Apologies for keeping this going on the freeradius list when it is nothing to do with it, but has anyone seen this behaviour on anything but a Windows supplicant? I'm trying to debug whether it's a supplicant or NAS issue.
As Alan has said, this is not a freeradius issue. I see the same symptoms on another network that we have, which uses Microsoft IAS. The only common ground is the OS and the Cisco authenticator (three different models: Catalyst 2950, WLC4400 and WLC5500). Microsoft have analysed trace logs I have given them and pointed the finger at the NAS, but as I only see this on Windows supplicants I'm not so sure.

If there is a more appropriate list to move this to then I will happily oblige to avoid the noise on the FR list.

Cheers,
Andi

-----Original Message-----
From: freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: 03 April 2012 16:28
To: FreeRadius users mailing list
Subject: Re: Windows 7 prompting several times

jaimeventura wrote:
> Now, if the user enters wrong credentials, Windows prompts for
> credentials again with a message stating that the user credentials are
> invalid. The problem is that if the user now types the correct
> credential, the access will still be denied. After the third retry,
> Windows gives up on asking and the user must click on the wireless
> network icon, to start the login process again.

See the ChangeLog for 2.1.11:

* Make retry and error message configurable in mschap. See raddb/modules/mschap
* Allow EAP-MSCHAPv2 to send error message to client. This change allows some clients to prompt the user for a new password. See raddb/eap.conf, mschapv2 section, "send_error".

> As Alan said, this seemed like Windows was caching the bad credentials.
> But, the logs state a different message. After the first "access
> denied", each retry comes with a "rlm_eap_mschapv2:Unexpected response
> received".
> I'm not saying there's a freeradius fault, it can be Windows' fault or
> just Windows not following the RFC (wouldn't be the first time).

I already said who to blame: That failure message is being sent by the Windows machine. FreeRADIUS just logs it. Don't blame the messenger.

> Apparently Windows is sending an EAP-Response/MSCHAP_Failure where it
> should send an EAP-Failure/MSCHAP_Failure (to acknowledge the previously
> sent EAP-Request/Failure, according to RFC 'Appendix A - Examples')

Yes.

> Or
> Should send an EAP-Response/MSCHAP_Response since it is actually
> retrying the authentication.

Possibly.

> One possibility is that the new "send_error" option is misleading Windows.
> According to RFC 'Appendix A - Examples', a "retry" flag in order to
> tell Windows to try again.

FreeRADIUS sets the retry flag.

> Since my knowledge of the freeradius source code is very basic, I
> couldn't figure out exactly if this is happening.

You're wasting your time by looking at FreeRADIUS.

The Windows box is prompting multiple times for the password. This is because the *WINDOWS BOX* is prompting multiple times for the password. It has nothing to do with FreeRADIUS. No amount of poking FreeRADIUS will fix it.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
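
Added example, not part of the original thread and not FreeRADIUS code: when tracing a retry loop like the one discussed above, decoding the MS-CHAPv2 failure message shows directly whether the server set the retry flag. This Python parser reads the `E= R= C= V= M=` string defined in RFC 2759, section 6, as it appears in a packet capture or debug log; the function name and the sample strings are constructed for illustration.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet in RFC 2759, section 6.
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Layout: "E=eeeeeeeeee R=r C=<32 hex digits> V=vvvvvvvvvv M=<msg>".
# C, V and M are treated as optional so truncated log lines still parse.
FAILURE_RE = re.compile(
    r"^E=(?P<E>\d{1,10}) R=(?P<R>[01])"
    r"(?: C=(?P<C>[0-9A-Fa-f]{32}))?"
    r"(?: V=(?P<V>\d{1,10}))?"
    r"(?: M=(?P<M>.*))?$",
    re.DOTALL,
)

def parse_failure(message):
    """Parse an MS-CHAPv2 failure message; raise ValueError if malformed."""
    m = FAILURE_RE.match(message.strip())
    if m is None:
        raise ValueError("not an MS-CHAPv2 failure message: %r" % message)
    code = int(m.group("E"))
    return {
        "error": code,
        "error_name": ERROR_NAMES.get(code, "UNKNOWN"),
        "retry_allowed": m.group("R") == "1",  # R=1: peer may retry
        "new_challenge": bytes.fromhex(m.group("C")) if m.group("C") else None,
        "version": int(m.group("V")) if m.group("V") else None,
        "text": m.group("M"),
    }

# Constructed samples, not captured from the networks in this thread.
SAMPLES = [
    "E=691 R=1 C=00112233445566778899AABBCCDDEEFF V=3 M=Re-enter the password",
    "E=691 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Authentication failed",
]

if __name__ == "__main__":
    for s in SAMPLES:
        f = parse_failure(s)
        print(f["error_name"], "retry" if f["retry_allowed"] else "no-retry", f["text"])
```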