Hi all, I'm trying to configure my freeradius server to prompt the user to retype their credentials if they mistype the username or password so that they can be authenticated via dot1x.
I've checked my virtual server post-auth and found:

post-auth {
        exec
        packetfence
        Post-Auth-Type REJECT {
                attr_filter.access_reject
        }
}

So I then looked inside attr_filter.access_reject and added the Password-Retry attribute as below:

DEFAULT
        EAP-Message =* ANY,
        State =* ANY,
        Message-Authenticator =* ANY,
        Reply-Message =* ANY,
        MS-CHAP-Error =* ANY,
        Proxy-State =* ANY,
        Password-Retry := 3

However when I force my test Windows 7 client to fail using a bad password I'm not reprompted to enter a new password at all. When running a debug I see the Password-Retry attribute being sent in the Access-Reject section. The following results are the debug output:

rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=169, length=308
        User-Name = "sm18818"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        EAP-Message = 0x0208006b19001703010060f87a45874abccfef74c9674f4dcc93d9f804ecc7db489bfa2205e4a5c2f691543d9de8c31c0c84fb2da83121280190827555f2e2cb16784fabf62a775b6caca028e7a56405a8c7e64d0e3855a75615e2275ce7a40ace04929dbbf623562650c3
        Message-Authenticator = 0xd7a475900d0efb6a752d8c59da3f6dc6
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        State = 0xd8956e82de9d77cd0f3a27e6f3c50521
        NAS-IP-Address = 10.1.1.21
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 8 length 107
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138
server packetfence {
[peap] Setting User-Name to sm18818
Sending tunneled request
        EAP-Message = 0x020800421a0208003d31375d05e236695687a5bd102f646c02450000000000000000ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad00736d3138383138
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "sm18818"
        State = 0x7642bbe8764aa17935847ca964c2e70f
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        NAS-IP-Address = 10.1.1.21
server packetfence-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: sm18818
[mschap] Told to do MS-CHAPv2 for sm18818 with NT-Password
[mschap]        expand: %{Stripped-User-Name} ->
[mschap]        ... expanding second conditional
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap]        expand: %{User-Name:-None} -> sm18818
[mschap]        expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=sm18818
[mschap]  mschap2: c7
[mschap] Creating challenge hash with username: sm18818
[mschap]        expand: --challenge=%{mschap:Challenge:-00} -> --challenge=e8c9f13e6c1cd2a3
[mschap]        expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ba7cffdf85864518ecc5b323c793c6a254e781a06009e9ad
Exec-Program output: Logon failure (0xc000006d)
Exec-Program-Wait: plaintext: Logon failure (0xc000006d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server packetfence-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        MS-CHAP-Error = "\010E=691 R=1"
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 169 to 10.1.1.21 port 1645
        EAP-Message = 0x0109002b1900170301002046a93765d835a4d9441c538ef7abcb1ef20e14d69d31cd9afbf8bd34f017fb64
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd8956e82df9c77cd0f3a27e6f3c50521
Finished request 7.
Going to the next request
Waking up in 3.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.21 port 1645, id=170, length=244
        User-Name = "sm18818"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "00-09-E8-98-A0-02"
        Calling-Station-Id = "00-24-54-42-86-04"
        EAP-Message = 0x0209002b19001703010020d6f77af2663bc82ac052d9afb815c2b900be28fa33360b6f6ce08326d867b3cc
        Message-Authenticator = 0xa004edde5ec362abceec91909403265a
        Cisco-AVPair = "audit-session-id=0A0101150000018BAED66314"
        NAS-Port-Type = Ethernet
        NAS-Port = 50002
        NAS-Port-Id = "FastEthernet0/2"
        State = 0xd8956e82df9c77cd0f3a27e6f3c50521
        NAS-IP-Address = 10.1.1.21
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "sm18818", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap] The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail". Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> sm18818
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 170 to 10.1.1.21 port 1645
        Password-Retry := 3
        EAP-Message = 0x04090004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.9 seconds.

Is there somewhere else I need to enable this attribute? Does it need adding to the dictionary on the client?

Cheers,

Andi
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
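For readers following the thread, here is a small added example (my own code, not part of FreeRADIUS or of the original post) that models what the rlm_attr_filter module does with the DEFAULT entry shown in the post. It parses that entry, applies it to a reply attribute list, and produces the same three attributes the post's debug output shows in the final Access-Reject. The semantics are a simplified model of the real module: `=*` lets an attribute through with any value, `==` and `!=` make it conditional on the value, `:=` forces an attribute in, and anything not listed is stripped. The sample reply below is constructed; the `Tunnel-Private-Group-Id` pair is made up to show stripping of an attribute that should not leak on a reject.

```python
"""Added example, not FreeRADIUS code: a simplified model of how the
rlm_attr_filter access_reject rules rewrite an Access-Reject's attributes."""
import re

# The DEFAULT entry exactly as the post shows it in attr_filter.access_reject.
ACCESS_REJECT_RULES = """
DEFAULT
    EAP-Message =* ANY,
    State =* ANY,
    Message-Authenticator =* ANY,
    Reply-Message =* ANY,
    MS-CHAP-Error =* ANY,
    Proxy-State =* ANY,
    Password-Retry := 3
"""

# One rule line: attribute, operator, value; the trailing comma is optional
# because the last item of an entry has none.
_RULE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(=\*|:=|==|!=)\s*(\S+?)\s*,?\s*$')


def parse_entry(text):
    """Parse one attr_filter entry into (key, [(attr, op, value), ...])."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    key, rules = lines[0].strip(), []
    for line in lines[1:]:
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable attr_filter rule: %r" % line)
        rules.append(m.groups())
    return key, rules


def filter_reply(reply, rules):
    """Apply the rules to a reply given as a list of (attr, value) pairs.

    Simplified semantics modelled here:
      =*  the attribute may stay, whatever its value
      ==  the attribute stays only if its value matches the rule
      !=  the attribute stays only if its value differs from the rule
      :=  the attribute is forced to the rule's value
    Attributes no rule mentions are stripped from the reply.  Forced
    attributes are emitted first, matching the order in the post's debug.
    """
    forced = [(a, v) for a, op, v in rules if op == ':=']
    forced_names = {a for a, _ in forced}
    kept = []
    for attr, value in reply:
        if attr in forced_names:
            continue  # replaced by the forced value above
        allow = False
        for r_attr, op, r_val in rules:
            if r_attr != attr:
                continue
            if op == '=*' or (op == '==' and value == r_val) \
                    or (op == '!=' and value != r_val):
                allow = True
        if allow:
            kept.append((attr, value))
    return forced + kept


# Constructed sample reply before post-auth filtering.  The first two pairs are
# the ones the post's Access-Reject carries; the VLAN assignment is made up here
# to show that an attribute no rule lists is dropped from the reject.
SAMPLE_REPLY = [
    ("EAP-Message", "0x04090004"),
    ("Message-Authenticator", "0x00000000000000000000000000000000"),
    ("Tunnel-Private-Group-Id", "100"),
]


def filtered_access_reject(reply=SAMPLE_REPLY, entry=ACCESS_REJECT_RULES):
    """Run the entry over the reply and return the attributes that go out."""
    key, rules = parse_entry(entry)
    if key != "DEFAULT":
        raise ValueError("expected the DEFAULT entry, got %r" % key)
    return filter_reply(reply, rules)


if __name__ == "__main__":
    print("Sending Access-Reject")
    for attr, value in filtered_access_reject():
        print("\t%s = %s" % (attr, value))
```

The output reproduces the post's packet: Password-Retry := 3, then the EAP Failure in EAP-Message and a Message-Authenticator, with the made-up VLAN attribute removed. Worth keeping in mind when reading that packet: Password-Retry is an attribute addressed to the NAS (RFC 2869), and an 802.1X switch relays only the EAP-Message payload to the supplicant, so the attribute reaching the switch in the outer Access-Reject is a separate question from what the Windows client is shown.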