EBC681EAAEE6FB197CDDCB2 (len=40)
++[mschap] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "142"
MS-CHAP2-Success =
0xa9533d36373332324430364237413041374242394542433638314541414545364642313937434444434232

[ttls] Got tunneled Access-Accept
=======

One last thing to note: if we specifically allow all users to authenticate (as 
described in the FAQ with DEFAULT Auth-Type := Accept), the client login screen 
will proceed to prompt the user for a new password.

Is there a way to handle password policies (either by ignoring it during mschap, 
or adding a pre/post filter of some sort)?

Any help would be greatly appreciated, thanks in advance,
--jsmith