All,

We're rolling out a password-expiry policy here, and it's been suggested that it would be helpful for the VPN to prompt a user to change their password, rather than just lock them out.

The VPN is poptop on Linux, authing to FreeRadius, which currently talks to winbind and then to our w2k3 servers but may be moving to proxy the final inner mschap to IAS (all the policy checks and interesting stuff will be staying on FreeRadius - but using FR2 and a proxy plus pool of home servers seems likely to give us better failure and recovery characteristics when an AD controller goes away)

When we MS-CHAP an expired account we get a MS-CHAP-Error packet in the reply as expected:

Sending Access-Request of id 7 to 192.168.29.34 port 1812
        Service-Type = Framed-User
        Framed-Protocol = PPP
        User-Name = "test"
        MS-CHAP-Challenge = 0xSNIP
        MS-CHAP2-Response = 0xSNIP
        Calling-Station-Id = 192.168.55.55
        NAS-IP-Address = 192.168.54.54
        NAS-Port = 0
        Proxy-State = 0x3633
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7, length=46
        Proxy-State = 0x3633
        MS-CHAP-Error = "\000E=648 R=0 V=3"

...however FreeRadius obeys the RFCs, and doesn't proxy the MS-CHAP-Error packet back to the radius client (pppd "radius.so" plugin) so my patches to pppd are unable to act on the error code.

Am I wasting my time?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
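The failure string in the MS-CHAP-Error attribute above has a defined layout, so it is worth showing how a NAS-side plugin would decode it before deciding to prompt for a password change. The following is an added example, not code from the poster, from pppd or from FreeRADIUS: it extracts the attribute from a FreeRADIUS debug line, undoes the octal escapes FreeRADIUS prints, splits off the one-byte Ident that RFC 2548 puts in front of the string, and parses the RFC 2759 failure fields (E= error code, R= retry flag, C= new challenge, V= version, M= message). The error code names come from RFC 2759 section 6; the `vpn_action` policy and the sample debug lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Failure-string error codes as listed in RFC 2759 section 6.
MSCHAP_ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Matches the quoted value in a FreeRADIUS debug line such as
#   MS-CHAP-Error = "\000E=648 R=0 V=3"
_ATTR_RE = re.compile(r'MS-CHAP-Error\s*=\s*"((?:[^"\\]|\\.)*)"')
_OCTAL_RE = re.compile(r'\\([0-7]{3})')


@dataclass
class MsChapError:
    ident: int                  # Ident byte prepended per RFC 2548 section 2.1.6
    error_code: int             # E= field
    error_name: str
    retry_allowed: bool         # R= field, "1" means the peer may retry
    challenge: Optional[bytes]  # C= field, 16 bytes hex, only present on retry
    version: Optional[int]      # V= field
    message: str                # M= field, free text

    @property
    def password_expired(self) -> bool:
        return self.error_code == 648


def extract_mschap_error(debug_line: str) -> Optional[str]:
    """Return the still-escaped attribute value from a debug line, or None."""
    m = _ATTR_RE.search(debug_line)
    return m.group(1) if m else None


def unescape_freeradius(value: str) -> str:
    """Undo FreeRADIUS debug-output escapes: \\ooo octal, \\" and \\\\."""
    value = _OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), value)
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_mschap_error(value: str) -> MsChapError:
    """Parse Ident + RFC 2759 failure string into its fields."""
    text = unescape_freeradius(value)
    if len(text) < 2:
        raise ValueError("MS-CHAP-Error value too short")
    ident, failure = ord(text[0]), text[1:]
    e = re.search(r'E=(\d+)', failure)
    if not e:
        raise ValueError("MS-CHAP-Error missing E= field")
    code = int(e.group(1))
    r = re.search(r'\bR=([01])\b', failure)
    c = re.search(r'\bC=([0-9A-Fa-f]{32})\b', failure)
    v = re.search(r'\bV=(\d+)\b', failure)
    msg = re.search(r'\bM=(.*)$', failure)
    return MsChapError(
        ident=ident,
        error_code=code,
        error_name=MSCHAP_ERROR_CODES.get(code, "UNKNOWN"),
        retry_allowed=bool(r and r.group(1) == "1"),
        challenge=bytes.fromhex(c.group(1)) if c else None,
        version=int(v.group(1)) if v else None,
        message=msg.group(1) if msg else "",
    )


def vpn_action(err: MsChapError) -> str:
    """Hypothetical NAS-side policy: what a pppd plugin would do with the decoded error."""
    if err.password_expired:
        return "prompt-password-change"
    if err.error_code == 691 and err.retry_allowed:
        return "retry"
    return "reject"


if __name__ == "__main__":
    # Constructed debug line modelled on the Access-Reject quoted in the post.
    line = r'        MS-CHAP-Error = "\000E=648 R=0 V=3"'
    err = parse_mschap_error(extract_mschap_error(line))
    print(err)
    print("action:", vpn_action(err))
```

The decoding only matters if the attribute actually reaches the NAS; when the Access-Reject is proxied and FreeRADIUS strips vendor attributes from the reply, `extract_mschap_error` returns None and the plugin has nothing to act on, which is exactly the situation the post describes.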
