Windows 7 prompting several times

Morris, Andi amorris at cardiffmet.ac.uk
Tue Apr 3 17:46:03 CEST 2012


Apologies for keeping this going on the freeradius list when it is nothing to do with it, but has anyone seen this behaviour on anything but a Windows supplicant?  I'm trying to debug whether it's a supplicant or NAS issue.

As Alan has said, this is not a freeradius issue.  I see the same symptoms on another network that we have, which uses Microsoft IAS.  The only common ground is the OS and the Cisco authenticator (three different models: Catalyst 2950, WLC4400 and WLC5500).  Microsoft have analysed trace logs I have given them and pointed the finger at the NAS, but as I only see this on Windows supplicants I'm not so sure.

If there is a more appropriate list to move this to then I will happily oblige to avoid the noise on the FR list.

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 03 April 2012 16:28
To: FreeRadius users mailing list
Subject: Re: Windows 7 prompting several times

jaimeventura wrote:
> Now, if the user enters wrong credentials, Windows prompts for
> credentials again with a message stating that the user credentials are
> invalid. The problem is that if the user now types the correct
> credential, the access will still be denied. After the third retry,
> Windows gives up on asking and the user must click on the wireless
> network icon, to start the login process again.

  See the ChangeLog for 2.1.11:

        * Make retry and error message configurable in mschap.
          See raddb/modules/mschap
        * Allow EAP-MSCHAPv2 to send error message to client.  This
          change allows some clients to prompt the user for a new
          password.  See raddb/eap.conf, mschapv2 section, "send_error".


> As Alan said, this seemed like Windows was caching the bad credentials.
> But, the logs state a different message. After the first "access
> denied", each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> I'm not saying there's a freeradius fault, it can be Windows' fault or
> just Windows not following the RFC (wouldn't be the first time).

  I already said who to blame:  That failure message is being sent by the Windows machine.  FreeRADIUS just logs it.

  Don't blame the messenger.

> Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it
> should send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously
> sent EAP-Request/Failure, according to RFC 'Appendix A - Examples')

  Yes.

> Or
> Should send a EAP-Response/MSCHAP_Response since it is actually
> retrying the authentication.

  Possibly.

> One possibility is that the new "send_error" option is misleading Windows.
> According to  RFC 'Appendix A - Examples', a "retry" flag in order to
> tell Windows to try again.

  FreeRADIUS sets the retry flag.

> Since my knowledge of the freeradius source code is very basic, I
> couldn't figure out exactly if this is happening.

  You're wasting your time by looking at FreeRADIUS.

  The Windows box is prompting multiple times for the password.  This is because the *WINDOWS BOX* is prompting multiple times for the password.

  It has nothing to do with FreeRADIUS.  No amount of poking FreeRADIUS will fix it.

  Alan DeKok.