Re: MS-CHAP-V2 with no retry

2011-04-27 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: From your perspective which approach to getting retry enabled working do you recommend for 2.11 so we can be testing the same version: o my tweaks of Phil's single challenge patch o Phil's challenge and password change patches o a simpler two patch solution

Re: MS-CHAP-V2 with no retry

2011-04-26 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be

Re: MS-CHAP-V2 with no retry

2011-04-26 Thread John . Hayward
john.hayw...@wheaton.edu wrote: Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and iPhones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only

Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: I like your changes better. It allows us in the future to add a retry max so each failure could be counted and an R=0 sent after a certain number of failures. The EAP module already does *some* checking of this. If there are more than ~40 or so round trips, it

Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Phil Mayers
On 04/22/2011 09:56 AM, Alan DeKok wrote: If enough people test it and say it works. 2.1.11 is a stable release, so breaking things is very, very, bad. Agreed. It's an extensive change, and needs extensive testing. Personally I'd be inclined to say don't delay 2.1.11. I hope to be

Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Alan Buxey
Hi, Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (there's been a lot of subtle updates flying around)

Re: MS-CHAP-V2 with no retry

2011-04-22 Thread Phil Mayers
On 04/22/2011 11:22 AM, Alan Buxey wrote: Hi, Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (there's

Re: MS-CHAP-V2 with no retry

2011-04-21 Thread Alan DeKok
Phil Mayers wrote: rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. I think it's safe just to mark the module HUP-safe. It wasn't marked that way

Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward
Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is that when we do a retry in addition to setting the

Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward
Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work

Re: MS-CHAP-V2 with no retry

2011-04-21 Thread Phil Mayers
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote: Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is

Re: MS-CHAP-V2 with no retry

2011-04-21 Thread John . Hayward
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote: Thanks again for your work on this facility. I built and installed with the new patches

Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
First - thanks to the FreeRADIUS group for all the work on this over the weekend. There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place. Can someone point me to exactly what

Re: MS-CHAP-V2 with no retry

2011-04-20 Thread Phil Mayers
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retries. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but

Re: MS-CHAP-V2 with no retry

2011-04-20 Thread John . Hayward
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing

Re: MS-CHAP-V2 with no retry

2011-04-13 Thread John . Hayward
On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make its way into data-challenge so that the line lower down: memcpy(challenge

Re: MS-CHAP-V2 with no retry

2011-04-13 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: Can someone point me to exactly what I need to git to get the current version of freeradius with the patches so I can do some testing at our site? http://git.freeradius.org Grab the v2.1.x branch. Read raddb/modules/mschap, and raddb/eap.conf, the mschapv2

Re: MS-CHAP-V2 with no retry

2011-04-12 Thread Alan DeKok
Phil Mayers wrote: With send_error = yes, the client just hangs (and in fact crashed my phone several times) Nice to know! Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers
On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make its way into data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers
On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make its way into data->challenge so that the line lower down: memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more

Re: MS-CHAP-V2 with no retry

2011-04-11 Thread Phil Mayers
On 11/04/11 14:45, Phil Mayers wrote: I'll spin up an SSID and give it a try with real clients later today. Regrettably I can report that this does not work with Symbian. With send_error = no, incorrect username/password reports EAP/PEAP authentication failed With send_error = yes, the

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote: I may have misunderstood the code, but I think the EAP MS-CHAP-v2 Failure packet should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. I've deleted the setting of the EAP code. It's set in the compose function to eap request. Alan DeKok. -

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Phil Mayers
On 04/09/2011 06:18 PM, James J J Hooper wrote: On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line...

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper
On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have misunderstood the code, but I think the EAP MS-CHAP-v2 Failure packet should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. -James

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper
On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have misunderstood the code, but I think the EAP MS-CHAP-v2 Failure packet should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper
On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have misunderstood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote: Also, args to pairmove2 are wrong way around, as attached. Applied, thanks. Alan DeKok.

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread Alan DeKok
James J J Hooper wrote: ...Although, when you correct the password in the 'allow_retry = yes' popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +-

Re: MS-CHAP-V2 with no retry

2011-04-10 Thread James J J Hooper
On 10/04/2011 12:57, James J J Hooper wrote: On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I may have misunderstood the code, but I think the EAP MS-CHAP-v2 Failure packet, should

Re: MS-CHAP-V2 with no retry

2011-04-09 Thread James J J Hooper
On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the

Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Alan DeKok
James J J Hooper wrote: It works on Mac OS and iOS, but I haven't been able to get it to work as expected on XP or Win7: * Win7 does as it did before That's not all bad. * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate' message. That's not good. Could you

Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Phil Mayers
On 04/08/2011 08:26 AM, Alan DeKok wrote: James J J Hooper wrote: It works on Mac OS and iOS, but I haven't been able to get it to work as expected on XP or Win7: * Win7 does as it did before That's not all bad. * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'

Re: MS-CHAP-V2 with no retry

2011-04-08 Thread Alan DeKok
Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the "we didn't do much windows testing" line... Yup. I've just pushed some changes to the git v2.1.x branch. See:

RE: MS-CHAP-V2 with no retry

2011-04-08 Thread John Hayward
... From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Friday, April 08, 2011 2:54 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper jjj.hoo...@bristol.ac.uk wrote: Attached are the two 'git diff's that I ended up with, gzipped so they don't get messed up. -James (attachments: p1.txt.gz, p2.txt.gz)

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread Alan Buxey
hi, this would be great to get into 2.1.11 release if possible if not 2.1.12 or 2.2.x as it solves one of our current problems of devices configured for our roaming SSID continually trying to authenticate to the system even if the user no longer exists - currently they just keep on and on

Re: MS-CHAP-V2 with no retry

2011-04-07 Thread James J J Hooper
On 07/04/2011 13:33, James J J Hooper wrote: --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: I don't know if this should be sent to the developers list instead. === Background ===

Re: MS-CHAP-V2 with no retry

2011-04-06 Thread John . Hayward
On Wed, 9 Mar 2011, Alan DeKok wrote: Date: Wed, 9 Mar 2011 01:25:10 From: Alan DeKok al...@deployingradius.com Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2

RE: MS-CHAP-V2 with no retry

2011-03-08 Thread John Hayward
] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Saturday, March 05, 2011 12:23 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry john.hayw...@wheaton.edu wrote: 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was a bug in that when

Re: MS-CHAP-V2 with no retry

2011-03-08 Thread Alan DeKok
John Hayward wrote: Any idea of the time frame? A long time. Should I spend my time looking at the code and proposing a patch? Sure. Alan DeKok.

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. The answer here is to use a database. FreeRADIUS doesn't keep track of any long-term data.

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Phil Mayers
I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. Ah gotcha. Thanks for the detail! As Alan has suggested in his other email, you can change the MS-CHAP-Error in the

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Alan

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread James J J Hooper
--On 04 March 2011 10:46 +0100 Alan DeKok al...@deployingradius.com wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel.

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024)

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread James J J Hooper
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread James J J Hooper
--On Friday, March 04, 2011 12:04:51 + James J J Hooper jjj.hoo...@bristol.ac.uk wrote: --On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please,

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Phil Mayers
On 04/03/11 09:46, Alan DeKok wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. Isn't that what this code does in rlm_eap_mschapv2.c: static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) Then you're

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
Phil Mayers wrote: On 04/03/11 09:46, Alan DeKok wrote: Isn't that what this code does in rlm_eap_mschapv2.c: It's *supposed* to add the error message. But so far as I can see, it's never called when the PW_MSCHAP_ERROR is used. Perhaps I'm mis-reading it? Nope. It's just never used.

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
Alan DeKok wrote: James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread James J J Hooper
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok al...@deployingradius.com wrote: Alan DeKok wrote: James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
James J J Hooper wrote: ... *** With a locked out user it does: server eduroamlocal-inner { Exec-Program output: Account locked out (0xc234) Exec-Program-Wait: plaintext: Account locked out (0xc234) Exec-Program: returned: 1 rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread John . Hayward
See comments below - johnh... Phil Mayers wrote: On 04/03/11 09:46, Alan DeKok wrote: Isn't that what this code does in rlm_eap_mschapv2.c: It's *supposed* to add the error message. But so far as I can see, it's never called when the PW_MSCHAP_ERROR is used. Perhaps I'm mis-reading it?

Re: MS-CHAP-V2 with no retry

2011-03-04 Thread Alan DeKok
john.hayw...@wheaton.edu wrote: 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was a response sent back to the client but there was no message in the response. It's more complicated. The

MS-CHAP-V2 with no retry

2011-03-03 Thread John Hayward
According to RFC2759 section 9.1.3 - 9.1.5 an authentication failure can return (E=691 R=0) --- failure no retry or (E=691 R=1) failure, disable short timeout and allow a retry with ++ID. freeradius apparently only returns (E=691 R=1) in three different places in
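Added example (not FreeRADIUS code, and not anything posted in the thread) pulling together the three protocol points the messages above argue over: the RFC 2759 Failure text "E=... R=... C=... V=... M=..." with R=0 versus R=1 and the fresh C= challenge that the server has to remember because the retried response is computed against it; the EAP-MSCHAPv2 framing of that text as an EAP *Request* carrying OpCode 4 rather than a bare EAP-Failure; and the per-session retry budget John asks to be made configurable. Function and class names, the default retry limit of 3, the M= strings and the sample challenge bytes are this example's own assumptions; the MS-Length definition (EAP Length minus 5) follows the EAP-MSCHAPv2 draft layout.

```python
"""MS-CHAPv2 Failure message, EAP-MSCHAPv2 Failure Request framing and a
retry budget. Illustrative code added to the thread; not rlm_eap_mschapv2.
Names, retry limit and sample data below are assumptions of this example."""
import os
import re
import struct

# Error codes from RFC 2759 carried in the E= field.
ERROR_PASSWD_EXPIRED = 648
ERROR_AUTHENTICATION_FAILURE = 691

# EAP (RFC 3748) and EAP-MSCHAPv2 (draft-kamath-pppext-eap-mschapv2) constants.
EAP_CODE_REQUEST = 1
EAP_CODE_FAILURE = 4
EAP_TYPE_MSCHAPV2 = 26
MSCHAPV2_OPCODE_FAILURE = 4
MSCHAPV2_VERSION = 3          # V=3 identifies MS-CHAPv2
CHALLENGE_LEN = 16            # C= carries 16 octets as 32 hex digits

_FAILURE_RE = re.compile(
    r"^E=(?P<E>\d{1,10}) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32}) V=(?P<V>\d{1,10})"
    r"(?: M=(?P<M>.*))?$"
)


def build_failure_message(error, retry_allowed, new_challenge, message=None):
    """Render the RFC 2759 Failure text. R=1 tells the peer to disable its
    short timeout and re-prompt the user; R=0 means no retry. The caller must
    keep new_challenge: a retried response is computed against it."""
    if len(new_challenge) != CHALLENGE_LEN:
        raise ValueError("challenge must be 16 octets")
    text = "E=%d R=%d C=%s V=%d" % (
        error, 1 if retry_allowed else 0, new_challenge.hex().upper(), MSCHAPV2_VERSION)
    if message is not None:
        text += " M=" + message
    return text


def parse_failure_message(text):
    """Parse the Failure text back into fields; anything that does not match
    the RFC 2759 layout (e.g. a truncated challenge) is rejected."""
    m = _FAILURE_RE.match(text)
    if m is None:
        raise ValueError("malformed MS-CHAPv2 Failure message: %r" % text)
    return {"E": int(m.group("E")), "R": m.group("R") == "1",
            "C": bytes.fromhex(m.group("C")), "V": int(m.group("V")),
            "M": m.group("M")}


def eap_mschapv2_failure_request(eap_id, mschapv2_id, failure_text):
    """Wrap the Failure text as EAP-Request/EAP-MSCHAPv2 with OpCode 4.
    Layout: Code(1) Identifier(1) Length(2) Type(1) OpCode(1) MS-CHAPv2-ID(1)
    MS-Length(2) Message. MS-Length covers OpCode through Message, i.e. the
    EAP Length minus 5 (assumed per the EAP-MSCHAPv2 draft). This is Code 1,
    a Request the peer must answer, not an EAP-Failure (Code 4)."""
    msg = failure_text.encode("ascii")
    ms_length = 4 + len(msg)
    eap_length = 5 + ms_length
    return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, eap_id, eap_length,
                       EAP_TYPE_MSCHAPV2, MSCHAPV2_OPCODE_FAILURE,
                       mschapv2_id, ms_length) + msg


def eap_failure(eap_id):
    """The terminal EAP-Failure (Code 4, Length 4), sent once the peer has
    acknowledged the Failure Request or when no retry is allowed."""
    return struct.pack(">BBH", EAP_CODE_FAILURE, eap_id, 4)


class RetryBudget:
    """Per-session retry counter. The limit is an assumption of this example;
    FreeRADIUS keeps no long-term per-user state, which is why the thread
    suggests a database for a cross-session count."""

    def __init__(self, max_retries=3, rng=os.urandom):
        self.max_retries = max_retries
        self.failures = 0
        self.pending_challenge = None   # the C= value the next response must use
        self._rng = rng

    def on_bad_password(self):
        """Return the Failure text for this attempt: R=1 with a new challenge
        while retries remain, R=0 once the budget is exhausted."""
        self.failures += 1
        retry = self.failures <= self.max_retries
        challenge = self._rng(CHALLENGE_LEN)
        self.pending_challenge = challenge if retry else None
        return build_failure_message(ERROR_AUTHENTICATION_FAILURE, retry, challenge,
                                     "Invalid password" if retry else "Too many failures")


if __name__ == "__main__":
    budget = RetryBudget(max_retries=2)
    for attempt in range(3):
        text = budget.on_bad_password()
        pkt = eap_mschapv2_failure_request(eap_id=10 + attempt, mschapv2_id=1, failure_text=text)
        print(attempt + 1, text, "| EAP Code", pkt[0], "OpCode", pkt[5])
```

Walking the three attempts in the usage block shows the shape the clients in the thread react to: two R=1 messages, each with a different C= that the server stores in pending_challenge, then an R=0 message after which only eap_failure() remains to be sent. A supplicant that hangs on R=1 (as reported for Symbian above) is reacting to the Request framing, so when debugging it is worth checking pkt[0] is 1 and not 4 before looking at the text.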

Re: MS-CHAP-V2 with no retry

2011-03-03 Thread Phil Mayers
It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that Macs/iPhones/iPads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be configured as to how many

Re: MS-CHAP-V2 with no retry

2011-03-03 Thread John . Hayward
On Thu, 3 Mar 2011, Phil Mayers wrote: Date: Thu, 3 Mar 2011 17:09:42 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry It has been