MS-CHAP-V2 with no retry
John.Hayward at wheaton.edu
Wed Apr 6 22:42:11 CEST 2011
On Wed, 9 Mar 2011, Alan DeKok wrote:
> Date: Wed, 9 Mar 2011 01:25:10
> From: Alan DeKok <aland at deployingradius.com>
> Reply-To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: MS-CHAP-V2 with no retry
>
> John Hayward wrote:
>> Any idea of the time frame?
>
> A long time.
>
>> Should I spend my time looking at the code and proposing a patch?
>
> Sure.
>
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't know if this should be sent to the developers list instead.
=== Background ===
When the client fails to match the challenge of the server:
According to RFC 2759 section 6, a failure packet includes a message like:
"E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
where E is the error code, R is 1/0 to allow/disallow retry, C is an ASCII
version of the challenge, V=3, and M= is some text message.
After this MS-CHAP failure message is sent by the server, an acknowledgment
which seems to have a failure code should be returned from the client.
At that point the server can close the EAP connection with a failure.
What the 2.1.10 code (and earlier) appears to do is, after the MS-CHAP
failure is detected, immediately close the EAP connection with a failure.
The effect for Windows XP/7 machines connecting wirelessly using MS-CHAPv2
is that they are presented with a dialog box and can enter new
credentials.
What happens with Mac/iPhone/Android/Ubuntu is that they appear to be
confused, time out, and re-send (at various rates) authentication
attempts without presenting a dialog box to the user.
For some environments (such as using Novell NDS to authenticate), if
modules/ldap is configured with edir_account_policy_check=yes, these repeated
failures result in account lockouts.
Scenario: the institution requires a periodic change of password; the user
uses a web site to change the password; the user forgets to update their
Mac/iPhone/Android; the user turns on their Mac/iPhone/Android; shortly
after, the user cannot access any resources (such as Blackboard/portal etc.)
because their account is locked out.
=== Proposed fix ===
Modify FreeRADIUS to follow RFC 2759.
This requires patches to two source files:
o src/modules/rlm_mschap/rlm_mschap.c, to include a message which conforms
to RFC 2759
o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c, to use the
response created by rlm_mschap.c and send that back, and also to accept an
authentication failure acknowledgment before sending the EAP failure packet.
Below are the diffs:
=== rlm_mschap.c (from src/modules/rlm_mschap/)
1242,1252c1242
< /* JCH - changes to include challenge and message */
< char msg[100];
< strcpy(msg, "E=691 R=0 C=");
< int i, offset = strlen(msg);
< char *ptr = &msg[offset];
< for (i=0; i<16; i++, ptr+=2) {
< sprintf(ptr, "%02X", response->vp_octets[i+2]);
< }
< *ptr = 0;
< strcat(msg, " V=3 M=May Need to reset cashed password"
);
< mschap_add_reply(request, &request->reply->vps,
---
> mschap_add_reply(request, &request->reply->vps,
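Review bot: the C= field is filled from 16 octets of the client's own MS-CHAP2-Response (`response->vp_octets[i+2]`, which is where the peer-chosen challenge sits in that attribute), but RFC 2759 section 6 defines C= as the new authenticator challenge the peer must use if it retries; even with R=0 the value should be a fresh server-generated challenge that the server records, not data the client supplied, otherwise the field is misleading the moment R is ever set to 1. Three smaller points in the same hunk: the strcpy/strcat/sprintf chain into `char msg[100]` has no length check (the current text totals 84 bytes plus NUL, so it fits, but a longer M= text overflows silently), so build it with one `snprintf(msg, sizeof(msg), "E=691 R=0 C=%s V=3 M=%s", hex, text)` and fail if the return value is `>= sizeof(msg)`; `int i, offset = strlen(msg);` is a declaration after a statement, which C89 builds reject; and the user-visible M= text should read "cached", not "cashed". Also note the diff orientation: in this file the `<` lines carry the new code, while in the rlm_eap_mschapv2.c diff below the `>` lines do; regenerate both as `diff -u old new` so they apply with patch.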
1254c1244
< "MS-CHAP-Error", msg, strlen(msg));
---
> "MS-CHAP-Error", "E=691 R=1", 9);
1299d1288
< /* JCH should we check for MS-CHAPV2 and modify the reply to include challenge
? */
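Review bot: the `/* JCH should we check for MS-CHAPV2 and modify the reply to include challenge ? */` line is an open question left in the source, not a comment; settle it before submitting. If the answer is yes, the failure reply built at that point needs the same E=/R=/C=/V=/M= form as the hunk above (Comment (c) below already says Samba-locked accounts need it); if no, drop the line.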
====
==== from /src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
198c198,200
< length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
---
> /* JCH need to be change length to work with full v2 message */
> //length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN;
> length = 4 + reply->length-1;
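Review bot: `length = 4 + reply->length-1;` has no guard that `reply` is non-NULL or that `reply->length` is at least 2 (the leading Ident octet that the memcpy below skips plus at least one byte of message); with an empty MS-CHAP-Error the expression underflows if `length` is unsigned. Check that once, store the message length in one variable (e.g. `msglen = reply->length - 1;`) and reuse it at the memcpy rather than repeating `reply->length-1` in two places that can drift apart. Delete the commented-out old assignment instead of leaving it in, and use `/* */` rather than `//` comments to match the surrounding C.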
215c217,222
< memcpy((eap_ds->request->type.data + 4),
MSCHAPV2_FAILURE_MESSAG
E, MSCHAPV2_FAILURE_MESSAGE_LEN);
---
> /* JCH need to copy the failure message from mschapv2 - it contains
ascii
> version of the challenge C=...
> */
> memcpy((eap_ds->request->type.data + 4),
(reply->vp_strvalue+1),
> (reply->length-1));
> //MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN);
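Review bot: the memcpy copies `reply->length-1` bytes from `reply->vp_strvalue+1` into a buffer whose size was computed separately in the hunk above; tie the two to one variable and check `reply->length > 1` first, since `reply->length-1` on a zero-length value is a huge unsigned copy. The `+1` skips the Ident octet that leads the MS-CHAP-Error value; say so in the comment (the current one only mentions the ASCII challenge), and remove the commented-out `//MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN` line.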
487a495,505
> /*JCH added - is this is an ack of a failure message */
> case PW_EAP_MSCHAPV2_FAILURE:
> if (data->code != PW_EAP_MSCHAPV2_FAILURE) {
> radlog(L_ERR, "rlm_eap_mschapv2: Unexpected FAILURE received");
> return 0;
> }
> //JCH needed??? handler->request->options &=
~RAD_REQUEST_OPTION
_PROXY_EAP;
> eap_ds->request->code = PW_EAP_FAILURE;
> return 1;
> break;
>
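Review bot: inside `case PW_EAP_MSCHAPV2_FAILURE:` the guard `if (data->code != PW_EAP_MSCHAPV2_FAILURE)` can only fire if the switch is on something other than `data->code`; if the switch is on `data->code` it is a no-op, and what needs checking here is the opcode of the packet the peer just sent (`eap_ds->response`), i.e. that it really is the Failure Response acknowledging the Failure Request, the same way the existing SUCCESS case validates its response. `break;` after `return 1;` is unreachable and can go. The `//JCH needed??? handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;` line is another open question left in the source; look at what the SUCCESS path does with that flag and either do the same here or drop the line.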
658a677,680
> /* JCH this is in response to the failure ack - return
> failure packet - don't return yet need to send
> */
>
660,662c682
< return 1;
< #if 0
< pairmove2(&handler->request->reply->vps, &response
---
> pairmove2(&response, &handler->request->reply->vps,
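Review bot: the `pairmove2` call swaps the argument order of the previously `#if 0`'d line (`&handler->request->reply->vps, &response` became `&response, &handler->request->reply->vps`); check pairmove2's prototype for which argument is the destination list, because the wrong order moves the MS-CHAP-Error attribute out of `reply->vps` instead of into the outgoing response. With `return 1;` removed, control now continues past this point; the new comment says "don't return yet need to send", so state which code below actually sends the EAP-Failure and which list it reads the attribute from.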
665d684
< #endif
======
=== Comments ===
o Results:
We have implemented this patch (along with the configuration change
edir_account_policy_check=no) and observe:
1) no more lockouts
2) Mac/iPhone users are now presented with a dialog box where they
can update their password.
o Code:
a) I don't like the 100-character msg variable - there is probably a
better way to do this.
b) There is probably a function in the FreeRADIUS library to do the sprintf
which should be used.
c) Samba locked accounts should probably have a similar message
generated if they are MS-CHAPv2.
I would be happy if someone could look over these patches and incorporate
the ideas into freeradius for future releases.
johnh...
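Added example, not code from the message above or from FreeRADIUS: the RFC 2759 failure string described under Background, built with a bounded snprintf into a caller-supplied buffer and parsed back strictly, which is the shape of replacement for the fixed 100-byte msg/strcpy/strcat that Comments (a) and (b) ask about. The function and struct names, the error constant macro and the 00..0F sample challenge are this example's own assumptions; a real server fills C= with a freshly generated authenticator challenge that it keeps for the retry.

```c
/*
 * Added example (not from this message or from FreeRADIUS): build and parse
 * the RFC 2759 section 6 failure message
 *   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>"
 * with a bounded snprintf instead of strcpy/strcat into char msg[100].
 * Function/struct names and the sample challenge are this example's own.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSCHAPV2_CHALLENGE_LEN 16
#define MSCHAPV2_ERR_AUTH_FAILURE 691u /* ERROR_AUTHENTICATION_FAILURE */

struct mschapv2_failure {
    unsigned error;                            /* E= */
    int retry;                                 /* R=, 0 or 1 */
    uint8_t challenge[MSCHAPV2_CHALLENGE_LEN]; /* C=, decoded from hex */
    unsigned version;                          /* V= */
    const char *text;                          /* M=, points into the input */
};

/* Format the failure message.  'challenge' is the new authenticator challenge
 * the peer must use if it retries (assumed generated at random and stored by
 * the caller).  Returns the length written, or -1 if the text contains CR/LF
 * (not allowed by RFC 2759) or buf is too small to hold the whole message. */
int mschapv2_format_failure(char *buf, size_t buflen, unsigned error, int retry,
                            const uint8_t challenge[MSCHAPV2_CHALLENGE_LEN],
                            const char *text)
{
    char hex[2 * MSCHAPV2_CHALLENGE_LEN + 1];
    int i, n;

    if (strpbrk(text, "\r\n") != NULL) return -1;
    for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++)
        snprintf(hex + 2 * i, 3, "%02X", challenge[i]);
    n = snprintf(buf, buflen, "E=%u R=%d C=%s V=3 M=%s",
                 error, retry ? 1 : 0, hex, text);
    if (n < 0 || (size_t)n >= buflen) return -1; /* would have truncated */
    return n;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Parse "<prefix><decimal>" at *pp and advance past it; 0 ok, -1 malformed. */
static int parse_uint(const char **pp, const char *prefix, unsigned *out)
{
    size_t plen = strlen(prefix);
    char *end;

    if (strncmp(*pp, prefix, plen) != 0 || !isdigit((unsigned char)(*pp)[plen]))
        return -1;
    *out = (unsigned)strtoul(*pp + plen, &end, 10);
    *pp = end;
    return 0;
}

/* Strict parser: all five fields, in order.  0 on success, -1 if malformed. */
int mschapv2_parse_failure(const char *msg, struct mschapv2_failure *out)
{
    const char *p = msg;
    int i;

    if (parse_uint(&p, "E=", &out->error) != 0) return -1;
    if (strncmp(p, " R=", 3) != 0 || (p[3] != '0' && p[3] != '1')) return -1;
    out->retry = p[3] - '0';
    p += 4;
    if (strncmp(p, " C=", 3) != 0) return -1;
    p += 3;
    for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
        int hi = hexval((unsigned char)p[2 * i]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)p[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1; /* short or non-hex challenge */
        out->challenge[i] = (uint8_t)((hi << 4) | lo);
    }
    p += 2 * MSCHAPV2_CHALLENGE_LEN;
    if (parse_uint(&p, " V=", &out->version) != 0) return -1;
    if (strncmp(p, " M=", 3) != 0) return -1;
    out->text = p + 3;
    return 0;
}

int main(void)
{
    uint8_t chal[MSCHAPV2_CHALLENGE_LEN]; /* constructed sample, not random */
    char buf[128];
    struct mschapv2_failure f;
    int i, n;

    for (i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) chal[i] = (uint8_t)i;
    n = mschapv2_format_failure(buf, sizeof(buf), MSCHAPV2_ERR_AUTH_FAILURE, 0,
                                chal, "May need to reset cached password");
    printf("%d %s\n", n, buf);
    printf("parse full: %d\n", mschapv2_parse_failure(buf, &f));
    printf("parse old short form: %d\n", mschapv2_parse_failure("E=691 R=1", &f));
    return 0;
}
```

Built with a C99 compiler it prints the 84-byte message, 0 for parsing it back, and -1 for the old "E=691 R=1" form, which the strict parser rejects because the C=, V= and M= fields are missing. The formatter refuses rather than truncates when the buffer is too small, so a longer M= text is a visible error instead of a silent overflow.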