MS-CHAP-V2 allow_retry on ldap authentication

Daniel Ekman daniel at 33k.org
Tue Oct 23 11:52:21 CEST 2012


Thanks for replying and sorry if I'm being vague, I'll try and be more specific.

On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 10/22/2012 09:13 AM, Daniel Ekman wrote:
>>
>> Hi list,
>>
>> I have a fairly large user base doing WPA2-enterprise from various
>> OSes and smartphones, our FreeRADIUS is running v.2.1.12 and is
>> authenticating via LDAP and things are running pretty well, the only snag
>> I have currently with this is when people change their password. I
>
>
> Change their password where? Elsewhere, right? So, you want to prompt the
> clients to enter a new password, because the user has changed passwords on
> the server.
>

Yes, clients change their password on the server via a custom web
interface on top of the LDAP, and this then obviously does not get
automatically updated in the wireless settings on the clients'
computers.

>
>> in the latest version allow_retry and retry_msg in the mschap module
>> were implemented and this works great on my mac and linux user base,
>> however it does not work for the windows users, the FreeRADIUS server
>> is still sending the same things to the user but for some reason there
>> is no popup telling the user to change their password so here is my
>> actual question, is this supposed to work? Should the windows users
>> also get the popup saying "please change password"?
>
>
> Your terminology is confusing. Do you mean "change password" or "re-enter
> your password"? Because the two are very, very different.

Re-enter the password in the wireless setup if they do not get authenticated.

>
> To be honest, your email is sort of vague and specific at the same time, if
> that makes any sense - there's some LDAP, some different set of accounts,
> something else...
>
> I've got no idea if Windows can even behave the way you want
>
>
>>
>> judging from what some threads say like this for example
>>
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg68678.html
>
>
> That message predates major changes to the PEAP and EAP-MSCHAPv2 modules to
> support password *change* (see why I said it was confusing?). So I'd be
> cautious about reading too much into it.
>
>
>> seems to indicate there are problems but it also sounds like there is
>> a solution.
>>
>> I have also tried adding the send_error setting in eap.conf but that
>> only broke things like I read somewhere it would.
>
>
> ...vague much?

The send_error setting was added in version 2.1.11 as a bug fix: "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, "send_error"."
This was said in an earlier version to solve issues for some clients but
*may* also cause other clients to stop working. The setting is also
not included in the version 2.1.12 eap.conf.

>
> Seriously: "radiusd -X"

radiusd -X gives the same output to mac/windows/linux users when they
need to re-enter their password but only the mac/linux users get a
prompt for it.

>
> If I have time today, I'll try to resurrect our "for comparison" NPS server
> and see what Microsoft do. It's possible you just can't prompt Windows in
> the way you want.
