Password change after expire with Cisco ASA to local FR user DB (text file) Not Working

Will Richmond will at bootit.com
Wed Feb 8 03:23:26 CET 2012


Special thanks to Phil and Alex for initial help testing FR with password change. With some help today, I managed to download, compile and install the latest copy of the FR source code on a CentOS server. I cannot, however, get a password change prompt to appear on my calling-station device. Any ideas?

I am running this in a test lab with a Cisco ASA, which is sending an MS-CHAPv2 request to the FR server, as some debug output shows:

MS-CHAP-Challenge = 0x0d786b3e916d7e  (shortened)
MS-CHAP2-Response = 0x008ebeb5e7b5    (shortened)

My local user account in the users file is configured with an NT-LM hash and set to expire:

wrichmond       NT-Password :="64f12cddaa88057e06a81b54e73b949b", Expiration :="Dec 04 1994"

I can log in fine when the Expiration field is commented out.

I have configured the dictionary file for password expiration:

VALUE           Server-Config           Password-Expiration     30
VALUE           Server-Config           Password-Warning        5

When I send an AUTH request, I am denied login with an "account password is expired" message. I should get a prompt on my calling-station device to change the password. The Cisco ASA is configured with password-management:

tunnel-group TG_VPN_1 general-attributes
 default-group-policy GPOL_1
 password-management password-expire-in-days 5

On the FR server, I get this debug output:

rad_recv: Access-Request packet from host 2.2.2.2 port 1025, id=28, length=217
        User-Name = "wrichmond"
        NAS-Port = 188416
        Called-Station-Id = "3.3.3.3"
        Calling-Station-Id = "1.1.1.1"
        NAS-Port-Type = Virtual
        Tunnel-Client-Endpoint:0 = "1.1.1.1"
        MS-CHAP-Challenge = XXXXXXXXXXXXXXXXXXXX
        MS-CHAP2-Response = XXXXXXXXXXXXXXXXXXXXXX
        NAS-IP-Address = 2.2.2.2
        Cisco-AVPair = "ip:source-ip=1.1.1.1"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   group authorize {
(0)  - entering group authorize {...}
(0)   [preprocess] = ok
(0)   [chap] = noop
(0) mschap : Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
(0)   [mschap] = ok
(0)   [digest] = noop
(0) suffix : No '@' in User-Name = "wrichmond", looking up realm NULL
(0) suffix : No such realm "NULL"
(0)   [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0) files : users: Matched entry wrichmond at line 76
(0)   [files] = ok
(0) expiration : Checking Expiration time: 'ÐLá.04 1994'
(0) expiration : Account has expired
(0) expiration :        expand: Password Has Expired   -> Password Has Expired  
(0)   [expiration] = userlock
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   group REJECT {
(0)  - entering group REJECT {...}
(0) attr_filter.access_reject :         expand: %{User-Name} -> wrichmond
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)    policy remove_reply_message_if_eap {
(0)   - entering policy remove_reply_message_if_eap {...}
(0)    ? if (reply:EAP-Message && reply:Reply-Message)
(0) ? Evaluating (reply:EAP-Message ) -> FALSE
(0) ? Skipping (reply:Reply-Message)
(0)    ? if (reply:EAP-Message && reply:Reply-Message) -> FALSE
(0)     else else {
(0)    - entering else else {...}
(0)     [noop] = noop
(0)    - else else returns noop
(0)   - policy remove_reply_message_if_eap returns noop
(0) Finished request 0.
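As an added example (not code from the post or from FreeRADIUS), a small Python check that parses a users-file entry like the one above and evaluates its Expiration the way the debug output shows rlm_expiration doing it: reject (userlock) once the date is past, otherwise report the remaining seconds, and flag entries whose date string does not parse at all, which is what a value like the mangled 'ÐLá.04 1994' in the debug would look like. The warning window driven by the Password-Warning value is an assumption about local policy, not FreeRADIUS behaviour.

```python
import re
from datetime import datetime, timezone

# One "Attribute op "value"" check item of a FreeRADIUS users-file entry.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*"([^"]*)"')


def parse_users_entry(line):
    """Split a users-file line into (username, {attr: (op, value)})."""
    name, _, rest = line.strip().partition(" ")
    return name, {attr: (op, val) for attr, op, val in ITEM_RE.findall(rest)}


def parse_expiration(text):
    """Parse 'Mon DD YYYY', optionally followed by HH:MM:SS (the rlm_expiration formats)."""
    for fmt in ("%b %d %Y %H:%M:%S", "%b %d %Y"):
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable Expiration value: {text!r}")


def check_expiration(items, now, warning_days):
    """Return (status, detail); status is 'ok', 'warn', 'userlock' or 'error'.

    'warn' mirrors the Password-Warning dictionary value from the post and is an
    assumed local policy, not something rlm_expiration itself emits.
    """
    if "Expiration" not in items:
        return "ok", None
    try:
        expires = parse_expiration(items["Expiration"][1])
    except ValueError as exc:
        # A garbled date (as in the debug output) should be treated as a config error.
        return "error", str(exc)
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        return "userlock", "Password Has Expired"
    if remaining.days < warning_days:
        return "warn", remaining.days
    # rlm_expiration would put the remaining seconds into Session-Timeout.
    return "ok", int(remaining.total_seconds())
```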