MS-CHAP-V2 with no retry

John Hayward john.hayward at wheaton.edu
Fri Apr 8 15:04:52 CEST 2011


A couple of comments on how clients behave:
o It was my impression, based on comments from our support area, that the unpatched code (which does not follow the RFC) serving a Windows client presented the user with a dialogue box on failure.  I have not tested this.  I assumed that if Windows could deal reasonably with a server which did not follow the RFC they could also work with one that did (possibly a wrong assumption - but they are the ones who wrote the RFC).

o It is known that various versions of the Mac client fail in different respects - however they seem to fail consistently in that if retry is allowed they fail to increment the ID when retrying - the MS RADIUS server discards the retry because it is not following the protocol. You can get Macs to play by configuring the server to not allow retries.  So if you are going to test Macs on the MS RADIUS server you might try both with retry and without retry.

o It appears that in this case there have been more issues with Mac wpa_clients than Windows wpa_clients.

o Testing of both Windows and Mac without the patch and with the patch needs to be done.
johnh...
________________________________________
From: freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org] on behalf of Alan DeKok [aland at deployingradius.com]
Sent: Friday, April 08, 2011 2:54 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry

Phil Mayers wrote:
> +1 - In my experience it's necessary to cater for windows' weirdness
> *first*. Most other clients have sane behaviours. I'm concerned about
> the "we didn't do much windows testing" line...

  Yup.

  I've just pushed some changes to the git "v2.1.x" branch.  See:

raddb/modules/mschap
        - allow_retry
        - retry_msg

raddb/eap.conf
        - send_error

  The default is no change.  See the documentation for how to test the
new features.

  Alan DeKok.
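
The retry behaviour discussed in this thread (a client that retries without incrementing the ID has its retry discarded), as an added example that is not part of the original messages or of FreeRADIUS: a small checker that parses the RFC 2759 failure message and flags retries that reuse the identifier. The packet tuples, function names and sample traces are assumptions constructed for illustration.

```python
import re

# Failure message layout per RFC 2759 section 6:
#   "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(
    r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+)(?: M=(.*))?$")

def parse_failure(message):
    """Split an MS-CHAP-V2 failure message into its fields."""
    m = FAILURE_RE.match(message)
    if m is None:
        raise ValueError("not an MS-CHAP-V2 failure message: %r" % message)
    return {"error": int(m.group(1)), "retry": m.group(2) == "1",
            "challenge": m.group(3), "version": int(m.group(4)),
            "msg": m.group(5) or ""}

def check_retries(exchange):
    """Return findings for Responses that break the retry rule.

    exchange is a list of (kind, ident, message) tuples in wire order
    (hypothetical, simplified packet model; message is None for a Response).
    """
    findings = []
    last_id = None    # identifier of the most recent Response
    retry_ok = None   # R flag of the most recent Failure, None before one
    for kind, ident, message in exchange:
        if kind == "failure":
            retry_ok = parse_failure(message)["retry"]
        elif kind == "response":
            if retry_ok is False:
                findings.append((ident, "retry sent after R=0"))
            elif (retry_ok and last_id is not None
                  and ident != (last_id + 1) % 256):
                findings.append((ident, "retry did not increment identifier"))
            last_id, retry_ok = ident, None
    return findings

# Constructed sample traces (not captured traffic).
FAIL = ("E=691 R=1 C=00112233445566778899AABBCCDDEEFF"
        " V=3 M=Re-enter the password")
GOOD = [("response", 7, None), ("failure", 7, FAIL), ("response", 8, None)]
BAD = [("response", 7, None), ("failure", 7, FAIL), ("response", 7, None)]

if __name__ == "__main__":
    for name, trace in (("good", GOOD), ("bad", BAD)):
        print(name, check_retries(trace))
```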