Greetings~ We are working on a patch.
We're of the opinion that Apple's version of rlm_mschap / opendir included with freeradius is missing something. It appears they were only considering someone entering a failed login/password combo... not a user with a password reset or an expired password.

Here are the lines from opendir.c:

======
if (status != eDSNoErr) {
    errno = EACCES;
    radlog(L_ERR, "rlm_mschap: authentication failed %d", status); /* <-- returns -14091 (eDSAuthMethodNotSupported) -14090 */
    return RLM_MODULE_REJECT;
}
======

The comment provided makes it seem like they only expected error -14090...

-14090: eDSAuthFailed
0: eDSNoErr

But what about?

-14161: eDSAuthNewPasswordRequired
-14162: eDSAuthPasswordExpired

Possible solutions:
---------------------------

Solution 1) Edit the opendir.c module to simply detect error status -14161 and -14162... and simply set the status to 0 instead. This should be "good enough" because we know the original password supplied was correct, therefore... let the user proceed to full login through use of the login screen's built-in password prompt. (This assumes a user is authenticating to a networked home login, and probably requires the client to be a Mac OS X client.)

Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to override the failed login and force the response to Auth-Accept. Perhaps some pseudo conf code that says: if reject-message == -14162 || reject-message == -14161 ... then "ok update auth-type := accept".

Can anyone provide a sample Post-Auth-Type Reject example to do this?

Thanks in advance.

(PS... looks like this has been an issue for a while??? We are new to freeradius... but I found your post here: http://www.opensubscriber.com/message/freeradius-de...@lists.freeradius.org/5906511.html from 3 years ago ... are we the only few interested in port security and a password policy?)
----- Original Message ----
From: "Garber, Neal" <neal.gar...@energyeast.com>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Wed, August 11, 2010 8:32:07 PM
Subject: RE: Password Policy - Expired Password - mschap

> if you enable the ldap/(opendirectory) option to "require user to change
> password on next login" the client is unable to connect.

FreeRADIUS doesn't support password changes via MSCHAP. Historically, Samba didn't even support it until a couple of years ago. I believe support for this functionality was added to Samba 3.0.24 using a new helper protocol called ntlm-change-password-1. I posted something to the list asking if there was interest quite a while ago. Implementing this new helper protocol is not a trivial change to FreeRADIUS. Unfortunately, I haven't had enough free time to devote to implementing it yet. If you have the time to create the patch, I'll be one of the testers ;-)

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
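An added example, not the rlm_mschap/opendir.c code from the post and not part of the thread: a stand-alone C model of the status check quoted above, with the original "anything but eDSNoErr rejects" logic next to the Solution 1 variant that separates the two password-policy codes from a genuinely wrong password. The status constants are the values listed in the post; the RLM_MODULE_* values, the allow_policy_pass switch and the reason string handed back to the caller are assumptions for illustration, not FreeRADIUS's real module interface. Two caveats a practitioner would want: passing eDSAuthPasswordExpired / eDSAuthNewPasswordRequired means a user whose password policy says "must change" gets onto the network first and changes it later (Neal's reply says MSCHAP through FreeRADIUS cannot carry the change itself), so only enable that where the client really does force the change at login; and in the quoted code the status goes only to radlog, so a Post-Auth-Type REJECT section (Solution 2) has no attribute carrying the -14161/-14162 value to match on unless the module is changed to export it, which makes the in-module fix the practical one.

```c
/*
 * Added example: model of the opendir.c status check from the post.
 * Not the actual rlm_mschap code; constants below are stand-ins.
 */
#include <stdio.h>
#include <string.h>

/* DirectoryService status codes exactly as named in the post. */
enum {
    eDSNoErr                   = 0,
    eDSAuthFailed              = -14090,
    eDSAuthMethodNotSupported  = -14091,
    eDSAuthNewPasswordRequired = -14161,
    eDSAuthPasswordExpired     = -14162
};

/* Assumed stand-ins for FreeRADIUS's module return codes. */
enum { RLM_MODULE_REJECT = 0, RLM_MODULE_OK = 1 };

/* What the quoted check does: any non-zero status is a reject. */
int od_rcode_original(int status)
{
    if (status != eDSNoErr) {
        return RLM_MODULE_REJECT;
    }
    return RLM_MODULE_OK;
}

/*
 * Solution 1 from the post: for eDSAuthNewPasswordRequired and
 * eDSAuthPasswordExpired the supplied password was correct, so the
 * check may pass and leave the policy state for the caller in *reason.
 * allow_policy_pass (assumed operator switch) keeps the strict behaviour
 * when 0. A wrong password, an unsupported auth method or any unknown
 * status is still a reject.
 */
int od_rcode_fixed(int status, int allow_policy_pass, const char **reason)
{
    switch (status) {
    case eDSNoErr:
        *reason = "ok";
        return RLM_MODULE_OK;
    case eDSAuthNewPasswordRequired:
        *reason = "password change required";
        return allow_policy_pass ? RLM_MODULE_OK : RLM_MODULE_REJECT;
    case eDSAuthPasswordExpired:
        *reason = "password expired";
        return allow_policy_pass ? RLM_MODULE_OK : RLM_MODULE_REJECT;
    case eDSAuthFailed:
        *reason = "bad password";
        return RLM_MODULE_REJECT;
    default:
        /* eDSAuthMethodNotSupported and anything unexpected: fail closed. */
        *reason = "directory error";
        return RLM_MODULE_REJECT;
    }
}

int main(void)
{
    /* Constructed sample of statuses the directory might return. */
    int sample[] = { eDSNoErr, eDSAuthFailed, eDSAuthMethodNotSupported,
                     eDSAuthNewPasswordRequired, eDSAuthPasswordExpired };
    size_t i;

    for (i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        const char *why;
        int orig  = od_rcode_original(sample[i]);
        int fixed = od_rcode_fixed(sample[i], 1, &why);
        printf("status %6d: original=%-6s fixed=%-6s (%s)\n", sample[i],
               orig  == RLM_MODULE_OK ? "OK" : "REJECT",
               fixed == RLM_MODULE_OK ? "OK" : "REJECT", why);
    }
    return 0;
}
```

Run it with allow_policy_pass set to 0 and the two functions agree on every status; with it set to 1 only the two policy codes change from REJECT to OK, which is the whole of Solution 1.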