MS-CHAP-V2 with no retry
Alan DeKok
aland at deployingradius.com
Sat Mar 5 07:23:54 CET 2011
John.Hayward at wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) there was
> a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE, a response
> was sent back to the client but there was no message in the
> response.

It's more complicated. The server would send EAP-Failure, and nothing
else.

> 2) The patch given resolves that problem - giving the message
> of the rlm_mschap.c module of E=691 R=1

On closer inspection, the patch doesn't resolve anything. It still
sends an EAP-Failure. It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the
client has ACKed that, it should *then* send EAP-Failure.

i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

No. That sends back an MS-CHAP-Error. The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

Alan DeKok.
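
The extra round trip described in the message above, as an added example that is not part of the original post and is not FreeRADIUS code. The function names and identifier values are hypothetical, and the byte layout assumes the EAP-MSCHAPv2 draft (draft-kamath-pppext-eap-mschapv2) with the RFC 3748 EAP header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EAP_REQUEST = 1, EAP_RESPONSE = 2, EAP_FAILURE = 4 }; /* RFC 3748 codes */
enum { EAP_TYPE_MSCHAPV2 = 26, OP_FAILURE = 4 };             /* EAP-MSCHAPv2 draft */

/* Step 1: wrap the MS-CHAP-Error text in an EAP-MSCHAPv2 Failure packet.
 * The server's side of the round trip travels as an EAP-Request.
 * Returns the packet length, or 0 if it does not fit in out[]. */
size_t build_mschapv2_failure(uint8_t *out, size_t cap, uint8_t eap_id,
                              uint8_t mschap_id, const char *error)
{
    size_t mlen = strlen(error);
    size_t ms_len = 4 + mlen;  /* OpCode, MS-CHAPv2-ID, MS-Length(2), Message */
    size_t total = 5 + ms_len; /* Code, Identifier, Length(2), Type */
    if (total > cap || total > 0xffff) return 0;
    out[0] = EAP_REQUEST;            out[1] = eap_id;
    out[2] = (uint8_t)(total >> 8);  out[3] = (uint8_t)total;
    out[4] = EAP_TYPE_MSCHAPV2;
    out[5] = OP_FAILURE;             out[6] = mschap_id;
    out[7] = (uint8_t)(ms_len >> 8); out[8] = (uint8_t)ms_len;
    memcpy(out + 9, error, mlen);
    return total;
}

/* Step 2: emit the bare EAP-Failure only if the peer's reply is the 6-byte
 * Failure acknowledgement for our request. Returns 4, or 0 to refuse. */
size_t build_eap_failure_after_ack(uint8_t *out, size_t cap, const uint8_t *ack,
                                   size_t ack_len, uint8_t req_id)
{
    static const uint8_t tail[4] = { 0, 6, EAP_TYPE_MSCHAPV2, OP_FAILURE };
    if (cap < 4 || ack_len != 6) return 0;
    if (ack[0] != EAP_RESPONSE || ack[1] != req_id) return 0;
    if (memcmp(ack + 2, tail, 4) != 0) return 0;
    out[0] = EAP_FAILURE; out[1] = ack[1]; /* same Identifier as the Response */
    out[2] = 0;           out[3] = 4;
    return 4;
}

int main(void)
{
    uint8_t req[64], fail[4];
    const uint8_t ack[6] = { 2, 7, 0, 6, 26, 4 }; /* constructed peer reply */
    size_t n = build_mschapv2_failure(req, sizeof req, 7, 7, "E=691 R=1");
    for (size_t i = 0; i < n; i++) printf("%02x", req[i]);
    printf("\nEAP-Failure bytes: %zu\n",
           build_eap_failure_after_ack(fail, sizeof fail, ack, sizeof ack, 7));
    return 0;
}
```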