MS-CHAP-V2 with no retry
John.Hayward at wheaton.edu
John.Hayward at wheaton.edu
Wed Apr 13 23:19:26 CEST 2011
First - thanks to the free radius group for all the work on this over the
weekend.
There have been some fixes and extensions to my original patches and I
saw a commit on Friday before some fixes and extensions were in place.
Can someone point me to exactly what I need to "git" to get the current
version of freeradius with the patches so I can do some testing at our
site?
TIA.
johnh...
On Mon, 11 Apr 2011, Phil Mayers wrote:
> Date: Mon, 11 Apr 2011 08:45:13
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Reply-To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: MS-CHAP-V2 with no retry
>
> On 11/04/11 11:22, Phil Mayers wrote:
>> On 10/04/11 15:41, James J J Hooper wrote:
>>
>>>
>>> This C=<random> needs to be saved and eventually make it's way in to
>>> data->challenge so that the line lower down:
>>> memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);
>>
>> It's actually a bit more complex; the new challenge is being generated
>> inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2
>> needs to know it, so that it can add it to the fake request which it
>> then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
>>
>> This would also get us part of the way there to password change via
>> mschap (Samba currently lacks the specific API call to do this, with the
>> values available in an MSCHAP CPW packet, but it might be possible to
>> compile a C helper which does it...)
>>
>
> The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work
> for me.
>
> It needs a bit of work, specifically there should be a:
>
> num_retries
>
> ...parameter, and the EAP module should keep track of retry attempt counts,
> and stop when either:
>
> try_number > num_retries
>
> or
>
> R=0 in the MS-CHAP-Error attribute
>
> Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it
> should go into 2.1.11 - there's probably not enough testing time.
>
> It works for a Windows XP SP3 client here, as well as with a jury-rigged
> eapol_test/wpa_cli combo.
>
> I'll spin up an SSID and give it a try with real clients later today.
>
> Of note: this gets us nearer to MS-CHAP change-password functionality; I've
> looked into this a couple of times recently and Samba has almost all the bits
> required to make it work... However, that would require some infrastructure
> for the server to override the MS-CHAP error code, currently hard-coded at
> 691 - 648 is "password expired" and would need to be set, either by parsing
> the output of ntlm_auth (for those that use it) or from some SQL/database
> attribute (for those using Cleartext/NT-Password)
>
More information about the Freeradius-Users
mailing list