MS-CHAP-V2 with no retry
John.Hayward at wheaton.edu
Fri Mar 4 20:33:29 CET 2011
See comments below - johnh...
> Phil Mayers wrote:
>> On 04/03/11 09:46, Alan DeKok wrote:
>> Isn't that what this code does in rlm_eap_mschapv2.c:
>
> It's *supposed* to add the error message. But so far as I can see,
> it's never called when the PW_MSCHAP_ERROR is used.
>
>> Perhaps I'm mis-reading it?
>
> Nope. It's just never used.
>
> Anyways, due to that (and other) issues, I've attached a new patch.
> That *should* just re-use the MS-CHAP-Error string from the MS-CHAP
> module, without over-writing it with a fixed error.
Is this a proper statement of the summary of where we are:
1) In freeradius version 2.1.10 and older (at least 1.1.7) there was
a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE, a response was
sent back to the client but there was no message in the response.
2) The patch given resolves that problem - giving the message
of the rlm_mschap.c module of E=691 R=1
3) It is possible to configure in radius.conf the message on failure by:
====
post-auth {
    Post-Auth-Type REJECT {
        if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
            update reply {
                MS-CHAP-Error := "E=691 R=0"
            }
        }
    }
}
====
Let me know where I am wrong in these assertions.
I will try to test the patch in our environment and let the results be
known next week.
johnh...
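
An added example, not part of the original message or of the FreeRADIUS source: a C routine that does what the policy in point 3 does, but by parsing the leading E= and R= fields of the MS-CHAP-Error string and clearing only the retry flag, so other error codes and any trailing fields are kept. The struct and function names are hypothetical, and the field layout assumed is the RFC 2759 failure string ("E=<code> R=<0|1>" followed by optional fields).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Leading fields of an MS-CHAP-Error string (layout assumed from RFC 2759). */
struct mschap_error {
    long code;        /* E= value, e.g. 691 */
    int retry;        /* R= value: 1 = retry allowed, 0 = no retry */
    const char *rest; /* text after the R field (" C=... V=..."), may be "" */
};

/* Returns 0 on success, -1 if s does not start with "E=<digits> R=<0|1>". */
int mschap_error_parse(const char *s, struct mschap_error *out)
{
    char *end;

    if (strncmp(s, "E=", 2) != 0) return -1;
    if (s[2] < '0' || s[2] > '9') return -1;      /* reject sign or whitespace */
    out->code = strtol(s + 2, &end, 10);
    if (strncmp(end, " R=", 3) != 0) return -1;
    end += 3;
    if (*end != '0' && *end != '1') return -1;
    out->retry = *end - '0';
    end++;
    if (*end != '\0' && *end != ' ') return -1;   /* flag must be one digit */
    out->rest = end;
    return 0;
}

/* Copy `in` to `dst` with the retry flag forced to 0, other fields preserved.
 * Returns 0 on success, -1 on parse failure or if dst is too small. */
int mschap_error_no_retry(const char *in, char *dst, size_t dstlen)
{
    struct mschap_error e;
    int n;

    if (mschap_error_parse(in, &e) < 0) return -1;
    n = snprintf(dst, dstlen, "E=%ld R=0%s", e.code, e.rest);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}
```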