Password Policy - Expired Password - mschap

Alan DeKok aland at deployingradius.com
Thu Aug 12 23:52:43 CEST 2010


Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch.  This test patch moves away from 
> implementing mschapv2 in the client connection and specifying PAP.  It changes 
> the opendirectory response, and only requires two lines of code to change in 
> rlm_opendirectory.c.  I include the updated block of code here:

  You are welcome to maintain this patch locally, i.e. on your system.
  "git" makes this easy.

  However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius configuration 
> option called "allowExpiredPasswordsAndPasswordResets = yes" could be 
> implemented.... (unless there is an easier way to do this in Post-Auth-Reject.. 
> see my request above).  

 Check the password by hand, using a shell script.

> I am still interested in:
> 
> 1) An Auth-Post-Reject example (basic code block and where to place it, 
> as my attempts have failed)

  You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being 
> transmitted on client password reset prompts, I'd be interested in hearing about 
> it.

  No one else does password changes that way.

> 3) A long-term solution; I don't believe password expirations are that uncommon 
> anymore with all the security requirements (HIPAA, PCI, etc.) that depend 
> upon this.

  Password change is not part of RADIUS.

  Alan DeKok.
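As an added illustration of the point above about Post-Auth-Type REJECT (this is example configuration written for this page, not code from Alan DeKok, the original poster, or the FreeRADIUS project), the following shows where such a block lives and what it can do: it runs after the server has already decided on an Access-Reject, so it can add or strip reply attributes but cannot change the packet code. It assumes FreeRADIUS 2.x unlang syntax in the `post-auth` section of sites-available/default, and the MS-CHAP-Error check assumes the authentication module placed that attribute, with the RFC 2759 ERROR_PASSWD_EXPIRED code E=648, into the reply; that attribute and code are assumptions for the example, not something the thread states.

```unlang
# Added example, not from the original post.  Lives in the post-auth
# section of sites-available/default (FreeRADIUS 2.x unlang syntax).
post-auth {
    # This sub-section runs only for requests that are already being
    # rejected.  The packet code is fixed here: you may edit the reply
    # attribute list, but nothing in this block turns the Access-Reject
    # into an Access-Accept.
    Post-Auth-Type REJECT {
        # Strip attributes that are not permitted in an Access-Reject
        # (module from modules/attr_filter).
        attr_filter.access_reject

        # Assumption for the example: the auth module set MS-CHAP-Error
        # with E=648 (ERROR_PASSWD_EXPIRED, RFC 2759) in the reply.
        if (reply:MS-CHAP-Error =~ /E=648/) {
            update reply {
                Reply-Message := "Password expired; change it before logging in"
            }
        }
    }
}
```

The only observable effect of this block is the extra Reply-Message on the Reject; whether a supplicant shows it to the user depends on the client, and an MS-CHAPv2 client will still treat the exchange as a failed authentication.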



More information about the Freeradius-Users mailing list