MS-CHAP-V2 with no retry

John.Hayward at John.Hayward at
Fri Mar 4 20:33:29 CET 2011

See comments below - johnh...
> Phil Mayers wrote:
>> On 04/03/11 09:46, Alan DeKok wrote:
>> Isn't that what this code does in rlm_eap_mschapv2.c:
>  It's *supposed* to add the error message.  But so far as I can see,
> it's never called when the PW_MSCHAP_ERROR is used.
>> Perhaps I'm mis-reading it?
>  Nope.  It's just never used.
>  Anyways, due to that (and other) issues, I've attached a new patch.
> That *should* just re-use the MS-CHAP-Error string from the MS-CHAP
> module, without over-writing it with a fixed error.

Is this a proper statement of the summary of where we are:

1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
    a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
    a response sent back to the client but there was no message in the

2) The patch given resolves that problem - giving the message
    of the rlm_mschap.c module of E=691 R=1

3) It is possible to configure in radius.conf the message on failure by:
post-auth {
    Post-Auth-Type REJECT {
      if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
        update reply {
          MS-CHAP-Error := "E=691 R=0"

Let me know where I am wrong in these assertions.

I will try to test the patch in our environment and let the results be 
known next week.


More information about the Freeradius-Users mailing list