Password Change Prompt on NAS

Alan DeKok aland at
Sun Jan 24 14:18:25 CET 2021

On Jan 22, 2021, at 8:46 PM, Feagles, Arthur B III CTR (USA) <arthur.feagles1.ctr at> wrote:
> Thanks to Alan’s guide “Configuring Authentication with Active Directory”,
> users are successfully authenticating their network device logons
> (Cisco/Juniper) via AD.

  That's good.

> • What: I would like password expiration prompts to be made available on the
> network devices

  RADIUS doesn't support password changes.  MS-CHAPv2 does, but that's not *necessarily* the same thing.

  Windows systems support password changes over PEAP.  I suspect that the NAS doesn't implement this.

> • Why: To use the burden of changing expired passwords
> • what you expect the server to do: pass the error code 648
> ERROR_PASSWD_EXPIRED to the NAS, and by some magic I don't understand prompt
> the user to change their password

  The NAS has to support the MS-CHAPv2 password change mechanism.

> • what the server does instead (i.e. debug output): debug below; NAS does
> not prompt for password change, but instead repeats password: prompt.

  So the NAS doesn't support the MS-CHAPv2 password change mechanism.

  There's not much more you can do.

> Thanks
> -Art-
>     1	FreeRADIUS Version 3.0.13
>     2	Copyright (C) 1999-2017 The FreeRADIUS server project and
> contributors
>     3	There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

  Just... why line numbers?  :(

  Alan DeKok.
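
An added example, not part of the original email and not FreeRADIUS code: a sketch of the step a NAS has to implement before it can prompt for a new password, namely parsing the MS-CHAPv2 failure message (RFC 2759 format, carried in the MS-CHAP-Error attribute) and recognising error 648. The function names, the `nas_supports_cpw` flag and the sample bytes are assumptions made for illustration.

```python
import re

# RFC 2759 failure message: "E=<code> R=<0|1> C=<32 hex digits> V=<version> M=<text>"
FAILURE_RE = re.compile(
    r"E=(?P<E>\d{1,10}) R=(?P<R>[01])"
    r"(?: C=(?P<C>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<V>\d{1,10}))?"
    r"(?: M=(?P<M>.*))?$"
)

ERROR_PASSWD_EXPIRED = 648   # error code named in the thread
CPW_VERSION_MSCHAPV2 = 3     # "V" value announcing the MS-CHAPv2 change-password protocol


def parse_mschap_error(attr_value: bytes) -> dict:
    """Parse an MS-CHAP-Error value: one identifier octet, then the ASCII message."""
    if len(attr_value) < 2:
        raise ValueError("MS-CHAP-Error value too short")
    ident, text = attr_value[0], attr_value[1:].decode("ascii", "replace")
    m = FAILURE_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised failure message: {text!r}")
    return {
        "ident": ident,
        "error": int(m["E"]),
        "retry": m["R"] == "1",
        "challenge": bytes.fromhex(m["C"]) if m["C"] else None,
        "cpw_version": int(m["V"]) if m["V"] else None,
        "message": m["M"] or "",
    }


def nas_action(fields: dict, nas_supports_cpw: bool) -> str:
    """Hypothetical NAS decision logic for the next step of the login dialogue."""
    expired = fields["error"] == ERROR_PASSWD_EXPIRED
    if expired and fields["cpw_version"] == CPW_VERSION_MSCHAPV2:
        # Without the change-password exchange, 648 is just another failed login.
        return "prompt_new_password" if nas_supports_cpw else "treat_as_login_failure"
    return "retry" if fields["retry"] else "reject"


# Constructed sample value: identifier 0x01, password expired, no retry.
SAMPLE = b"\x01E=648 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Password Expired"
```

With `nas_supports_cpw=False` the sample comes back as an ordinary login failure, which matches the repeated password prompt described in the thread.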
