MS-CHAP-V2 with no retry

John.Hayward at John.Hayward at
Fri Mar 4 04:54:16 CET 2011

On Thu, 3 Mar 2011, Phil Mayers wrote:

> Date: Thu, 3 Mar 2011 17:09:42
> From: Phil Mayers <p.mayers at>
> Reply-To: FreeRadius users mailing list
>     <freeradius-users at>
> To: freeradius-users at
> Subject: Re: MS-CHAP-V2 with no retry
>> It has been reported that if the Microsoft NPS server is configured
>> for no retries (E=691 R=0) that mac/iphones/ipads then act like
>> windows xp machines in that they report to the user that the password
>> needs attention.
>> Would it be possible to modify rlm_mschap.c to be conigured as to how
>> many retries were allowed before returning authentication failure
>> with no retry?
> Obviously it's possible. It's not clear it would help though; are you using 
> plain MS-CHAP or EAP-MSCHAP?
> Can you explain what you're trying to accomplish; I didn't really understand 
> your email in full (not sure what the stuff about Macs was all about; not 
> sure whether "change password" means "user tries again with a different 
> password string" or "user executes the change-password protocol because their 
> old one has expired)

We have most things (portal authentication, blackboard, wireless) using 
freeradius with Novell NDSLdap for authentication.  We also have a 
password change policy which requires user periodically change their 
password.  They can most easily do so by going to a website set up for 

Here is the sequence of events which leads to a heavy support load.

1) User initially set up their wireless connection using a current 
2) The device caches the password.
3) The user operates for a long period of time without issue.
4) The user is notified their password will expire in a short time in the
    future by e-mail - telling them to change their password at the
    password change web site.
5) The user goes to the password change web site and changes their
6) After the password change has occurred - When the user attempts to
    connect to the wireless network:
    a) for wireless Windows running xp they see a message indicating they
       need to re-enter their password for the computer (the cashed old
       password no longer works) and the user enters the current password
       and life goes on.
    b) for wireless apple devices (os 10.6, iphones, ipads) they get no such
       message  the device just keeps trying to authenticate and failing without
       prompting the user - after a certain number of failures the Novell
       NDS Ldap locks the user because intruder lock out facility.
       Now the user cannot login to systems which use uses NDSLdap
       authentication.  User shows up at support center confused.

It is known that the apple supplicant fails to increment the ID on the 
retry which is required by the MS-CHAP protocol.  At least one person 
report that if the radius server responds with a failed authentication error
message (E=691 R=0) - which indicates the client should not retry - causes the
apple device to prompt the user for a new password.  This is the same behavior
which windows xp users see.

I am not asking that freeradius server be used to change the password.

I am asking that it be configurable as to how many retries are allowed (eg 
how many E=691 R=1) before a no retries failed authentication message 
(E=691 R=0) is sent.

If a no retries failed authentication message (E=691 R=0) is sent I 
believe that that the apple device to re-prompt the user to update the password.


  > -
> List info/subscribe/unsubscribe? See 

More information about the Freeradius-Users mailing list