MS-CHAP-V2 with no retry

John Hayward john.hayward at wheaton.edu
Tue Mar 8 22:26:46 CET 2011


Any idea of the time frame?
Should I spend my time looking at the code and proposing a patch?
johnh...
________________________________________
From: freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org] on behalf of Alan DeKok [aland at deployingradius.com]
Sent: Saturday, March 05, 2011 12:23 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry

John.Hayward at wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
>    a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
>    a response sent back to the client but there was no message in the
>    response.

  It's more complicated.  The server would send EAP-Failure, and nothing
else.

> 2) The patch given resolves that problem - giving the message
>    of the rlm_mschap.c module of E=691 R=1

  On closer inspection, the patch doesn't resolve anything.  It still
sends an EAP-Failure.  It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code.  After the
client has ACKed that, it should *then* send EAP-Failure.

  i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

  No.  That sends back an MS-CHAP-Error.  The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list