how to limit the repeating ldap lookups
p.mayers at imperial.ac.uk
Wed Aug 28 17:22:36 CEST 2013
On 28/08/13 15:46, Arran Cudbard-Bell wrote:
> OK. Just wondering if you could really get it down to a single
> lookup, IIRC you needed the 'known good' NT-Password data for a
> couple of rounds of MSCHAPv2?
Nope, just one. The MSCHAP challenge & response arrive at you, you
validate them and in turn generate the response2.
You might be thinking of the first pass in EAP-MSCHAP, where the client
sends EAP-identity and the server sends EAP-MSCHAP challenge, but that's
stateless - just a random number. Likewise, the 3rd pass MSCHAP
success/fail packet is stateless.
More information about the Freeradius-Users