MS-CHAP-V2 with no retry
John Hayward
john.hayward at wheaton.edu
Tue Mar 8 22:26:46 CET 2011
Any idea of the time frame?
Should I spend my time looking at the code and proposing a patch?
johnh...
________________________________________
From: freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton.edu at lists.freeradius.org] on behalf of Alan DeKok [aland at deployingradius.com]
Sent: Saturday, March 05, 2011 12:23 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
John.Hayward at wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) there was
> a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE, a response was
> sent back to the client but there was no message in the
> response.

It's more complicated. The server would send EAP-Failure, and nothing
else.

> 2) The patch given resolves that problem - giving the message
> of the rlm_mschap.c module of E=691 R=1

On closer inspection, the patch doesn't resolve anything. It still
sends an EAP-Failure. It should instead send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the
client has ACKed that, it should *then* send EAP-Failure.

i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

No. That sends back an MS-CHAP-Error. The code has to package that
MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
*additional* request/response round trip, before finally sending
EAP-Failure.

Alan DeKok.
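
The extra round trip discussed in this thread, as an added example that is not part of either message and is not FreeRADIUS code. Packet layouts follow RFC 3748 and the EAP-MSCHAPv2 draft (draft-kamath-pppext-eap-mschapv2); the function names, identifiers and sample values are hypothetical.

```python
import struct

# Code and type numbers from RFC 3748 and the EAP-MSCHAPv2 draft.
EAP_REQUEST, EAP_RESPONSE, EAP_FAILURE = 1, 2, 4
EAP_TYPE_MSCHAPV2 = 26
OP_FAILURE = 4

def parse_mschap_error(text):
    """Split an MS-CHAP-Error string such as 'E=691 R=1' into its fields."""
    head, sep, message = text.partition(" M=")  # M= is free text and comes last
    fields = {}
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    if sep:
        fields["M"] = message
    return {"error": int(fields["E"]), "retry": fields.get("R") == "1",
            "fields": fields}

def build_failure_request(eap_id, mschap_id, error_text):
    """Server: wrap the MS-CHAP-Error in the EAP-MSCHAPv2 Failure sub-type."""
    msg = error_text.encode("ascii")
    ms_length = 4 + len(msg)    # OpCode + MS-CHAPv2-ID + MS-Length + message
    eap_length = 5 + ms_length  # EAP header (4 bytes) + Type (1 byte)
    return struct.pack("!BBHBBBH", EAP_REQUEST, eap_id, eap_length,
                       EAP_TYPE_MSCHAPV2, OP_FAILURE, mschap_id, ms_length) + msg

def build_failure_ack(eap_id):
    """Client: 6-byte EAP-Response that acknowledges the Failure sub-type."""
    return struct.pack("!BBHBB", EAP_RESPONSE, eap_id, 6,
                       EAP_TYPE_MSCHAPV2, OP_FAILURE)

def final_packet_after_ack(request_id, client_packet):
    """Server: return EAP-Failure only once the client has ACKed the request."""
    if len(client_packet) < 6:
        return None
    code, ident, _, eap_type, opcode = struct.unpack("!BBHBB", client_packet[:6])
    if (code, ident, eap_type, opcode) != (EAP_RESPONSE, request_id,
                                           EAP_TYPE_MSCHAPV2, OP_FAILURE):
        return None  # not an ACK for this request: no EAP-Failure yet
    return struct.pack("!BBH", EAP_FAILURE, ident, 4)

if __name__ == "__main__":
    # Constructed exchange: EAP identifier 5, MS-CHAPv2 identifier 1.
    request = build_failure_request(5, 1, "E=691 R=1")
    print("server ->", request.hex())
    ack = build_failure_ack(5)
    print("client ->", ack.hex())
    print("server ->", final_packet_after_ack(5, ack).hex())
```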