Windows 7 prompting several times

Matthew Newton mcn4 at leicester.ac.uk
Wed Apr 11 17:40:59 CEST 2012


Hi Andi,

On Wed, Apr 11, 2012 at 02:52:15PM +0000, Morris, Andi wrote:
> Just to update anyone else with this issue, we have found the
> cause of the problem on our network was indeed the Cisco config.  

Thought that would be the case (that, or Windows). Across their
product range, Cisco do often seem to choose the most random
defaults.

> On our wireless controller we used the command below and the
> re-request no longer appears.  I'm still playing with the
> timeouts for the catalyst switches for the correct timeout for
> these, but at least we know definitively where the problem lay.
> 
> config advanced eap identity-request-timeout 15

Apologies - I completely forgot about that earlier. We did similar
last year to fix the problem, and I only remembered the client
exclusion thing, not the EAP timers. We've got:

config advanced eap identity-request-retries 12
config advanced eap identity-request-timeout 5
config wps client-exclusion 802.1x-auth disable

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
is the Cisco page ("Manipulating EAP Timers") that tells you to
change their defaults to something else...

My guess (and it _is_ only a guess) is that whereas most clients
ask you for the username/password, then try and connect, Windows
tries to connect, autodetects that you need a user/password, and
then keeps the EAP waiting while you type. If you don't type fast
enough then EAP times out before Windows sends the auth, and then
the process starts again, and you get prompted for the password
again because it's been told not to cache auth (so it won't cache,
even for a few seconds). This makes some sort of logical sense,
but is a bit crazy from a user persepective. You then hit the
problem that the user is a slow typer, and they hit the 802.1x
authentication limit and get their client excluded for two minutes
or so.

We reportedly had a user sit in the helpdesk trying to log in for
two hours. No comments about who would keep trying for that long
(and of course the problem was self-replicating; the more they
tried, the more they were excluded), but the complaints have
stopped since the above three commands.

Throughout all, FreeRADIUS has, of course, been happily performing
fine... :)

Cheers,

Matthew


> -----Original Message-----
> From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Morris, Andi
> Sent: 03 April 2012 16:46
> To: FreeRadius users mailing list
> Subject: RE: Windows 7 prompting several times
> 
> Apologies for keeping this going on the freeradius list when it is nothing to do with it, but has anyone seen this behaviour on anything but a Windows supplicant?  I'm trying to debug whether it's a supplicant or NAS issue.
> 
> As Alan has said, this is not a freeradius issue.  I see the same symptoms on another network that we have, which uses Microsoft IAS.  The only common ground is the OS and the Cisco authenticator (three different models: catalyst 2950, WLC4400 and WLC5500).  Microsoft have analysed trace logs I have given them and pointed the finger at the NAS, but as I only see this on Windows supplicants I'm not so sure.
> 
> If there is a more appropriate list to move this to then I will happily oblige to avoid the noise on the FR list.
> 
> Cheers,
> Andi
> 
> -----Original Message-----
> From: freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac.uk at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: 03 April 2012 16:28
> To: FreeRadius users mailing list
> Subject: Re: Windows 7 prompting several times
> 
> jaimeventura wrote:
> > Now, if the user enters wrong credentials, windows prompts for 
> > credentials again with a message stating that the user credentials are 
> > invalid. The problem is that if the user now types the correct 
> > credential, the access will still be denied. After the third retry, 
> > windows gives up on asking and the user must click on the wireless 
> > network icon, to start the login process again.
> 
>   See the ChangeLog for 2.1.11:
> 
>         * Make retry and error message configurable in mschap.
>           See raddb/modules/mschap
>         * Allow EAP-MSCHAPv2 to send error message to client.  This
>           change
>           allows some clients to prompt the user for a new password.
>           See raddb/eap.conf, mschapv2 section, "send_error".
> 
> 
> > As Alan said, this seemed like windows was caching the bad credentials.
> > But, the logs states a different message. After the first "access 
> > denied", each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> > Im not saying there's a freeradius fault, it can be windows fault or 
> > just windows not following the RFC(wouldnt be the first time).
> 
>   I already said who to blame:  That failure message is being sent by the Windows machine.  FreeRADIUS just logs it.
> 
>   Don't blame the messenger.
> 
> > Aparently windows is sending a EAP-Response/MSCHAP_Failure where it 
> > should send a EAP-Failure/MSCHAP_Failure (to acknowlage the previous 
> > sent EAP-Request/Failure, acording to RFC 'Appendix A - Examples')
> 
>   Yes.
> 
> > Or
> > Should send a EAP-Response/MSCHAP_Response since it is actually 
> > retrying the authentication.
> 
>   Possibly.
> 
> > One possibility is that the new "send_error" option is missleading windows.
> > According to  RFC 'Appendix A - Examples', a "retry" flag in order to 
> > tell windows to try again.
> 
>   FreeRADIUS sets the retry flag.
> 
> > Since my knowledge of the freeradius souce code is very basic, i 
> > couldnt figure out exactly if this is happening.
> 
>   You're wasting your time by looking at FreeRADIUS.
> 
>   The Windows box is prompting multiple times for the password.  This is because the *WINDOWS BOX* is prompting multiple times for the password.
> 
>   It has nothing to do with FreeRADIUS.  No amount of poking FreeRADIUS will fix it.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> ________________________________
> 
> From 1st November 2011 UWIC changed its title to Cardiff Metropolitan University. From the 6th December 2011, as part of this change, all email addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan University will now be sent from the new @cardiffmet.ac.uk address. Please could you ensure that all of your contact records and databases are updated to reflect this change. Further information can be found on the website here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
> 
> Ar Dachwedd y 1af 2011 newidiodd UWIC ei henw i Brifysgol Fetropolitan Caerdydd. O Ragfyr 6ed, fel rhan o'r newid yma, bydd pob cyfeiriad e-bost sy'n cynnwys @uwic.ac.uk yn newid i @cardiffmet.ac.uk. Bydd yr holl ebyst a ddanfonir o Brifysgol Fetropolitan Caerdydd yn cael eu danfon o‘r cyfeiriad @cardiffmet.ac.uk newydd. Gwnewch yn siwr eich bod yn diweddaru eich cofnodion cyswllt a'ch cronfeydd data i adlewyrchu hyn. Gellir cael rhagor o wybodaeth ar y wefan yma.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list