MS-CHAP-V2 with no retry

Phil Mayers p.mayers at
Fri Mar 4 10:38:46 CET 2011

> I am asking that it be configurable as to how many retries are allowed
> (eg how many E=691 R=1) before a no retries failed authentication
> message (E=691 R=0) is sent.

Ah gotcha. Thanks for the detail!

As Alan has suggested in his other email, you can change the 
"MS-CHAP-Error" in the post-auth section:

post-auth {
   Post-Auth-Type REJECT {
     if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
       update reply {
         MS-CHAP-Error := "E=691 R=0"

> If a no retries failed authentication message (E=691 R=0) is sent I
> believe that that the apple device to re-prompt the user to update the
> password.

...but I'm not sure this will work.

The reason being, if you're using wireless you're probably using 
PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner - 
that is, it is *not* raw mschap inside the tunnel.

The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:

E=691 R=0

...ignoring any errors the "mschap" module might have generated.

So in theory at least, FreeRadius is already doing what you want for 
EAP-MSCHAP, and changing it won't help.

More information about the Freeradius-Users mailing list