Password Policy - Expired Password - mschap
Alan DeKok
aland at deployingradius.com
Thu Aug 12 23:52:43 CEST 2010
Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch. This test patch moves away from
> implementing mschapv2 in the client connection and specifying PAP. It changes
> the opendirectory response, and only requires two lines of code to change in
> rlm_opendirectory.c. I include the updated block of code here:

You are welcome to maintain this patch locally. i.e. on your system.
"git" makes this easy.

However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius configuration
> option called "allowExpiredPasswordsAndPasswordResets = yes" could be
> implemented.... (unless there is an easier way to do this in Post-Auth-Reject..
> see my request above).

Check the password by hand, using a shell script.

> I am still interested in:
>
> 1) An example Auth-Post-Reject example (basic code block and where to place it
> as my attempts have failed)

You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being
> transmitted on client password reset prompts, I'd be interested in hearing about
> it.

No one else does password changes that way.

> 3) A long term solution; I don't believe password expirations are that uncommon
> anymore with all the security requirements (HIPAA, PCI, etc etc) that depend
> upon this.

Password change is not part of RADIUS.

Alan DeKok.