On Thu, 3 Mar 2011, Phil Mayers wrote:

Date: Thu, 3 Mar 2011 17:09:42
From: Phil Mayers <[email protected]>
Reply-To: FreeRadius users mailing list
    <[email protected]>
To: [email protected]
Subject: Re: MS-CHAP-V2 with no retry
It has been reported that if the Microsoft NPS server is configured
for no retries (E=691 R=0) that mac/iphones/ipads then act like
windows xp machines in that they report to the user that the password
needs attention.

Would it be possible to modify rlm_mschap.c to be configured as to how
many retries were allowed before returning authentication failure
with no retry?

Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP?

EAP-MSCHAP

Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether "change password" means "user tries again with a different password string" or "user executes the change-password protocol because their old one has expired")

We have most things (portal authentication, blackboard, wireless) using freeradius with Novell NDSLdap for authentication. We also have a password change policy which requires users to periodically change their password. They can most easily do so by going to a website set up for that.

Here is the sequence of events which leads to a heavy support load.

1) User initially set up their wireless connection using a current password.
2) The device caches the password.
3) The user operates for a long period of time without issue.
4) The user is notified their password will expire in a short time in the
   future by e-mail - telling them to change their password at the
   password change web site.
5) The user goes to the password change web site and changes their
   password.
6) After the password change has occurred - When the user attempts to
   connect to the wireless network:
   a) for wireless Windows machines running XP they see a message indicating they
      need to re-enter their password for the computer (the cached old
      password no longer works) and the user enters the current password
      and life goes on.
***
   b) for wireless apple devices (os 10.6, iphones, ipads) they get no such
      message; the device just keeps trying to authenticate and failing without
      prompting the user - after a certain number of failures the Novell
      NDS Ldap locks the user because of the intruder lockout facility.
      Now the user cannot log in to systems which use NDSLdap
      authentication.  User shows up at support center confused.

It is known that the apple supplicant fails to increment the ID on the retry which is required by the MS-CHAP protocol. At least one person reports that if the radius server responds with a failed authentication error message (E=691 R=0), which indicates the client should not retry, the apple device prompts the user for a new password. This is the same behavior which windows xp users see.

I am not asking that freeradius server be used to change the password.

I am asking that it be configurable as to how many retries are allowed (e.g. how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent.

If a no retries failed authentication message (E=691 R=0) is sent I believe that the apple device will re-prompt the user to update the password.

johnh...
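To make the E=691 R=0 / R=1 discussion concrete, here is an added example (not code from this thread or from rlm_mschap.c) that formats and parses the MS-CHAPv2 Failure message defined in RFC 2759 and models the proposed server-side policy: answer R=1 for a configurable number of failures, then R=0 so the supplicant stops resending the cached password. The RetryPolicy class, its bookkeeping and the fixed challenge value are assumptions constructed for the illustration.

```python
import re

# MS-CHAPv2 Failure message syntax (RFC 2759, section 6):
#   E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>
# E = error code, R = 1 if the client may retry / 0 if it must not,
# C = 16-byte challenge (hex) for the retry, V = protocol version (3).
ERROR_AUTHENTICATION_FAILURE = 691

FAILURE_RE = re.compile(
    r"^E=(?P<E>\d+) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32}) "
    r"V=(?P<V>\d+)(?: M=(?P<M>.*))?$"
)


def build_failure(error, retry_allowed, challenge_hex, message="", version=3):
    """Format one Failure message; the R flag decides whether the client retries."""
    return (f"E={error} R={1 if retry_allowed else 0} "
            f"C={challenge_hex} V={version} M={message}")


def parse_failure(text):
    """Parse a Failure message back into its fields (E, R, V as ints)."""
    m = FAILURE_RE.match(text)
    if m is None:
        raise ValueError(f"not an MS-CHAPv2 Failure message: {text!r}")
    return {"E": int(m["E"]), "R": int(m["R"]), "C": m["C"].lower(),
            "V": int(m["V"]), "M": m["M"] or ""}


class RetryPolicy:
    """Hypothetical policy: R=1 for the first `max_retries` failures of a
    user, then R=0 so the supplicant prompts the user instead of driving
    the directory's intruder lockout with a stale cached password."""

    def __init__(self, max_retries):
        self.max_retries = max_retries
        self._failures = {}          # user -> consecutive failure count

    def on_failure(self, user, challenge_hex):
        n = self._failures.get(user, 0) + 1
        retry = n <= self.max_retries
        self._failures[user] = n if retry else 0   # restart after R=0
        return build_failure(ERROR_AUTHENTICATION_FAILURE, retry,
                             challenge_hex, "Authentication failed")

    def on_success(self, user):
        self._failures.pop(user, None)


def simulate_stale_password(user, max_retries):
    """Constructed run: a supplicant keeps resending a cached, now-wrong
    password until the server answers R=0. Returns the R values sent."""
    policy = RetryPolicy(max_retries)
    challenge = "0123456789abcdef0123456789abcdef"   # constructed, not random
    answers = []
    while not answers or answers[-1] == 1:
        answers.append(parse_failure(policy.on_failure(user, challenge))["R"])
    return answers
```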

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html