Password change after expire with Cisco ASA to local FR user DB (text file) Not Working

Alan DeKok aland at deployingradius.com
Wed Feb 8 09:24:09 CET 2012


Will Richmond wrote:
> Special thx to Phil and Alex for initial help testing FR with password change. With some help today, I managed to download, compile and install the latest copy of FR source code on CentOS server. I cannot however get a password change prompt to appear on my calling-station device. Any ideas?

  Did you follow the instructions in doc/mschap.rst?  Did you read the
mods-available/mschap file, the "passchange" section?

> I am running this in test lab with cisco ASA, which is sending MS-CHAPv2 request to FR server, as some debug output shows:
> 
> MS-CHAP-Challenge = 0x0d786b3e916d7e  (shortened)
> MS-CHAP2-Response = 0x008ebeb5e7b5    (shortened)

  That doesn't matter.

> My local user account in users file is configured with NT-LM Hash, and set to expire:
> 
> wrichmond       NT-Password :="64f12cddaa88057e06a81b54e73b949b", Expiration :="Dec 04 1994"

  That is NOT what the documentation says to do.

> I can login fine when Expiration field is commented out.

  Because the expiration attribute enforces ACCOUNT expiration.  Again,
this is documented.

> I have configured dictionary file for password expiration:
> 
> VALUE           Server-Config           Password-Expiration     30
> VALUE           Server-Config           Password-Warning        5

  Why the heck did you do that?  NOTHING in the documentation says to do
this.  You might as well have typed random words into the dictionaries
for all the good it will do.

  Follow the documentation.  Honestly, it isn't hard.

  Alan DeKok.


