Just a brief update.

In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be connected and no "contact your network administrator" or other messages occur.

Our support people are thrilled.

johnh...


 On Thu, 21 Apr 2011, [email protected] wrote:

Date: Thu, 21 Apr 2011 10:03:30
From: [email protected]
Reply-To: FreeRadius users mailing list
    <[email protected]>
To: FreeRadius users mailing list <[email protected]>
Subject: Re: MS-CHAP-V2 with no retry


Thanks again for your work on this facility.

I built and installed with the new patches.
Unfortunately things did not quite work - however, with a small change I could get the retry to work properly on a Windows 7 machine.

The problem is that when we do a retry, in addition to setting the challenge value, we also need to change the data->code to challenge rather than failure. When the response comes back we can correctly deal with it.

==== original patch -- with suggested changes **** ====
678 -    pairmove2(&response, &handler->request->reply->vps,
679 -        PW_MSCHAP_ERROR);
678 +    pairmove2(&response, &handler->request->reply->vps,
679 +        PW_MSCHAP_ERROR);
**** add failure code by default
         data->code = PW_EAP_MSCHAPV2_FAILURE;
****
680 +    if (response) {
681 +      int n,err,retry;
682 +      char buf[34];
683 + 684 +      DEBUG2("  MSCHAP-Error: %s", response->vp_strvalue);
685 +
686 +      /*
687 + * parse the new challenge out of the MS-CHAP-Error, so if the client
688 +       * issues a re-try, we'll know the challenge value they used
689 +       */
690 + n = sscanf(response->vp_strvalue, "%*cE=%d R=%d C=%32s", &err, &retry, &buf);
691 +      if (n==3) {
692 + DEBUG2(" Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s", err, retry, buf);
693 +        fr_hex2bin(buf, data->challenge, 16);
**** Set code to challenge if we find a challenge
             data->code = PW_EAP_MSCHAPV2_CHALLENGE;
****
694 +      } else {
695 + DEBUG2(" Could not parse new challenge from MS-CHAP-Error: %d", n);
696 +      }
697 +    }
680
**** remove this code since set above
698     data->code = PW_EAP_MSCHAPV2_FAILURE;
****
====   END OF original patch ===
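
Review bot: In the `if (n==3)` branch, `data->code` is switched to `PW_EAP_MSCHAPV2_CHALLENGE` whenever the string parses, without looking at the parsed `retry` value. An MS-CHAP-Error carrying R=0 tells the peer that no retry is allowed, so the switch should be conditional, for example `if (n == 3 && retry)`, leaving the default failure code otherwise. In the same branch, `%32s` also accepts a shorter token, and `fr_hex2bin(buf, data->challenge, 16)` is called without checking that `buf` holds 32 hex digits, so a short or non-hex C= value could leave `data->challenge` only partly updated while a challenge is still sent; check the length and the conversion result before setting the code. The `sscanf` call also passes `&buf` where `%32s` expects `buf`.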

johnh...
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
