On 11/04/11 11:22, Phil Mayers wrote:
On 10/04/11 15:41, James J J Hooper wrote:
This C=<random> needs to be saved and eventually make its way into data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);

It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...)
The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me.
It needs a bit of work, specifically there should be a: num_retries...parameter, and the EAP module should keep track of retry attempt counts, and stop when either:
try_number > num_retries or R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time.
It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo.
I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password)
[Attachment: retry.patch.gz]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
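The thread turns on two things the retry code has to get right: pulling the new C=<random> challenge out of the MS-CHAP-Error text so the EAP module can feed it back to rlm_mschap, and stopping when either the configured retry budget is used up or the server sent R=0. The following is an added illustration, not code from the patch, from FreeRADIUS, or from either poster; it assumes the MS-CHAP-Error string layout from RFC 2759 section 6 ("E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<message>") and a 16-byte challenge. The struct and function names (mschap_error, mschap_error_parse, mschapv2_retry_decision, mschapv2_challenge_byte) are hypothetical and do not mirror rlm_eap_mschapv2's real data structures; the sample error string in main() is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSCHAPV2_CHALLENGE_LEN 16   /* 16-byte challenge, carried as 32 hex digits */

/* Hypothetical holder for the MS-CHAP-Error fields (RFC 2759, section 6):
 *   "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<message>" */
struct mschap_error {
    long    code;          /* E= : 691 = authentication failure, 648 = password expired */
    int     retry;         /* R= : 1 = client may retry, 0 = no retry allowed */
    long    version;       /* V= : 3 for MS-CHAPv2, -1 if absent */
    int     has_challenge; /* 1 when a well-formed C= field was present */
    uint8_t challenge[MSCHAPV2_CHALLENGE_LEN]; /* C= : new challenge for the retry round */
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse an MS-CHAP-Error string into *out. Returns 0 on success, -1 if malformed.
 * E= and R= are required; C= and V= are optional but validated when present;
 * M= is free text running to the end of the string and terminates parsing. */
int mschap_error_parse(const char *s, struct mschap_error *out)
{
    int seen_e = 0, seen_r = 0;
    const char *p = s;

    memset(out, 0, sizeof(*out));
    out->version = -1;

    while (*p) {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        if (p[1] != '=') return -1;          /* every field is "X=value" */
        char key = p[0];
        const char *val = p + 2;
        if (key == 'M') break;               /* message text: not needed for the decision */
        const char *end = val;
        while (*end && *end != ' ') end++;   /* a value runs up to the next space */
        size_t len = (size_t)(end - val);
        char *stop;

        switch (key) {
        case 'E':
            out->code = strtol(val, &stop, 10);
            if (len == 0 || stop != end) return -1;
            seen_e = 1;
            break;
        case 'R':
            if (len != 1 || (*val != '0' && *val != '1')) return -1;
            out->retry = *val - '0';
            seen_r = 1;
            break;
        case 'C':   /* exactly 32 hex digits, decoded into the 16-byte challenge */
            if (len != 2 * MSCHAPV2_CHALLENGE_LEN) return -1;
            for (int i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
                int hi = hexval(val[2 * i]), lo = hexval(val[2 * i + 1]);
                if (hi < 0 || lo < 0) return -1;
                out->challenge[i] = (uint8_t)((hi << 4) | lo);
            }
            out->has_challenge = 1;
            break;
        case 'V':
            out->version = strtol(val, &stop, 10);
            if (len == 0 || stop != end) return -1;
            break;
        default:
            return -1;                       /* unknown field letter */
        }
        p = end;
    }
    return (seen_e && seen_r) ? 0 : -1;
}

/* The stop rule from the thread: retry only while the server said R=1, a new
 * C= challenge is available to re-challenge with, and try_number has not passed
 * num_retries. Returns 1 to run another round, 0 to fail the session, -1 on a
 * malformed error string (which a caller should treat as a hard failure). */
int mschapv2_retry_decision(const char *err_text, int try_number, int num_retries)
{
    struct mschap_error err;
    if (mschap_error_parse(err_text, &err) != 0) return -1;
    if (!err.retry) return 0;
    if (!err.has_challenge) return 0;
    if (try_number > num_retries) return 0;
    return 1;
}

/* Byte i of the parsed C= challenge (what would be copied into data->challenge), or -1. */
int mschapv2_challenge_byte(const char *err_text, int i)
{
    struct mschap_error err;
    if (mschap_error_parse(err_text, &err) != 0 || !err.has_challenge) return -1;
    if (i < 0 || i >= MSCHAPV2_CHALLENGE_LEN) return -1;
    return err.challenge[i];
}

int main(void)
{
    /* Constructed sample: a 691 failure that permits a retry with a fresh challenge. */
    const char *sample = "E=691 R=1 C=0123456789ABCDEF0123456789ABCDEF V=3 M=Authentication failed";
    int num_retries = 3;
    for (int try_number = 1; try_number <= 4; try_number++)
        printf("try %d of %d: %s\n", try_number, num_retries,
               mschapv2_retry_decision(sample, try_number, num_retries) ? "retry" : "stop");
    printf("first challenge byte: 0x%02x\n", mschapv2_challenge_byte(sample, 0));
    return 0;
}
```

The parser rejects anything that is not exactly 32 hex digits in C=, so a truncated or oversized challenge never reaches the memcpy into the session buffer, and a missing C= is treated like R=0 rather than silently re-using the previous challenge.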

