MS-CHAP-V2 with no retry
John.Hayward at wheaton.edu
Fri Mar 4 04:54:16 CET 2011
On Thu, 3 Mar 2011, Phil Mayers wrote:
> Date: Thu, 3 Mar 2011 17:09:42
> From: Phil Mayers <p.mayers at imperial.ac.uk>
> Reply-To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> To: freeradius-users at lists.freeradius.org
> Subject: Re: MS-CHAP-V2 with no retry
>> It has been reported that if the Microsoft NPS server is configured
>> for no retries (E=691 R=0) that mac/iphones/ipads then act like
>> windows xp machines in that they report to the user that the password
>> needs attention.
>> Would it be possible to modify rlm_mschap.c to be configured as to how
>> many retries were allowed before returning authentication failure
>> with no retry?
> Obviously it's possible. It's not clear it would help though; are you using
> plain MS-CHAP or EAP-MSCHAP?
> Can you explain what you're trying to accomplish; I didn't really understand
> your email in full (not sure what the stuff about Macs was all about; not
> sure whether "change password" means "user tries again with a different
> password string" or "user executes the change-password protocol because their
> old one has expired)
We have most things (portal authentication, blackboard, wireless) using
freeradius with Novell NDSLdap for authentication. We also have a
password change policy which requires user periodically change their
password. They can most easily do so by going to a website set up for
Here is the sequence of events which leads to a heavy support load.
1) User initially set up their wireless connection using a current
2) The device caches the password.
3) The user operates for a long period of time without issue.
4) The user is notified their password will expire in a short time in the
future by e-mail - telling them to change their password at the
password change web site.
5) The user goes to the password change web site and changes their
6) After the password change has occurred - When the user attempts to
connect to the wireless network:
a) for wireless Windows running xp they see a message indicating they
need to re-enter their password for the computer (the cached old
password no longer works) and the user enters the current password
and life goes on.
b) for wireless apple devices (os 10.6, iphones, ipads) they get no such
message; the device just keeps trying to authenticate and failing without
prompting the user - after a certain number of failures the Novell
NDS Ldap locks the user out because of the intruder lockout facility.
Now the user cannot log in to systems which use NDSLdap
authentication. User shows up at support center confused.
It is known that the apple supplicant fails to increment the ID on the
retry which is required by the MS-CHAP protocol. At least one person
reports that if the radius server responds with a failed authentication error
message (E=691 R=0) - which indicates the client should not retry - the
apple device prompts the user for a new password. This is the same behavior
which windows xp users see.
I am not asking that freeradius server be used to change the password.
I am asking that it be configurable as to how many retries are allowed (e.g.
how many E=691 R=1) before a no retries failed authentication message
(E=691 R=0) is sent.
If a no retries failed authentication message (E=691 R=0) is sent I
believe that the apple device will re-prompt the user to update the password.
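The behaviour proposed above, as an added illustration that is not part of the original thread or of rlm_mschap: a per-user retry budget that returns the MS-CHAP-V2 Failure string with R=1 for the first N failures and R=0 afterwards, so a supplicant that keeps resubmitting a stale cached password is told to stop before an LDAP intruder-lockout threshold is reached. The failure string layout follows RFC 2759 section 6; `RetryPolicy` and `max_retries` are hypothetical names, not a FreeRADIUS configuration item.

```python
import os
from dataclasses import dataclass, field

# MS-CHAP-V2 error code for a wrong password (RFC 2759 section 6)
ERROR_AUTHENTICATION_FAILURE = 691


def mschap2_failure(retry_allowed: bool, challenge: bytes, message: str) -> str:
    """Build the Failure Response string: "E=eeeeeeeeee R=r C=<32 hex> V=v M=<msg>".

    R=1 tells the client it may retry with a new response to challenge C;
    R=0 tells it to give up, which is what makes the Apple supplicant
    re-prompt the user instead of looping on the cached password.
    """
    if len(challenge) != 16:
        raise ValueError("new challenge must be 16 bytes")
    return (f"E={ERROR_AUTHENTICATION_FAILURE} R={1 if retry_allowed else 0} "
            f"C={challenge.hex().upper()} V=3 M={message}")


@dataclass
class RetryPolicy:
    """Hypothetical per-user retry budget (the configurable knob the email asks for)."""
    max_retries: int                  # R=1 failures allowed before sending R=0
    failures: dict = field(default_factory=dict)  # user -> consecutive failures

    def on_failure(self, user: str) -> str:
        """Record a failed MS-CHAP-V2 response and return the failure string to send."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        retry = count <= self.max_retries
        challenge = os.urandom(16)    # a retry must use a fresh server challenge
        text = "Authentication failed" if retry else "Password no longer valid"
        return mschap2_failure(retry, challenge, text)

    def on_success(self, user: str) -> None:
        """A successful login clears the counter so later typos are not penalised."""
        self.failures.pop(user, None)


def retry_flag(failure_msg: str) -> int:
    """Parse the R= field from a failure string, as the supplicant would."""
    # M= is last and may contain spaces, so only the first four fields are split.
    fields = dict(f.split("=", 1) for f in failure_msg.split(" ", 4)[:4])
    return int(fields["R"])
```

With max_retries=0 the first failure already carries R=0, matching an NPS server configured for no retries.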