Password Policy - Expired Password - mschap

Theparanoidone Theparanoidone theparanoidone at yahoo.com
Fri Aug 13 00:45:22 CEST 2010


Hi Alan~

Thank you for the reply; your response helps save me some time.

> 3) A long term solution; I don't believe password expirations are that
> uncommon anymore with all the security requirements (HIPAA, PCI, etc etc)
> that depend upon this.

>>>>  Password change is not part of RADIUS.

I am new to radius, and although it is now clear that "expired passwords == user 
is blocked until they can authenticate from some other computer" ... I'm just 
surprised.

I guess an alternate method is to implement login scripts to check if a user's 
password expiration is approaching, and if so... prompt the user to update it 
before it expires (via email, popup, whatever).

Is that what the rest of radius users do / a best practice?

Thanks for all your help... all in all, freeradius is awesome.

Thanks!



----- Original Message ----
From: Alan DeKok <aland at deployingradius.com>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Thu, August 12, 2010 2:52:43 PM
Subject: Re: Password Policy - Expired Password - mschap

Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch.  This test patch moves away from 
> implementing mschapv2 in the client connection and specifying PAP.  It changes 
> the opendirectory response, and only requires two lines of code to change in 
> rlm_opendirectory.c.  I include the updated block of code here:

  You are welcome to maintain this patch locally.  i.e. on your system.
"git" makes this easy.

  However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius configuration 
> option called "allowExpiredPasswordsAndPasswordResets = yes" could be 
> implemented.... (unless there is an easier way to do this in Post-Auth-Reject.. 
> see my request above).

Check the password by hand, using a shell script.

> I am still interested in:
> 
> 1) An example Auth-Post-Reject example (basic code block and where to place it 
> as my attempts have failed)

  You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being 
> transmitted on client password reset prompts, I'd be interested in hearing about 
> it.

  No one else does password changes that way.

> 3) A long term solution; I don't believe password expirations are that uncommon 
> anymore with all the security requirements (HIPAA, PCI, etc etc) that depend 
> upon this.

  Password change is not part of RADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
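An added example (not part of the thread, and not FreeRADIUS or Open Directory code) of the "warn before it expires" approach the poster describes: read the account's password-expiry date from the directory and notify the user while they can still change it, so that 802.1X/MSCHAPv2 logins never hit the expired-password state RADIUS cannot recover from. The sample directory output is constructed in the format of the Linux `chage -l` command; querying Open Directory for the same date is assumed to be done with your own directory tooling and is not shown.

```python
"""Warn users whose directory password is about to expire.

Added example, not from the mailing-list thread.  Assumptions:
  * the expiry date is obtained in `chage -l`-style text (Linux);
    an Open Directory site would substitute its own query here;
  * WARN_DAYS is a site policy choice.
"""
from datetime import date, datetime

WARN_DAYS = 14  # assumption: start warning two weeks before expiry

# Constructed sample, in the format printed by `chage -l <user>` on Linux.
SAMPLE_CHAGE_OUTPUT = """\
Last password change\t\t\t\t\t: Jul 15, 2010
Password expires\t\t\t\t\t: Aug 24, 2010
Password inactive\t\t\t\t\t: never
Account expires\t\t\t\t\t\t: never
Minimum number of days between password change\t\t: 0
Maximum number of days between password change\t\t: 40
Number of days of warning before password expires\t: 7
"""


def parse_expiry(chage_output):
    """Return the 'Password expires' date, or None if it never expires."""
    for line in chage_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Password expires":
            value = value.strip()
            if value == "never":
                return None
            return datetime.strptime(value, "%b %d, %Y").date()
    raise ValueError("no 'Password expires' line found")


def check_password(chage_output, today_iso, warn_days=WARN_DAYS):
    """Classify the password as ('ok'|'warn'|'expired', days_left).

    today_iso is 'YYYY-MM-DD' so callers (and tests) can pin the clock.
    days_left is None when the password never expires, negative when expired.
    """
    expiry = parse_expiry(chage_output)
    if expiry is None:
        return "ok", None
    days_left = (expiry - date.fromisoformat(today_iso)).days
    if days_left < 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "warn", days_left
    return "ok", days_left


def build_message(user, chage_output, today_iso, warn_days=WARN_DAYS):
    """Text to show or mail the user; empty string when no action is needed."""
    state, days_left = check_password(chage_output, today_iso, warn_days)
    if state == "warn":
        return (f"{user}: your password expires in {days_left} day(s). "
                "Change it now, or your network logins will start being rejected.")
    if state == "expired":
        return (f"{user}: your password expired {-days_left} day(s) ago; "
                "reset it from a workstation that can still reach the directory.")
    return ""


if __name__ == "__main__":
    # Run from a login script with the real user and today's date.
    print(build_message("jdoe", SAMPLE_CHAGE_OUTPUT, date.today().isoformat()))
```

Because the check runs before expiry rather than after a RADIUS reject, it needs no server-side patch and leaves the authentication path unchanged; the only policy knob is `WARN_DAYS`, which should be at least as long as the longest stretch a roaming user goes without logging in.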