Theparanoidone Theparanoidone wrote:
> We have successfully implemented a test patch. This test patch moves away from
> implementing mschapv2 in the client connection and specifying PAP. It changes
> the opendirectory response, and only requires two lines of code to change in
> rlm_opendirectory.c. I include the updated block of code here:

You are welcome to maintain this patch locally, i.e. on your system. "git" makes this easy. However, it cannot be added to the server.

> Long term to make a patch like this useful... perhaps a freeradius configuration
> option called "allowExpiredPasswordsAndPasswordResets = yes" could be
> implemented.... (unless there is an easier way to do this in Post-Auth-Reject..
> see my request above).

Check the password by hand, using a shell script.

> I am still interested in:
>
> 1) An example Auth-Post-Reject example (basic code block and where to place it
> as my attempts have failed)

You can't turn a reject into an accept.

> 2) If anyone has any additional information about EAPOL Logoff packets being
> transmitted on client password reset prompts, I'd be interested in hearing about
> it.

No one else does password changes that way.

> 3) A long term solution; I don't believe password expirations are that uncommon
> anymore with all the security requirements (HIPAA, PCI, etc etc) that depend
> upon this.

Password change is not part of RADIUS.

Alan DeKok.