According to RFC2759 section 9.1.3 - 9.1.5 an authentication failure can return 
(E=691 R=0) --- failure no retry or (E=691 R=1) failure, disable short timeout 
and allow a retry with ++ID.

freeradius apparently only returns (E=691 R=1) in three different places in 
src/modules/rlm_mschap/rlm_mschap.c

apple wireless clients have a known bug Bug ID# 8112557 which fails to 
increment the ID in the response to the challenge failure message.

The Microsoft NPS logs this failure and silently discards the retry attempt.  
The effect is that the user of the apple device never sees a message that tells 
them the need to change their password.

I am unsure if free radius checks the ID of a retry packet from a device but 
the effect is similar - users are left in the dark as to why they cannot 
connect when their password has been changed.

It has been reported that if the Microsoft NPS server is configured for no 
retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in 
that they report to the user that the password needs attention.

Would it be possible to modify rlm_mschap.c to be configured as to how many 
retries were allowed before returning authentication failure with no retry?

johnh...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
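The configurable retry limit asked about above, worked through as an added example in C. This is not FreeRADIUS code and does not touch rlm_mschap.c; it builds the MS-CHAPv2 Failure text in the `E=... R=... C=... V=... M=...` layout defined in RFC 2759 section 8.8, chooses the R flag from a hypothetical `max_retries` setting (0 gives the "no retries" behaviour the post describes for NPS), and checks whether a retry response carried the incremented Identifier. The attempt-counting semantics and the assumption that the 8-bit Identifier wraps from 255 to 0 are this example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* ERROR_AUTHENTICATION_FAILURE from RFC 2759 section 8.8 */
#define MSCHAP_ERR_AUTH_FAILURE 691
/* The 16-octet challenge is sent as 32 hex digits in the C= field */
#define MSCHAP_CHALLENGE_HEX_LEN 32

/*
 * Retry policy (this example's own semantics): failures_so_far is the
 * number of failed attempts in this session including the current one;
 * max_retries is the hypothetical administrator setting. A retry is
 * offered (R=1) while failures_so_far <= max_retries, so max_retries == 0
 * always yields E=691 R=0, the behaviour the post attributes to an NPS
 * server configured for no retries.
 */
int mschap_allow_retry(int failures_so_far, int max_retries) {
    return failures_so_far <= max_retries;
}

/*
 * Build the Failure message text. Returns the R flag that was emitted
 * (1 or 0), or -1 if the output buffer is too small.
 */
int mschap_build_failure(int failures_so_far, int max_retries,
                         const uint8_t challenge[16],
                         char *out, size_t outlen) {
    char hex[MSCHAP_CHALLENGE_HEX_LEN + 1];
    int retry = mschap_allow_retry(failures_so_far, max_retries);

    for (int i = 0; i < 16; i++)
        snprintf(hex + 2 * i, 3, "%02X", challenge[i]);

    int n = snprintf(out, outlen, "E=%d R=%d C=%s V=3 M=%s",
                     MSCHAP_ERR_AUTH_FAILURE, retry, hex,
                     "Authentication failure");
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return retry;
}

/* Pull E= and R= out of a Failure message; 0 on success, -1 otherwise. */
int mschap_parse_failure(const char *msg, int *err, int *retry) {
    return sscanf(msg, "E=%d R=%d", err, retry) == 2 ? 0 : -1;
}

/*
 * RFC 2759 expects a retry Response to use the Failure packet's
 * Identifier plus one. The 8-bit wrap from 255 to 0 is assumed here.
 * A response reusing the old Identifier (the client bug described in
 * the post) is rejected so the condition can be logged rather than
 * silently dropped.
 */
int mschap_retry_id_ok(uint8_t failure_id, uint8_t response_id) {
    return (uint8_t)(failure_id + 1) == response_id;
}

int main(void) {
    /* Constructed sample challenge, not a captured value */
    uint8_t challenge[16];
    for (int i = 0; i < 16; i++) challenge[i] = (uint8_t)i;

    char msg[128];
    int e, r;

    /* First failure with two retries allowed -> R=1 */
    mschap_build_failure(1, 2, challenge, msg, sizeof msg);
    mschap_parse_failure(msg, &e, &r);
    printf("%s\n  -> E=%d R=%d\n", msg, e, r);

    /* Third failure exhausts the limit -> R=0, no retry */
    mschap_build_failure(3, 2, challenge, msg, sizeof msg);
    printf("%s\n", msg);

    printf("retry id check 5->6: %d, 5->5: %d\n",
           mschap_retry_id_ok(5, 6), mschap_retry_id_ok(5, 5));
    return 0;
}
```

With `max_retries` set to 0 every failure is reported as `E=691 R=0`, which matches the NPS configuration the post says makes Apple clients surface a password problem to the user; a non-zero setting gives the R=1 path that those clients mishandle.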
