Password Change Prompt on NAS
Alan DeKok
aland at deployingradius.com
Sun Jan 24 14:18:25 CET 2021
On Jan 22, 2021, at 8:46 PM, Feagles, Arthur B III CTR (USA) <arthur.feagles1.ctr at navy.mil> wrote:
>
> Thanks to Alan’s guide “Configuring Authentication with Active Directory”,
> users are successfully authenticating their network device logons
> (Cisco/Juniper) via AD.
That's good.
> • What: I would like password expiration prompts to be made available on the
> network devices
RADIUS doesn't support password changes. MS-CHAPv2 does, but that's not *necessarily* the same thing.
Windows systems support password changes over PEAP. I suspect that the NAS doesn't implement this.
> • Why: To use the burden of changing expired passwords
> • what you expect the server to do: pass the error code 648
> ERROR_PASSWD_EXPIRED to the NAS, and by some magic I don't understand prompt
> the user to change their password
The NAS has to support the MS-CHAPv2 password change mechanism.
> • what the server does instead (i.e. debug output): debug below; NAS does
> not prompt for password change, but instead repeats password: prompt.
So the NAS doesn't support the MS-CHAPv2 password change mechanism.
There's not much more you can do.
> Thanks
> -Art-
>
> 1 FreeRADIUS Version 3.0.13
> 2 Copyright (C) 1999-2017 The FreeRADIUS server project and
> contributors
> 3 There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> 4 PARTICULAR PURPOSE
Just... why line numbers? :(
Alan DeKok.
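
An added example, not from the thread or from FreeRADIUS: a Python parser for the MS-CHAPv2 failure string defined in RFC 2759, which is what carries error 648 to the client. The sample strings and the `supports_cpw` flag are constructed for illustration; in RADIUS the string travels in the MS-CHAP-Error attribute after a one-byte identifier, assumed here to be already stripped.

```python
import re

# Failure codes defined for MS-CHAPv2 in RFC 2759, section 6.
MSCHAP_ERRORS = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>"
FAILURE_RE = re.compile(
    r"E=(?P<E>\d{1,10}) R=(?P<R>[01])"
    r"(?: C=(?P<C>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<V>\d{1,10}))?"
    r"(?: M=(?P<M>.*))?$"
)

def parse_mschap_failure(text):
    """Parse the text part of an MS-CHAPv2 failure string into its fields."""
    m = FAILURE_RE.match(text.strip())
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure string: %r" % text)
    code = int(m["E"])
    return {
        "code": code,
        "name": MSCHAP_ERRORS.get(code, "UNKNOWN"),
        "retry_allowed": m["R"] == "1",
        "challenge": bytes.fromhex(m["C"]) if m["C"] else None,
        "cpw_version": int(m["V"]) if m["V"] else None,  # 3 for MS-CHAPv2
        "message": m["M"] or "",
    }

def client_action(failure, supports_cpw):
    """Hypothetical client logic: only a client that implements the
    MS-CHAPv2 password change can act on 648; any other sees a reject."""
    if supports_cpw and failure["code"] == 648 and failure["cpw_version"] == 3:
        return "prompt for a new password and send Change-Password"
    return "treat as a rejected login"

# Constructed sample values, not taken from the poster's debug output.
EXPIRED = "E=648 R=0 C=00112233445566778899aabbccddeeff V=3 M=Password Expired"
BAD_PW = "E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed"
```
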