A couple of comments on how clients behave: o It was my impression based on comments from our support area that the unpatched code (which does not follow the rfc) serving a windows client presented the user with a dialogue box on failure. I have not tested this. I assumed that if windows could deal reasonably with a server which did not follow the rfc they could also work with one that did (possibly wrong assumption - but they are the ones which wrote the rfc).
o It is known that various versions of the mac client fail in different respects - however they seem to fail consistently in that if retry is allowed they fail to increment the ID when retrying - on the MS radius server discards the retry because it is not following the protocol. You can get macs to play by configuring the server to not allow retries. So if you are going to test macs on the MS radius server you might try both with retry and without retry. o In this case it appears that in this case there have been more issues with mac wpa_clients than windows wpa_clients. o Testing of both windows and mac with out the patch and with the patch need to be done. johnh... ________________________________________ From: freeradius-users-bounces+john.hayward=wheaton....@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton....@lists.freeradius.org] on behalf of Alan DeKok [[email protected]] Sent: Friday, April 08, 2011 2:54 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry Phil Mayers wrote: > +1 - In my experience it's necessary to cater for windows' weirdness > *first*. Most other clients have sane behaviours. I'm concerned about > the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git "v2.1.x" branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
