MS-CHAP-V2 with no retry

John.Hayward at wheaton.edu
Wed Apr 13 23:19:26 CEST 2011


First - thanks to the FreeRADIUS group for all the work on this over the 
weekend.

There have been some fixes and extensions to my original patches and I 
saw a commit on Friday before some fixes and extensions were in place.

Can someone point me to exactly what I need to "git" to get the current 
version of freeradius with the patches so I can do some testing at our 
site?

TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:

> Date: Mon, 11 Apr 2011 08:45:13
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Reply-To: FreeRadius users mailing list
>     <freeradius-users at lists.freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: MS-CHAP-V2 with no retry
> 
> On 11/04/11 11:22, Phil Mayers wrote:
>> On 10/04/11 15:41, James J J Hooper wrote:
>> 
>>> 
>>> This C=<random> needs to be saved and eventually make its way in to
>>> data->challenge so that the line lower down:
>>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>> 
>> It's actually a bit more complex; the new challenge is being generated
>> inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
>> needs to know it, so that it can add it to the fake request which it
>> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>> 
>> This would also get us part of the way there to password change via
>> mschap (Samba currently lacks the specific API call to do this, with the
>> values available in an MSCHAP CPW packet, but it might be possible to
>> compile a C helper which does it...)
>> 
>
> The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work 
> for me.
>
> It needs a bit of work, specifically there should be a:
>
> num_retries
>
> ...parameter, and the EAP module should keep track of retry attempt counts, 
> and stop when either:
>
> try_number > num_retries
>
> or
>
> R=0 in the MS-CHAP-Error attribute
>
> Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it 
> should go into 2.1.11 - there's probably not enough testing time.
>
> It works for a Windows XP SP3 client here, as well as with a jury-rigged 
> eapol_test/wpa_cli combo.
>
> I'll spin up an SSID and give it a try with real clients later today.
>
> Of note: this gets us nearer to MS-CHAP change-password functionality; I've 
> looked into this a couple of times recently and Samba has almost all the bits 
> required to make it work... However, that would require some infrastructure 
> for the server to override the MS-CHAP error code, currently hard-coded at 
> 691 - 648 is "password expired" and would need to be set, either by parsing 
> the output of ntlm_auth (for those that use it) or from some SQL/database 
> attribute (for those using Cleartext/NT-Password)
>

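The retry exchange the thread describes, as an added worked example (Python, not FreeRADIUS's C and not Phil's patch): the server side mints a fresh challenge and carries it in the C= field of the MS-CHAP-Error string laid out in RFC 2759 section 6, the EAP side parses that string, adopts the new challenge for the fake request it passes back as MS-CHAP-Challenge, and stops on either of the two conditions Phil lists (try_number > num_retries, or R=0). The names MsChapError and RetryState, the exact num_retries semantics (retries allowed after the first failure) and the sample challenges are this example's own assumptions. Note that the RADIUS MS-CHAP-Error attribute (RFC 2548) prefixes the string with an Ident octet; the parser below expects that octet already stripped.

```python
"""MS-CHAP-Error handling for an EAP-MSCHAPv2 retry loop (added example,
not FreeRADIUS code). Format per RFC 2759 section 6:
    E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>
MsChapError, RetryState and the num_retries semantics are assumptions of
this example, not rlm_eap_mschapv2 identifiers."""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MSCHAPV2_CHALLENGE_LEN = 16          # authenticator challenge, 16 octets

# Error codes from RFC 2759 section 6; the two the thread discusses.
ERROR_AUTHENTICATION_FAILURE = 691
ERROR_PASSWD_EXPIRED = 648

_ERROR_RE = re.compile(
    r"^E=(?P<code>\d{1,10}) R=(?P<retry>[01]) "
    r"C=(?P<challenge>[0-9A-Fa-f]{32}) V=(?P<version>\d{1,10})"
    r"(?: M=(?P<message>.*))?$",
    re.DOTALL,
)


def fresh_challenge() -> bytes:
    """Server side: a new random challenge for the retry."""
    return os.urandom(MSCHAPV2_CHALLENGE_LEN)


def build_mschap_error(code: int, allow_retry: bool, new_challenge: bytes,
                       message: str = "", version: int = 3) -> str:
    """Server side: render the MS-CHAP-Error string. The new challenge goes
    in C= because the client's next NT-Response is computed against it."""
    if len(new_challenge) != MSCHAPV2_CHALLENGE_LEN:
        raise ValueError("challenge must be %d octets" % MSCHAPV2_CHALLENGE_LEN)
    text = "E=%d R=%d C=%s V=%d" % (
        code, 1 if allow_retry else 0, new_challenge.hex().upper(), version)
    if message:
        text += " M=" + message
    return text


@dataclass(frozen=True)
class MsChapError:
    code: int
    retry_allowed: bool
    challenge: bytes
    version: int
    message: str


def parse_mschap_error(text: str) -> MsChapError:
    """EAP side: pull E=, R= and C= out of the string; reject anything that
    does not match the RFC layout instead of guessing."""
    m = _ERROR_RE.match(text)
    if m is None:
        raise ValueError("malformed MS-CHAP-Error: %r" % text)
    return MsChapError(code=int(m["code"]), retry_allowed=m["retry"] == "1",
                       challenge=bytes.fromhex(m["challenge"]),
                       version=int(m["version"]), message=m["message"] or "")


@dataclass
class RetryState:
    """Per-session retry bookkeeping for the EAP module (assumed design)."""
    num_retries: int      # config knob: retries allowed after the first failure
    challenge: bytes      # challenge the client must answer next
    try_number: int = 0   # failures seen so far

    def on_failure(self, err: MsChapError) -> Optional[Dict[str, bytes]]:
        """Returns the attributes for the fake request that goes back into
        the MS-CHAP authenticator when a retry is allowed, else None
        (send EAP-Failure)."""
        self.try_number += 1
        if not err.retry_allowed:              # R=0: server forbids retry
            return None
        if self.try_number > self.num_retries:  # retry budget exhausted
            return None
        self.challenge = err.challenge          # adopt the server's new C=
        return {"MS-CHAP-Challenge": self.challenge}


def run_example() -> List[Optional[str]]:
    """Walk one session with num_retries=2 through three failures using
    constructed challenges (a real server would call fresh_challenge()).
    Returns the hex challenge handed to the client after each failure,
    None where the session gives up."""
    state = RetryState(num_retries=2, challenge=bytes(MSCHAPV2_CHALLENGE_LEN))
    out: List[Optional[str]] = []
    for i in range(1, 4):
        wire = build_mschap_error(ERROR_AUTHENTICATION_FAILURE, True,
                                  bytes([i]) * MSCHAPV2_CHALLENGE_LEN,
                                  "Authentication failed")
        fake_request = state.on_failure(parse_mschap_error(wire))
        out.append(None if fake_request is None
                   else fake_request["MS-CHAP-Challenge"].hex())
    return out


if __name__ == "__main__":
    print(run_example())
```

With num_retries=2 the third failure returns None even though the server still said R=1, which is the client-side cap Phil asks for; an R=0 from the server ends the session on the first failure regardless of the cap. Changing the E= code to 648 (ERROR_PASSWD_EXPIRED) is the hook the password-change discussion needs; this example only parses it, it does not implement the change-password flow.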