jaimeventura wrote:
> Now, if the user enters wrong credentials, Windows prompts for credentials
> again with a message stating that the user credentials are invalid. The
> problem is that if the user now types the correct credential, the access
> will still be denied. After the third retry, Windows gives up on asking and
> the user must click on the wireless network icon to start the login process
> again.

See the ChangeLog for 2.1.11:

* Make retry and error message configurable in mschap.
  See raddb/modules/mschap
* Allow EAP-MSCHAPv2 to send error message to client. This change
  allows some clients to prompt the user for a new password.
  See raddb/eap.conf, mschapv2 section, "send_error".

> As Alan said, this seemed like Windows was caching the bad credentials.
> But the logs state a different message. After the first "access denied",
> each retry comes with a "rlm_eap_mschapv2:Unexpected response received".
> I'm not saying there's a FreeRADIUS fault, it can be Windows' fault or just
> Windows not following the RFC (wouldn't be the first time).

I already said who to blame: That failure message is being sent by the Windows machine. FreeRADIUS just logs it. Don't blame the messenger.

> Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it should
> send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously sent
> EAP-Request/Failure, according to RFC 'Appendix A - Examples')

Yes.

> Or
> Should send an EAP-Response/MSCHAP_Response since it is actually retrying the
> authentication.

Possibly.

> One possibility is that the new "send_error" option is misleading Windows.
> According to RFC 'Appendix A - Examples', a "retry" flag in order to tell
> Windows to try again.

FreeRADIUS sets the retry flag.

> Since my knowledge of the FreeRADIUS source code is very basic, I couldn't
> figure out exactly if this is happening.

You're wasting your time by looking at FreeRADIUS. The Windows box is prompting multiple times for the password. This is because the *WINDOWS BOX* is prompting multiple times for the password. It has nothing to do with FreeRADIUS. No amount of poking FreeRADIUS will fix it.

Alan DeKok.
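
For anyone checking the retry flag in a packet capture, the following is an added example, not part of the thread and not FreeRADIUS code. It parses the MS-CHAPv2 failure string in the `E=... R=... C=... V=... M=...` layout from RFC 2759 and reports which reply a peer is expected to send next; the function names and the sample string are constructed for illustration.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759.
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# E=<code> R=<0|1> C=<32 hex digits> V=<version> [M=<text>]
FAILURE_RE = re.compile(
    r"^E=(?P<E>\d{1,10}) R=(?P<R>[01]) C=(?P<C>[0-9A-Fa-f]{32})"
    r" V=(?P<V>\d{1,10})(?: M=(?P<M>.*))?$"
)

# Constructed sample, not taken from a real capture.
SAMPLE = "E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Re-enter password"


def parse_failure(message):
    """Split a failure string into its fields; raise ValueError if malformed."""
    m = FAILURE_RE.match(message)
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure message: %r" % message)
    code = int(m.group("E"))
    return {
        "error": ERROR_CODES.get(code, "UNKNOWN(%d)" % code),
        "retry": m.group("R") == "1",              # R=1: server allows a retry
        "challenge": bytes.fromhex(m.group("C")),  # fresh challenge for the retry
        "version": int(m.group("V")),
        "text": m.group("M") or "",
    }


def expected_peer_reply(failure):
    """Name the MS-CHAPv2 packet a conforming peer sends after this failure."""
    if failure["retry"]:
        # Retry allowed: a new Response computed over failure["challenge"].
        return "Response"
    # No retry: the peer only acknowledges the failure.
    return "Failure-Response"


if __name__ == "__main__":
    parsed = parse_failure(SAMPLE)
    print(parsed["error"], "retry=%s" % parsed["retry"], expected_peer_reply(parsed))
```
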