I am asking that it be configurable as to how many retries are allowed
(e.g. how many E=691 R=1) before a no retries failed authentication
message (E=691 R=0) is sent.
Ah gotcha. Thanks for the detail!
As Alan has suggested in his other email, you can change the
"MS-CHAP-Error" in the post-auth section:
    post-auth {
        Post-Auth-Type REJECT {
            if (reply:MS-CHAP-Error =~ /E=691 R=1/) {
                update reply {
                    MS-CHAP-Error := "E=691 R=0"
                }
            }
        }
    }
If a no retries failed authentication message (E=691 R=0) is sent I
believe that the Apple device to re-prompt the user to update the
password.
...but I'm not sure this will work.
The reason being, if you're using wireless you're probably using
PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner -
that is, it is *not* raw mschap inside the tunnel.
The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
...ignoring any errors the "mschap" module might have generated.
So in theory at least, FreeRadius is already doing what you want for
EAP-MSCHAP, and changing it won't help.
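
The retry cap requested at the top of this thread, sketched as an added example (it is not from the thread and not FreeRADIUS code): it parses the MS-CHAP error string in its RFC 2759 form and downgrades R=1 to R=0 once a user exceeds a configured number of failures. The RetryLimiter name and the in-memory per-user counter are assumptions made for illustration.

```python
import re
from collections import defaultdict

# MS-CHAPv2 failure message layout (RFC 2759, section 6):
#   E=<error> R=<0|1 retry flag> C=<32 hex digit challenge> V=<version> M=<text>
# Only E and R are required here, matching the short "E=691 R=1" form above.
_ERR = re.compile(
    r"E=(?P<E>\d+) R=(?P<R>[01])"
    r"(?: C=(?P<C>[0-9A-Fa-f]{32}))?(?: V=(?P<V>\d+))?(?: M=(?P<M>.*))?$"
)

def parse_mschap_error(value):
    """Split an MS-CHAP error string into its fields; reject malformed input."""
    m = _ERR.match(value)
    if m is None:
        raise ValueError("not an MS-CHAP error string: %r" % (value,))
    return {k: v for k, v in m.groupdict().items() if v is not None}

class RetryLimiter:
    """Hypothetical policy: allow max_retries R=1 replies, then force R=0."""

    def __init__(self, max_retries):
        self.max_retries = max_retries
        self._failures = defaultdict(int)  # per-user failed attempts

    def on_reject(self, user, value):
        fields = parse_mschap_error(value)
        if fields["E"] != "691":           # only cap authentication failures
            return value
        self._failures[user] += 1
        if self._failures[user] > self.max_retries:
            # Only ever downgrade: an upstream R=0 is never turned into R=1.
            return value.replace("R=1", "R=0", 1)
        return value

    def on_accept(self, user):
        self._failures.pop(user, None)     # a success resets the counter

if __name__ == "__main__":
    limiter = RetryLimiter(max_retries=2)
    sample = "E=691 R=1 C=" + "0" * 32 + " V=3 M=Authentication failed"  # constructed
    for attempt in range(1, 4):
        print(attempt, limiter.on_reject("alice", sample)[:9])
```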