I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retries.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior?

2) If retry=yes, then on Windows 7 on failure a notification is given; if they click it, they are presented with a message indicating their username or password is incorrect and are given an opportunity to re-enter only a password. If they enter the correct password, the authentication fails and they have to re-connect to get a dialogue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (e.g. need to see if FRS thinks it is a failure or not). This I believe is not what should be happening.

johnh...


On Wed, 13 Apr 2011, john.hayw...@wheaton.edu wrote:

Date: Wed, 13 Apr 2011 16:19:26
From: john.hayw...@wheaton.edu
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Subject: Re: MS-CHAP-V2 with no retry

First - thanks to the free radius group for all the work on this over the weekend.

There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place.

Can someone point me to exactly what I need to "git" to get the current version of freeradius with the patches so I can do some testing at our site?

TIA.
johnh...

On Mon, 11 Apr 2011, Phil Mayers wrote:

Date: Mon, 11 Apr 2011 08:45:13
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list
    <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 11/04/11 11:22, Phil Mayers wrote:
On 10/04/11 15:41, James J J Hooper wrote:


This C=<random> needs to be saved and eventually make its way into
data->challenge so that the line lower down:
memcpy(challenge->vp_strvalue, data->challenge, MSCHAPV2_CHALLENGE_LEN);

It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.

This would also get us part of the way there to password change via
mschap (Samba currently lacks the specific API call to do this, with the
values available in an MSCHAP CPW packet, but it might be possible to
compile a C helper which does it...)


The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me.

It needs a bit of work, specifically there should be a:

num_retries

...parameter, and the EAP module should keep track of retry attempt counts, and stop when either:

try_number > num_retries

or

R=0 in the MS-CHAP-Error attribute

Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time.

It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo.

I'll spin up an SSID and give it a try with real clients later today.

Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is "password expired" and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password).


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
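Added example, not code from FreeRADIUS or from any poster in this thread: a small C parser for the MS-CHAP-Error value ("E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>", the RFC 2759 format) that saves the new C= challenge, as James and Phil discuss, and applies the stop rule Phil proposes (no retry once try_number > num_retries or when R=0). The struct and function names are assumptions, and only the E, R and C fields are decoded.

```c
/* Added example, not FreeRADIUS code: parse an MS-CHAP-Error value of the form
 * "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>" (RFC 2759 section 6)
 * and apply the retry rule from the thread. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define MSCHAPV2_CHALLENGE_LEN 16

struct mschap_error {
    long error_code;      /* E=: 691 = authentication failure, 648 = password expired */
    int  retry_allowed;   /* R=: 1 = client may retry, 0 = it must not */
    int  have_challenge;  /* C= present and fully decoded */
    unsigned char challenge[MSCHAPV2_CHALLENGE_LEN]; /* fresh server challenge */
};

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Returns 0 on success, -1 if E= or R= is missing or malformed.
 * A truncated C= leaves have_challenge at 0 rather than using partial bytes. */
int parse_mschap_error(const char *s, struct mschap_error *out)
{
    const char *p;
    memset(out, 0, sizeof(*out));
    if ((p = strstr(s, "E=")) == NULL || !isdigit((unsigned char)p[2])) return -1;
    out->error_code = strtol(p + 2, NULL, 10);
    if ((p = strstr(s, "R=")) == NULL || (p[2] != '0' && p[2] != '1')) return -1;
    out->retry_allowed = p[2] - '0';
    if ((p = strstr(s, "C=")) == NULL) return 0;
    for (int i = 0; i < MSCHAPV2_CHALLENGE_LEN; i++) {
        int hi = hexval((unsigned char)p[2 + 2 * i]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)p[3 + 2 * i]);
        if (lo < 0) return 0;               /* short or non-hex C=: no challenge */
        out->challenge[i] = (unsigned char)((hi << 4) | lo);
    }
    out->have_challenge = 1;
    return 0;
}

/* Retry only when the server said R=1, gave a new challenge to hand back as
 * MS-CHAP-Challenge, and this attempt is still within num_retries. */
int mschap_should_retry(const struct mschap_error *e, int try_number, int num_retries)
{
    return e->retry_allowed && e->have_challenge && try_number <= num_retries;
}
```

The challenge bytes in the struct are what would be copied into the fake request's MS-CHAP-Challenge so the retried response is checked against the new challenge rather than the original one.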