MS-CHAP-V2 with no retry
Phil Mayers
p.mayers at imperial.ac.uk
Fri Mar 4 10:38:46 CET 2011
> I am asking that it be configurable as to how many retries are allowed
> (eg how many E=691 R=1) before a no retries failed authentication
> message (E=691 R=0) is sent.
>
Ah gotcha. Thanks for the detail!
As Alan has suggested in his other email, you can change the
"MS-CHAP-Error" in the post-auth section:
    post-auth {
        Post-Auth-Type REJECT {
            # Only rewrite the "retry allowed" form of the authentication failure
            if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
                update reply {
                    MS-CHAP-Error := "E=691 R=0"
                }
            }
        }
    }
> If a no retries failed authentication message (E=691 R=0) is sent I
> believe that the apple device will re-prompt the user to update the
> password.
...but I'm not sure this will work.
The reason being, if you're using wireless you're probably using
PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner -
that is, it is *not* raw mschap inside the tunnel.
The FreeRADIUS EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
...ignoring any errors the "mschap" module might have generated.
So in theory at least, FreeRADIUS is already doing what you want for
EAP-MSCHAP, and changing it won't help.
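As an added illustration, not part of Phil's mail or of FreeRADIUS's own code: a Python model of the MS-CHAP-Error attribute (one Ident byte followed by the E=/R=/C=/V=/M= text laid out in RFC 2759 section 6 and carried in RADIUS per RFC 2548) plus the same "E=691 R=1 becomes E=691 R=0" rewrite as the post-auth snippet above, so captured reply attributes can be checked for which retry flag the client actually received. The sample values in the comments and tests are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Text layout from RFC 2759 section 6; RADIUS (RFC 2548) prefixes one Ident byte.
#   "E=eeeeeeeeee R=b C=<32 hex chars> V=vvvvvvvvvv M=<message>"
_HEAD_RE = re.compile(
    r"E=(?P<E>\d+) R=(?P<R>[01])(?: C=(?P<C>[0-9A-Fa-f]{32}))?(?: V=(?P<V>\d+))?"
)

@dataclass
class MsChapError:
    ident: int
    error: int            # 691 = authentication failure, 648 = password expired
    retry_allowed: bool   # the R= flag the client acts on
    challenge: Optional[str]
    version: Optional[int]
    message: Optional[str]

    def encode(self) -> bytes:
        parts = [f"E={self.error}", f"R={int(self.retry_allowed)}"]
        if self.challenge is not None:
            parts.append(f"C={self.challenge}")
        if self.version is not None:
            parts.append(f"V={self.version}")
        if self.message is not None:
            parts.append(f"M={self.message}")
        return bytes([self.ident]) + " ".join(parts).encode("ascii")

def parse_mschap_error(raw: bytes) -> MsChapError:
    """Parse an MS-CHAP-Error attribute value (Ident byte + text), e.g. b'\\x01E=691 R=1 V=3 M=Bad'."""
    if len(raw) < 2:
        raise ValueError("MS-CHAP-Error needs an Ident byte plus text")
    text = raw[1:].decode("ascii")
    head, sep, msg = text.partition(" M=")   # M= is free text and runs to the end
    m = _HEAD_RE.match(head)
    if not m:
        raise ValueError(f"malformed MS-CHAP-Error text: {text!r}")
    return MsChapError(
        ident=raw[0], error=int(m["E"]), retry_allowed=m["R"] == "1",
        challenge=m["C"], version=int(m["V"]) if m["V"] else None,
        message=msg if sep else None,
    )

def deny_retry(raw: bytes) -> bytes:
    """Mirror the post-auth rewrite: E=691 R=1 becomes E=691 R=0; anything else is left unchanged."""
    err = parse_mschap_error(raw)
    if err.error == 691 and err.retry_allowed:
        err.retry_allowed = False
        return err.encode()
    return raw
```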