Hi Alan~ Thank you for the reply; your response helps save me some time.

> > 3) A long term solution; I don't believe password expirations are that
> > uncommon anymore with all the security requirements (HIPAA, PCI, etc etc)
> > that depend upon this.
>
> Password change is not part of RADIUS.

I am new to RADIUS, and although it is now clear that "expired passwords == user is blocked until they can authenticate from some other computer" ... I'm just surprised.

I guess an alternate method is to implement login scripts to check if a user's password expiration is approaching, and if so... prompt the user to update it before it expires (via email, popup, whatever). Is that what the rest of RADIUS users do / a best practice?

Thanks for all your help... all in all, freeradius is awesome. Thanks!

----- Original Message ----
From: Alan DeKok <[email protected]>
To: FreeRadius users mailing list <[email protected]>
Sent: Thu, August 12, 2010 2:52:43 PM
Subject: Re: Password Policy - Expired Password - mschap

Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch. This test patch moves away
> from implementing mschapv2 in the client connection and specifying PAP. It
> changes the opendirectory response, and only requires two lines of code to
> change in rlm_opendirectory.c. I include the updated block of code here:

  You are welcome to maintain this patch locally, i.e. on your system.
"git" makes this easy.

  However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius
> configuration option called "allowExpiredPasswordsAndPasswordResets = yes"
> could be implemented.... (unless there is an easier way to do this in
> Post-Auth-Reject.. see my request above).

  Check the password by hand, using a shell script.

> I am still interested in:
>
> 1) An example Auth-Post-Reject example (basic code block and where to place
> it, as my attempts have failed)

  You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being
> transmitted on client password reset prompts, I'd be interested in hearing
> about it.

  No one else does password changes that way.

> 3) A long term solution; I don't believe password expirations are that
> uncommon anymore with all the security requirements (HIPAA, PCI, etc etc)
> that depend upon this.

  Password change is not part of RADIUS.

  Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
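The login-time expiry warning floated in the reply above, as an added example that is not from this thread or from the FreeRADIUS project. The point it illustrates is the one Alan makes: RADIUS (and MS-CHAPv2 over 802.1X) cannot change a password, so once it expires the user is locked out of the network until they change it from somewhere else, and the only place left to act is before expiry, at login. The script takes the password's last-change time as epoch seconds and the maximum age in days; where those values come from on a real system (for example a directory attribute in Open Directory) is an assumption left to the deployment, as is the 14-day warning window. The arithmetic stays in POSIX sh so the same script runs from a login hook on macOS or Linux.

```shell
#!/bin/sh
# Added example, not from the list thread or FreeRADIUS: warn a user at login
# before their password expires, so they are not locked out of 802.1X/RADIUS
# authentication, which cannot perform the password change itself.
#
# Assumptions: LAST_CHANGE is epoch seconds, MAX_AGE and WARN are days.
# Reading these from the directory (e.g. Open Directory) is left to the caller.

DAY=86400

# days_until_expiry LAST_CHANGE_EPOCH MAX_AGE_DAYS [NOW_EPOCH]
# Prints whole days left before expiry; negative once the password has expired.
# Uses floor division so a password that expired twelve hours ago reports -1,
# not 0, and is therefore never mistaken for "still valid today".
days_until_expiry() {
    last="$1"; max_age="$2"; now="${3:-$(date +%s)}"
    remaining=$(( last + max_age * DAY - now ))
    if [ "$remaining" -ge 0 ]; then
        echo $(( remaining / DAY ))
    else
        echo $(( 0 - ( (0 - remaining + DAY - 1) / DAY ) ))
    fi
}

# expiry_state DAYS_LEFT WARN_DAYS
# Prints one of: ok, warn, expired
expiry_state() {
    days="$1"; warn="$2"
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -le "$warn" ]; then
        echo warn
    else
        echo ok
    fi
}

# login_check USER LAST_CHANGE_EPOCH MAX_AGE_DAYS WARN_DAYS [NOW_EPOCH]
# Prints a message for the user. Exit status: 0 = ok, 1 = warn, 2 = expired,
# so a login hook can decide whether to raise a popup or send a mail.
login_check() {
    user="$1"
    days=$(days_until_expiry "$2" "$3" "$5")
    case "$(expiry_state "$days" "$4")" in
        expired)
            echo "$user: password expired $(( 0 - days )) day(s) ago; it must be changed from a machine that does not need RADIUS to log in"
            return 2 ;;
        warn)
            echo "$user: password expires in $days day(s); change it now or network (802.1X/RADIUS) access will be lost"
            return 1 ;;
        *)
            echo "$user: password ok ($days day(s) left)"
            return 0 ;;
    esac
}

# Constructed sample: a 90-day policy, last change 80 days ago, 14-day warning.
# login_check alice "$(( $(date +%s) - 80 * DAY ))" 90 14
```

The exit code is what a login script should key on: 1 means prompt now, 2 means the warning came too late and the user needs an out-of-band path (a wired port that is not 802.1X-protected, a helpdesk reset, or a self-service portal that does not depend on RADIUS) before they can get back on the network.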

