Greetings Alan~

> > Possible solutions:
> > ---------------------------
> > Solution 1) Edit the opendir.c module to simply detect error status -14161 and
> > -14162... and simply set the status to 0 instead.
>
> Absolutely not. Expired passwords are *not* OK.
>
> > Solution 2) Try and rig up something in Post-Auth-Type REJECT {...} to override
> > the failed login and force the response to Auth-Accept. Perhaps, some pseudo
> > conf code that says if reject-message == -14162 || reject-message == -14161 ...
> > then "ok update auth-type := accept"
>
> No. That's just as bad.
>
> The real reason is that very few people do password changes via MS-CHAP.
> Most people do it via Active Directory, LDAP, web pages, etc.

We are more than happy to perform the password change via LDAP (or Apple's Open Directory)... however, the client computer is unable to connect to the network if it receives a failed authentication in the first step of 802.1X port security. In other words, the switch does not unlock the port until you successfully authenticate, and therefore it appears the client login screen doesn't know how to handle this case and is unable to display a password update screen or communicate on the network. Am I missing some configuration to allow LDAP to take over?

I agree that expired passwords are bad, but in the case where the client computer is completely blocked out due to a routine password expiration... perhaps a configuration option to allow expired passwords / password resets is acceptable, should a sysadmin choose to override this setting simply for RADIUS. After all, there is only one password that will allow a user to unlock their account to update their old password... i.e. the user must present their old password one more time (which means technically the old password is still valid/good for one last task: updating the user password).

Understanding the security risks... is there an example of setting Post-Auth-Type REJECT {...} to override the reject and force the response to Auth-Accept? I've tried a number of combinations in the default virtual terminal (as another post said it is not processed in the inner tunnel), but I have been unable to get it to work. Any examples?

Thank you!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html