Password Policy - Expired Password - mschap

Alan DeKok aland at deployingradius.com
Thu Aug 12 10:32:45 CEST 2010


Theparanoidone Theparanoidone wrote:
> We are working on a patch.

  Good, thanks.

> We're of the opinion that Apple's version rlm_mschap / opendir included 
> with freeradius is missing something.
> 
> It appears they were only considering someone entering a failed 
> login/password combo... not a user with a password reset or an expired 
> password.  Here is the line from opendir.c:

  Pretty much, yes.  Expired passwords, or password resets are "failed
logins", just like incorrect passwords.

> ======
> if (status != eDSNoErr) 
> {
> errno = EACCES;
> radlog(L_ERR, "rlm_mschap: authentication failed %d", status);
> /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */
> return RLM_MODULE_REJECT;
> }
> ======
> 
> The comment provided makes it seem like they only expected error -14090...

  So?  It's a comment.  It doesn't affect the way that the code operates.

> -14090: eDSAuthFailed
> 0: eDSNoErr
> 
> But what about?
> 
> -14161: eDSAuthNewPasswordRequired
> -14162: eDSAuthPasswordExpired

  They all fall into the same class: failed authentication.

> 
> Possible solutions:
> ---------------------------
> Solution 1)  Edit the opendir.c module to simply detect error status -14161 and 
> -14162... and simply set the status to 0 instead. 

  Absolutely not.  Expired passwords are *not* OK.

> Solution 2) Try and rig up something in Post-Auth-Type REJECT {...}  to override 
> the failed login and force the response to Auth-Accept.   Perhaps, some pseudo 
> conf code that says if reject-message == -14162 || reject-message == -14161 ... 
> then "ok update auth-type := accept

  No.  That's just as bad.

> (PS... looks like this has been an issue for a while??? we are new to 
> freeradius... but I found your post here: 
>  http://www.opensubscriber.com/message/freeradius-devel@lists.freeradius.org/5906511.html
>  from 3 years ago ... are we the only few interested in port security and a 
> password policy?)

  Nonsense.  That is not a good conclusion.

  The real reason is that very few people do password changes via
MS-CHAP.  Most people do it via Active Directory, LDAP, web pages, etc.

  Alan DeKok.
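The status codes discussed above, worked into code as an added example. This is not opendir.c or any FreeRADIUS code; it is a stand-alone illustration of the point made in the reply: every non-zero DirectoryService status stays a reject, and the only thing worth adding is a distinct MS-CHAP-V2 error code so the client learns that the password expired rather than that it was wrong. The DS status values are the ones quoted in the thread; the E= codes 648 (ERROR_PASSWD_EXPIRED) and 691 (ERROR_AUTHENTICATION_FAILURE) and the "E= R= C= V= M=" Failure-Packet layout come from RFC 2759 section 6. The names EX_MODULE_OK/EX_MODULE_REJECT, the functions classify_ds_status and build_mschap_failure, the choice to map eDSAuthNewPasswordRequired onto 648 and to set the retry flag only for that case, and the all-zero sample challenge are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not rlm_mschap/opendir.c code. Classifies the
 * DirectoryService status codes quoted in the thread and renders an
 * MS-CHAP-V2 Failure message (RFC 2759 section 6) so that an expired or
 * must-change password is reported distinctly while still being rejected.
 */

/* DirectoryService status values as quoted in the thread. */
enum {
    eDSNoErr                   = 0,
    eDSAuthFailed              = -14090,
    eDSAuthMethodNotSupported  = -14091,
    eDSAuthNewPasswordRequired = -14161,
    eDSAuthPasswordExpired     = -14162
};

/* MS-CHAP-V2 failure codes, RFC 2759 section 6. */
#define MSCHAP_E_PASSWD_EXPIRED 648
#define MSCHAP_E_AUTH_FAILURE   691

/* Local stand-ins for the module return codes (assumed names, not FreeRADIUS's). */
enum { EX_MODULE_OK = 0, EX_MODULE_REJECT = 1 };

/*
 * Decide the module result for a DS status and pick the MS-CHAP error code
 * to report. Only eDSNoErr yields OK; every other status, including
 * "expired" and "new password required", is a reject. Returns the module
 * result; *mschap_err receives 0 on success or the E= code otherwise.
 */
int classify_ds_status(int status, int *mschap_err)
{
    switch (status) {
    case eDSNoErr:
        *mschap_err = 0;
        return EX_MODULE_OK;
    case eDSAuthPasswordExpired:
    case eDSAuthNewPasswordRequired:
        /* Mapping both onto 648 is this example's choice: MS-CHAP-V2 has
         * no separate "must change password at next logon" code. */
        *mschap_err = MSCHAP_E_PASSWD_EXPIRED;
        return EX_MODULE_REJECT;
    default:
        /* eDSAuthFailed, eDSAuthMethodNotSupported and anything else. */
        *mschap_err = MSCHAP_E_AUTH_FAILURE;
        return EX_MODULE_REJECT;
    }
}

/*
 * Render the Failure-Packet message text for a rejected status:
 *   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
 * challenge is the 16-octet new challenge the server would issue. Returns
 * the number of characters written, or -1 if status is not a failure or
 * buf is too small.
 */
int build_mschap_failure(int status, const unsigned char challenge[16],
                         char *buf, size_t buflen)
{
    int err;
    if (classify_ds_status(status, &err) != EX_MODULE_REJECT) return -1;

    /* Retry flag: allowed only for the expired case, where the client is
     * expected to follow with a Change-Password exchange (example policy). */
    int retry = (err == MSCHAP_E_PASSWD_EXPIRED) ? 1 : 0;
    const char *msg = (err == MSCHAP_E_PASSWD_EXPIRED)
                      ? "Password expired" : "Authentication failed";

    char hex[33];
    for (int i = 0; i < 16; i++) snprintf(hex + 2 * i, 3, "%02X", challenge[i]);

    int n = snprintf(buf, buflen, "E=%d R=%d C=%s V=3 M=%s", err, retry, hex, msg);
    if (n < 0 || (size_t)n >= buflen) return -1;
    return n;
}

int main(void)
{
    unsigned char chal[16] = {0};  /* constructed sample challenge */
    char buf[128];
    int statuses[] = { eDSNoErr, eDSAuthFailed,
                       eDSAuthNewPasswordRequired, eDSAuthPasswordExpired };
    for (size_t i = 0; i < sizeof statuses / sizeof statuses[0]; i++) {
        int err, r = classify_ds_status(statuses[i], &err);
        printf("status %6d -> %s", statuses[i], r == EX_MODULE_OK ? "OK\n" : "REJECT ");
        if (r == EX_MODULE_REJECT &&
            build_mschap_failure(statuses[i], chal, buf, sizeof buf) > 0)
            printf("%s\n", buf);
    }
    return 0;
}
```

The point of keeping classify_ds_status as the single decision function is that neither of the two "solutions" proposed in the quoted mail (rewriting the status to 0, or flipping the reject to an accept in post-auth) has anywhere to hook in: the only way to get EX_MODULE_OK is a genuine eDSNoErr. What the client sees differs only in the E= code and the message text.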
