On 02/16/2012 09:35 AM, Morris, Andi wrote:
> Hi all,
>
> I’m trying to configure my freeradius server to prompt the user to
> retype their credentials if they mistype the username or password so
> that they can be authenticated via dot1x.

Does your NAS support this attribute? You are sending it just fine:


Sending Access-Reject of id 170 to 10.1.1.21 port 1645
  Password-Retry := 3
  EAP-Message = 0x04090004
  Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 2.9 seconds.

> Is there somewhere else I need to enable this attribute? Does it need
> adding to the dictionary on the client?

What do you mean by "client" here?

"Client" is normally used to refer to the 802.1x supplicant (e.g. PC, laptop, mobile device, etc.). These devices don't speak RADIUS, so won't see any attributes you send.

The switch/access point is usually referred to as the NAS. The NAS does speak RADIUS, but must support any attributes you want to send it.

I've never seen this attribute before, and don't quite know what you expect it to do. RFC 2869 indicates it is intended to specify "how many authentication attempts a client is permitted before disconnection" which is not really in the spirit of RADIUS; Access-Reject MEANS "disconnect".

tl;dr - I don't think this attribute will work for you.

802.1x NAS devices usually have various retry / lockout counters you can configure via the GUI/CLI. These are probably what you want.
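The Access-Reject from the debug output above, rebuilt and decoded on the NAS side as an added example (this is not code from the thread or from FreeRADIUS). It encodes Password-Retry (type 75) and EAP-Message (type 79) as ordinary TLV attributes, fills in the Message-Authenticator that the debug output shows as sixteen zero bytes (the placeholder value the HMAC is computed over), and then does what a receiving NAS does: verify both authenticators, decode the attributes it knows, and set aside any type it has no dictionary entry for. The shared secret and request authenticator are constructed placeholders, not values from the post.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 2869)
ACCESS_REJECT = 3
PASSWORD_RETRY = 75          # integer attribute, RFC 2869
EAP_MESSAGE = 79             # carries one EAP packet, RFC 2869
MESSAGE_AUTHENTICATOR = 80   # HMAC-MD5 over the packet, RFC 2869


def encode_attr(atype, value):
    """One attribute in TLV form: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_reject(pkt_id, request_auth, secret, attrs):
    """Assemble an Access-Reject the way a server does. The Message-Authenticator is
    HMAC-MD5 keyed with the shared secret, computed over the packet with its own value
    zeroed (the zeros in the debug output); the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REJECT, pkt_id, 20 + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = body[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attrs(packet):
    """Walk the attribute list; return (code, id, [(type, offset, value), ...]).
    Every length is checked before use, so a malformed packet raises instead of
    being read past its end."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field disagrees with packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return code, pkt_id, attrs


def verify_reject(packet, request_auth, secret):
    """What a NAS checks before acting on a reply: the Response Authenticator shows
    the packet came from a holder of the secret, and the Message-Authenticator
    (required alongside EAP-Message, RFC 3579) covers every attribute, so a
    modified Password-Retry value fails verification."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expect = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expect, resp_auth):
        return False
    _, _, attrs = parse_attrs(packet)
    for atype, pos, value in attrs:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
            expect_mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expect_mac, value)
    return False   # no Message-Authenticator on an EAP reply: do not trust it


def decode_reject(packet):
    """Decode the attributes seen in the quoted debug output. Types the NAS has no
    dictionary entry for are listed under 'unknown' and otherwise ignored, which
    is all a NAS can do with an attribute it does not implement."""
    code, pkt_id, attrs = parse_attrs(packet)
    out = {"code": code, "id": pkt_id, "unknown": []}
    for atype, _, value in attrs:
        if atype == PASSWORD_RETRY and len(value) == 4:
            out["Password-Retry"] = struct.unpack("!I", value)[0]
        elif atype == EAP_MESSAGE and len(value) >= 4:
            eap_code, eap_id, eap_len = struct.unpack("!BBH", value[:4])
            out["EAP-Message"] = {"code": eap_code, "id": eap_id, "length": eap_len}
        elif atype == MESSAGE_AUTHENTICATOR:
            out["Message-Authenticator"] = value.hex()
        else:
            out["unknown"].append(atype)
    return out


# Constructed sample values (not from the thread): the shared secret is a placeholder
# and a real request authenticator is 16 random bytes chosen by the NAS per request.
SECRET = b"placeholder-shared-secret"
REQUEST_AUTH = bytes(range(16))
REJECT = build_access_reject(170, REQUEST_AUTH, SECRET, [
    (PASSWORD_RETRY, struct.pack("!I", 3)),
    (EAP_MESSAGE, bytes.fromhex("04090004")),   # EAP code 4 = Failure, id 9, length 4
])

if __name__ == "__main__":
    print(decode_reject(REJECT))
    print("authentic:", verify_reject(REJECT, REQUEST_AUTH, SECRET))
```

Decoding the sample gives Password-Retry 3 and an EAP Failure, i.e. exactly what the server printed, which is the point of the reply: the server side is correct, and a NAS that does not implement type 75 simply lands it in the skipped list. Adding the attribute to a dictionary on the server changes nothing on the NAS; only the NAS firmware decides what to do with it.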
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html