Password-Retry attribute
Phil Mayers
p.mayers at imperial.ac.uk
Thu Feb 16 10:49:49 CET 2012
On 02/16/2012 09:35 AM, Morris, Andi wrote:
> Hi all,
>
> I’m trying to configure my freeradius server to prompt the user to
> retype their credentials if they mistype the username or password so
> that they can be authenticated via dot1x.
Does your NAS support this attribute? You are sending it just fine:
>
> Sending Access-Reject of id 170 to 10.1.1.21 port 1645
> Password-Retry := 3
> EAP-Message = 0x04090004
> Message-Authenticator = 0x00000000000000000000000000000000
>
> Waking up in 2.9 seconds.
>
> Is there somewhere else I need to enable this attribute? Does it need
> adding to the dictionary on the client?
What do you mean by "client" here?
"Client" is normally used to refer to the 802.1x supplicant (e.g. PC,
laptop, mobile device, etc.). These devices don't speak radius, so won't
see any attributes you send.
The switch or access point is usually referred to as the NAS. The NAS does
speak radius, but must support any attributes you want to send it.
I've never seen this attribute before, and don't quite know what you
expect it to do. RFC 2869 indicates it is intended to specify "how many
authentication attempts a client is permitted before disconnection"
which is not really in the spirit of RADIUS; Access-Reject MEANS
"disconnect".
tl;dr - I don't think this attribute will work for you.
802.1x NAS devices usually have various retry / lockout counters you can
configure via the GUI/CLI. These are probably what you want.
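An added example, not part of the mailing-list post or of FreeRADIUS itself: it builds the Access-Reject shown in the quoted debug output as RFC 2865/2869 wire bytes (Password-Retry is attribute type 75, EAP-Message 79, Message-Authenticator 80; the EAP-Message value 0x04090004 is an EAP Failure), then decodes it the way a NAS would. The point is that Password-Retry is just an ordinary type/length/value triple in the reject: a NAS that does not know type 75 skips it, exactly as the reply above says. The shared secret and Request Authenticator are constructed test values.

```python
# Added example (not from the thread or from FreeRADIUS): encode and decode the
# Access-Reject from the debug output, RFC 2865/2869 style.
import hashlib
import hmac
import struct

ACCESS_REJECT = 3

# Attribute type numbers from RFC 2869.
ATTR_PASSWORD_RETRY = 75          # integer, RFC 2869 section 5.16
ATTR_EAP_MESSAGE = 79             # string (EAP packet), section 5.13
ATTR_MESSAGE_AUTHENTICATOR = 80   # 16-byte HMAC-MD5, section 5.14

ATTR_NAMES = {
    ATTR_PASSWORD_RETRY: "Password-Retry",
    ATTR_EAP_MESSAGE: "EAP-Message",
    ATTR_MESSAGE_AUTHENTICATOR: "Message-Authenticator",
}

def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value(n); Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def build_access_reject(pkt_id, request_auth, secret, password_retry=3):
    """Build the reject from the thread: Password-Retry := 3, EAP-Failure, and a
    real Message-Authenticator, then the Response Authenticator over the result."""
    eap_failure = bytes([4, 9, 0, 4])   # EAP code 4 (Failure), id 9, length 4
    attrs = (avp(ATTR_PASSWORD_RETRY, struct.pack("!I", password_retry))
             + avp(ATTR_EAP_MESSAGE, eap_failure)
             + avp(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))   # zeroed for the HMAC
    header = struct.pack("!BBH", ACCESS_REJECT, pkt_id, 20 + len(attrs))
    # RFC 2869 5.14: HMAC-MD5 over the response with the Request Authenticator in
    # the authenticator field and the Message-Authenticator value set to zeros.
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def parse_attributes(packet):
    """Walk the attribute list after the 20-byte header -> [(type, name, raw value)].
    Unknown types are kept but named Unknown-N, which is all a NAS without the
    attribute in its dictionary can do with them."""
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = [], 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + attr_len]
        out.append((attr_type, ATTR_NAMES.get(attr_type, "Unknown-%d" % attr_type), value))
        pos += attr_len
    return out

def describe(packet):
    """Render attributes in the style of the FreeRADIUS debug lines in the thread."""
    lines = []
    for attr_type, name, value in parse_attributes(packet):
        if attr_type == ATTR_PASSWORD_RETRY:
            lines.append("%s := %d" % (name, int.from_bytes(value, "big")))
        else:
            lines.append("%s = 0x%s" % (name, value.hex()))
    return lines

def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the HMAC-MD5 a NAS checks before trusting the reject's attributes."""
    header, attrs = packet[:4], packet[20:]
    zeroed, mac, pos = bytearray(attrs), None, 0
    while pos < len(attrs):
        attr_type, attr_len = attrs[pos], attrs[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            mac = bytes(attrs[pos + 2:pos + 18])
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += attr_len
    if mac is None:
        return False
    expected = hmac.new(secret, header + request_auth + bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    secret = b"testing123"          # constructed shared secret
    req_auth = bytes(range(16))     # constructed Request Authenticator
    pkt = build_access_reject(170, req_auth, secret)
    print("Sending Access-Reject of id %d, %d bytes" % (pkt[1], len(pkt)))
    for line in describe(pkt):
        print("\t" + line)
    print("Message-Authenticator valid:", verify_message_authenticator(pkt, req_auth, secret))
```

Whether the NAS then acts on type 75 is a property of its firmware, not of the packet; the only thing this code can show offline is that the attribute is present, well-formed and authenticated, which is also all the FreeRADIUS debug output proves.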