It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be conigured as to how many retries were allowed before returning authentication failure with no retry?
Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP?
Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether "change password" means "user tries again with a different password string" or "user executes the change-password protocol because their old one has expired)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html