Re: MS-CHAP-V2 with no retry

Wed, 20 Apr 2011 19:03:40 -0700

Thanks for the patches - I've built a new server and hopefully will test tomorrow.
On the re-reading of config I can live without the HUP not causing mschap to re-read it's config - just assumed that it would. 

johnh...
On Wed, 20 Apr 2011, Phil Mayers wrote:


Date: Wed, 20 Apr 2011 17:53:42
From: Phil Mayers <p.may...@imperial.ac.uk>
Reply-To: FreeRadius users mailing list
    <freeradius-users@lists.freeradius.org>
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry

On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:

I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retires.

There are two items I observed with testing:

1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap
module - so changing this module while testing seemed to require a
restart on the server. Is that the expected behavior?



rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be 
terribly hard to write one - the module is fairly stateless. It's probably 
best to just restart the server though.



2) If retry=yes then on Windows-7 on failure a notification is given if
they click they are presented with a message indicating their username
or password are incorrect and given an opportunity to re-enter only a
password. If they enter the correct password the authentication fails
and they have to re-connect to get a duologue box where they can enter
both the username and password. I have not traced down to determine why
the client thinks there is a failure (eg need to see if FRS thinks it is
a failure or not). This I believe is not what should be happening.



I think this is probably because the EAP-MSCHAP modules needs to parse and 
store the new challenge in the error message. If it doesn't, the server and 
client will disagree on the challenge/response value and auth will fail



This patch implements the required behaviour (as part of the "support 
password change" code):


https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9
-

List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





























					Reply via email to