MS-CHAP-V2 with no retry

John.Hayward at wheaton.edu
Thu Apr 21 17:59:45 CEST 2011


Just a brief update.

In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as 
expected with this retry patch - user is presented with a password 
dialog box and the connection is not aborted - user only needs to enter 
the correct password to be connected and no "contact your network 
administrator" or other messages occur.

Our support people are thrilled.

johnh...


  On Thu, 21 Apr 2011, John.Hayward at wheaton.edu wrote:

> Date: Thu, 21 Apr 2011 10:03:30
> From: John.Hayward at wheaton.edu
> Reply-To: FreeRadius users mailing list
>     <freeradius-users at lists.freeradius.org>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: MS-CHAP-V2 with no retry
> 
>
> Thanks again for your work on this facility.
>
> I built and installed with the new patches.
> Unfortunately things did not quite work - however, with a small change I could 
> get the retry to work properly on a Windows 7 machine.
>
> The problem is that when we do a retry, in addition to setting the challenge 
> value we also need to change the data->code to challenge rather than failure. 
> When the response comes back we can correctly deal with it.
>
> ==== original patch -- with suggested changes **** ====
> 678 -    pairmove2(&response, &handler->request->reply->vps,
> 679 -        PW_MSCHAP_ERROR);
> 678 +    pairmove2(&response, &handler->request->reply->vps,
> 679 +        PW_MSCHAP_ERROR);
> **** add failure code by default
> 	 data->code = PW_EAP_MSCHAPV2_FAILURE;
> ****
> 680 +    if (response) {
> 681 +      int n,err,retry;
> 682 +      char buf[34];
> 683 + 684 +      DEBUG2("  MSCHAP-Error: %s", response->vp_strvalue);
> 685 +
> 686 +      /*
> 687 +       * parse the new challenge out of the MS-CHAP-Error, so if the 
> client
> 688 +       * issues a re-try, we'll know the challenge value they used
> 689 +       */
> 690 +      n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, 
> &retry, &buf);
> 691 +      if (n==3) {
> 692 +        DEBUG2("  Found new challenge from MS-CHAP-Error: err=%d 
> retry=%d challenge=%s", err, retry, buf);
> 693 +        fr_hex2bin(buf, data->challenge, 16);
> **** Set code to challenge if we find a challenge
> 	     data->code = PW_EAP_MSCHAPV2_CHALLENGE;
> ****
> 694 +      } else {
> 695 +        DEBUG2("  Could not parse new challenge from MS-CHAP-Error: %d", 
> n);
> 696 +      }
> 697 +    }
> 680
> **** remove this code since set above
> 698 	data->code = PW_EAP_MSCHAPV2_FAILURE;
> ****
> ====   END OF original patch ===
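
Review bot: `retry` is parsed from the `R=` field by the sscanf call but is only printed, so the suggested `data->code = PW_EAP_MSCHAPV2_CHALLENGE;` in the `n==3` branch fires even when the MS-CHAP-Error carries R=0 (retry not allowed). Gate the state change on it, for example `if (n == 3 && retry)`, and leave the default `PW_EAP_MSCHAPV2_FAILURE` in place otherwise. Two smaller points in the same block: the sscanf passes `&buf` where `%32s` expects `buf`, and `%32s` also accepts fewer than 32 characters, so check that `buf` holds exactly 32 hex digits before `fr_hex2bin(buf, data->challenge, 16)`; otherwise a short or malformed `C=` value can leave `data->challenge` only partly updated while the code is already set to challenge.
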
>
> johnh...