MS-CHAP-V2 allow_retry on LDAP authentication

Daniel Ekman daniel at 33k.org
Mon Oct 22 10:13:42 CEST 2012


Hi list,

I have a fairly large user base doing WPA2-Enterprise from various
OSes and smartphones. Our FreeRADIUS is running v2.1.12 and is
authenticating via LDAP, and things are running pretty well; the only
snag I currently have with this is when people change their password. I
realize this has been discussed before, because I have spent a lot of
time reading through this list and other sources.

So the current setup is OpenLDAP in a central location, with a slave set
up remotely and FreeRADIUS on top of that to allow for WPA2. This also
means there is no correlation between user accounts on computers and
domains, so when people change their LDAP password their WPA2
username/password remain the same and the user needs to change it
manually.

In the latest version, allow_retry and retry_msg in the mschap module
were implemented, and this works great on my Mac and Linux user base.
However, it does not work for the Windows users: the FreeRADIUS server
is still sending the same things to the user, but for some reason there
is no popup telling the user to change their password. So here is my
actual question: is this supposed to work? Should the Windows users
also get the popup saying "please change password"?

Judging from what some threads say, like this one for example:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
it seems there are problems, but it also sounds like there is
a solution.

I have also tried adding the send_error setting in eap.conf, but that
only broke things, like I read somewhere it would.


Thanks for reading :)

Daniel


More information about the Freeradius-Users mailing list