MS-CHAP-V2 with no retry

James J J Hooper jjj.hooper at bristol.ac.uk
Sun Apr 10 13:57:45 CEST 2011


On 10/04/2011 12:39, James J J Hooper wrote:
> On 10/04/2011 12:16, James J J Hooper wrote:
>> On 10/04/2011 07:03, Alan DeKok wrote:
>>> James J J Hooper wrote:
>>>> I may have misunderstood the code, but I think the EAP MS-CHAP-v2
>>>> Failure packet should be an EAP *request* (currently it's EAP failure)??
>>>
>>> Yes, thanks.
>>
>>
>> Also, args to pairmove2 are wrong way around, as attached.
>>
>
>
> After that last change (p4.txt.gz), I think it's now doing the right thing:
>
> * wpa_supplicant output matches Phil's (against W2k8 NPS), with the
> exception that M=... is always present.
>
> * With allow_retry = no, XP pops up the usual 'enter credentials...'
> bubble, and box.
>
> * With allow_retry = yes, XP pops a "click to process credentials" bubble,
> then a "type your password again" box:
> http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png


...Although, when you correct the password in the 'allow_retry = yes'
popup, I don't think FR has got the bit to handle that yet:

Found Auth-Type = eduroamalieneap-bris-sha-ca
# Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner
+- entering group eduroamalieneap-bris-sha-ca {...}
[eduroamalieneap-bris-sha-ca] Request found, released from the list
[eduroamalieneap-bris-sha-ca] EAP/mschapv2
[eduroamalieneap-bris-sha-ca] processing type mschapv2
rlm_eap_mschapv2: Unexpected response received                     << ***
[eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2
[eduroamalieneap-bris-sha-ca] Failed in EAP select
++[eduroamalieneap-bris-sha-ca] returns invalid
Failed to authenticate the user.
Login incorrect: [jh1761-s at bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel)
} # server eduroamalien-inner
[peap] Got tunneled reply code 3
         EAP-Message = 0x040c0004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
         EAP-Message = 0x040c0004
         Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE

-James
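
For readers decoding the `EAP-Message` values in the debug output above, a small decoder follows. It is an added example, not part of the original post or of FreeRADIUS. It assumes the EAP header layout (code, id, 2-byte length), the EAP-MSCHAPv2 layout from the EAP-MSCHAPv2 draft (type 26, opcode, MS-CHAPv2-ID, MS-Length) and the RFC 2759 failure string (`E= R= C= V= M=`); `build_failure_request` and its message text are constructed sample data.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}

def parse_failure_message(text):
    """Split 'E=691 R=1 C=<hex> V=3 M=<text>' into a dict; M= runs to the end."""
    head, sep, msg = text.partition(" M=")
    fields = {"M": msg} if sep else {}
    for token in head.split():
        key, eq, value = token.partition("=")
        if eq:
            fields[key] = value
    return fields

def decode_eap(hex_value):
    """Decode an EAP-Message attribute value as printed in debug output."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:          # only Request/Response carry a type
        out["type"] = body[0]
        if body[0] == 26 and len(body) >= 2:
            out["opcode"] = OPCODES.get(body[1], body[1])
            if code == 1 and body[1] == 4 and len(body) >= 5:
                # body: type, opcode, MS-CHAPv2-ID, MS-Length (2 bytes), message
                out["failure"] = parse_failure_message(body[5:].decode("ascii", "replace"))
    return out

def build_failure_request(ident, allow_retry):
    """Constructed sample: MS-CHAPv2 Failure carried in an EAP Request."""
    msg = ("E=691 R=%d C=%s V=3 M=Authentication failed"
           % (int(allow_retry), "00" * 16)).encode("ascii")
    ms_len = 4 + len(msg)                # opcode + id + MS-Length + message
    packet = struct.pack("!BBHBBBH", 1, ident, 5 + ms_len, 26, 4, ident, ms_len) + msg
    return "0x" + packet.hex()

if __name__ == "__main__":
    print(decode_eap("0x040c0004"))      # value taken from the log above
    print(decode_eap(build_failure_request(13, allow_retry=False)))
```

The value `0x040c0004` from the log decodes as a bare EAP Failure (id 12, length 4) with no MS-CHAPv2 payload, while the constructed packet shows where the `R=` retry flag sits when the failure is carried in an EAP Request.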


