Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: From your perspective which approach to getting retry enabled working do you recommend for 2.11 so we can be testing the same version: o my tweaks of Phil's single challenge patch o Phil's challenge and password change patches o a simpler two patch solution which does not do passwords - the challenge patch and a rearrangement patch which detects responses to retry challenges? I'd like the changes to be split logically. (1) changes to allow retry for EAP-MSCHAPv2 (2) MS-CHAP password changes. Failing that, I'd prefer to test Phil's changes as-is. They seem to do everything you need, and they're a known quantity. Is there any thing I can do to help get this accomplished? More testing. :( Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be connected and no contact your network administrator or other messages occur. Our support people are thrilled. If it's that useful, it should go into 2.1.11. I'd prefer to have everyone possible test this, so that we're sure it doesn't break anything. Remember: FreeRADIUS depends on all of you for it's success. The more you give, the better it gets. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Hi Alan, I just wanted to make sure you know what we are currently running - we started with 2.1.x after patches were put in place related to retry/no-retry - this version works properly for no-retry but does not operate correctly with retry allowed. We next applied the patch from Phil which corrected the challenge - this by itself still did not work properly with retry. We next tweaked that patch to send a request rather than failure if retry was being allowed and this worked as it should have. Phil indicated that he had reworked the mschap module to deal with password changes and as part of that change resulted in the correct behavior if his original patch to fix the challenge was left unmodified. I personally think his approach is better but more complex because it also has code related to password change (a feature we would not use). I think it would be highly desirable to get a version of the patch which works correctly with retry enabled since it significantly reduces support calls in environments which have required password changes. From your perspective which approach to getting retry enabled working do you recommend for 2.11 so we can be testing the same version: o my tweaks of Phil's single challenge patch o Phil's challenge and password change patches o a simpler two patch solution which does not do passwords - the challenge patch and a rearrangement patch which detects responses to retry challenges? Is there any thing I can do to help get this accomplished? johnh... On Tue, 26 Apr 2011, Alan DeKok wrote: Date: Tue, 26 Apr 2011 07:57:09 From: Alan DeKok al...@deployingradius.com Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry john.hayw...@wheaton.edu wrote: Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be connected and no contact your network administrator or other messages occur. Our support people are thrilled. If it's that useful, it should go into 2.1.11. I'd prefer to have everyone possible test this, so that we're sure it doesn't break anything. Remember: FreeRADIUS depends on all of you for it's success. The more you give, the better it gets. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: I like your changes better. It allows to in the future add a retry max so each failure could be counted and send a R=0 after a certain number of failures. The EAP module already does *some* checking of this. If there are more than ~40 or so round trips, it discards the session. However, it may be useful to limit the retries here to no more than 2. Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. 2.1.11 is a stable release, so breaking things is very, very, bad. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/22/2011 09:56 AM, Alan DeKok wrote: If enough people test it and say it works. 2.1.11 is a stable release, so breaking things is very, very, bad. Agreed. It's an extensive change, and needs extensive testing. Personally I'd be inclined to say don't delay 2.1.11. I hope to be able to roll this out at our site in May, which will get a few tens of thousands of clients through it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Hi, Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (theres been a lot of subtle updates flying around) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/22/2011 11:22 AM, Alan Buxey wrote: Hi, Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? If enough people test it and say it works. do we have a direct single known patch now for application to a 2.1.10 source? (theres been a lot of subtle updates flying around) The patch I wrote is against the v2.1.x development branch (i.e. against 2.1.11-pre, really) and comes in the form of 5 separate commits (an attempt at making it easy to review ;o) So no - not a single source patch to 2.1.10. It would be a bit tricky to generate without pulling in lots of the unrelated stuff that's going into 2.1.11, and I'm on holiday at the moment so would like to skip generating one! https://github.com/philmayers/freeradius-server/tarball/v2.1.x-mschap-changepass ...might give you the full source; it's not a feature of github I've used before. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. I think it's safe just to mark the module HUP-safe. It wasn't marked that way before because it had code to read a smbpasswd file. That has since been removed. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is that when we do a retry in addition to setting the challenge value we also need to change the data-code to challenge rather than failure. When the response comes back we can correctly deal with it. original patch -- with suggested changes 678 -pairmove2(response, handler-request-reply-vps, 679 -PW_MSCHAP_ERROR); 678 +pairmove2(response, handler-request-reply-vps, 679 +PW_MSCHAP_ERROR); add failure code by default data-code = PW_EAP_MSCHAPV2_FAILURE; 680 +if (response) { 681 + int n,err,retry; 682 + char buf[34]; 683 + 684 + DEBUG2( MSCHAP-Error: %s, response-vp_strvalue); 685 + 686 + /* 687 + * parse the new challenge out of the MS-CHAP-Error, so if the client 688 + * issues a re-try, we'll know the challenge value they used 689 + */ 690 + n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, retry, buf); 691 + if (n==3) { 692 +DEBUG2( Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s, err, retry, buf); 693 +fr_hex2bin(buf, data-challenge, 16); Set code to challenge if we find a challenge data-code = PW_EAP_MSCHAPV2_CHALLENGE; 694 + } else { 695 +DEBUG2( Could not parse new challenge from MS-CHAP-Error: %d, n); 696 + } 697 +} 680 remove this code since set above 698 data-code = PW_EAP_MSCHAPV2_FAILURE; END OF original patch === johnh... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Just a brief update. In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as expected with this retry patch - user is presented with a password dialog box and the connection is not aborted - user only needs to enter the correct password to be connected and no contact your network administrator or other messages occur. Our support people are thrilled. johnh... On Thu, 21 Apr 2011, john.hayw...@wheaton.edu wrote: Date: Thu, 21 Apr 2011 10:03:30 From: john.hayw...@wheaton.edu Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is that when we do a retry in addition to setting the challenge value we also need to change the data-code to challenge rather than failure. When the response comes back we can correctly deal with it. original patch -- with suggested changes 678 -pairmove2(response, handler-request-reply-vps, 679 -PW_MSCHAP_ERROR); 678 +pairmove2(response, handler-request-reply-vps, 679 +PW_MSCHAP_ERROR); add failure code by default data-code = PW_EAP_MSCHAPV2_FAILURE; 680 +if (response) { 681 + int n,err,retry; 682 + char buf[34]; 683 + 684 + DEBUG2( MSCHAP-Error: %s, response-vp_strvalue); 685 + 686 + /* 687 + * parse the new challenge out of the MS-CHAP-Error, so if the client 688 + * issues a re-try, we'll know the challenge value they used 689 + */ 690 + n = sscanf(response-vp_strvalue, %*cE=%d R=%d C=%32s, err, retry, buf); 691 + if (n==3) { 692 +DEBUG2( Found new challenge from MS-CHAP-Error: err=%d retry=%d challenge=%s, err, retry, buf); 693 +fr_hex2bin(buf, data-challenge, 16); Set code to challenge if we find a challenge data-code = PW_EAP_MSCHAPV2_CHALLENGE; 694 + } else { 695 +DEBUG2( Could not parse new challenge from MS-CHAP-Error: %d, n); 696 + } 697 +} 680 remove this code since set above 698 data-code = PW_EAP_MSCHAPV2_FAILURE; END OF original patch === johnh... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote: Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is that when we do a retry in addition to setting the challenge value we also need to change the data-code to challenge rather than failure. When the response comes back we can correctly deal with it. Hmm. I don't see that behaviour. That is probably due to the later changes I made in the EAP-MSCHAPv2 state machine, here: https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd Specifically, the old code compares client current opcode against server last opcode; the patch I wrote above does a switch over server last opcode, then permits one or more valid client opcodes. Response is specifically permitted after failure, as it change-password (opcode 7). original patch -- with suggested changes 678 - pairmove2(response, handler-request-reply-vps, This patch is a bit magic for my tastes. The only reason it works is because eapmschapv2_compose completely ignores data-code - it chooses the EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument. So essentially you're setting data-code to trick the state machine in mschapv2_authenticate, but to someone unfamiliar with the code it would read like you're sending a challenge back, which you're not - you're sending a failure back. An alternative approach would be: --- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100 +++ rlm_eap_mschapv2.c 2011-04-21 18:08:19.0 +0100 @@ -424,10 +424,6 @@ * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received); - return 0; - } /* * Ensure that we have at least enough data i.e. remove the check for client opcode 'response' only valid if we sent a 'challenge'. Or of course, widen the check to: challenge or failure Anyway, they're more or less equivalent. A matter of taste I guess. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I like your changes better. It allows to in the future add a retry max so each failure could be counted and send a R=0 after a certain number of failures. I had briefly looked at the other area and decided it would take more changes work with a response from a failure code than adjust it over when sending the failure with a challenge. Do we know if the password change (and adjustments to retry which make it work) will be included in 2.1.11? johnh... On Thu, 21 Apr 2011, Phil Mayers wrote: Date: Thu, 21 Apr 2011 12:17:55 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote: Thanks again for your work on this facility. I built and installed with the new patches. Unfortunately things did not quite work - however with a small change I could get the retry to work properly on a windows7 machine. The problem is that when we do a retry in addition to setting the challenge value we also need to change the data-code to challenge rather than failure. When the response comes back we can correctly deal with it. Hmm. I don't see that behaviour. That is probably due to the later changes I made in the EAP-MSCHAPv2 state machine, here: https://github.com/philmayers/freeradius-server/commit/8e3eece6e3c397f3a4b0c06a37a80bc8964997fd Specifically, the old code compares client current opcode against server last opcode; the patch I wrote above does a switch over server last opcode, then permits one or more valid client opcodes. Response is specifically permitted after failure, as it change-password (opcode 7). original patch -- with suggested changes 678 - pairmove2(response, handler-request-reply-vps, This patch is a bit magic for my tastes. The only reason it works is because eapmschapv2_compose completely ignores data-code - it chooses the EAP-MSCHAPv2 opcode based on the 2nd VALUE_PAIR* argument. So essentially you're setting data-code to trick the state machine in mschapv2_authenticate, but to someone unfamiliar with the code it would read like you're sending a challenge back, which you're not - you're sending a failure back. An alternative approach would be: --- rlm_eap_mschapv2.c~ 2010-10-13 13:34:16.0 +0100 +++ rlm_eap_mschapv2.c 2011-04-21 18:08:19.0 +0100 @@ -424,10 +424,6 @@ * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received); - return 0; - } /* * Ensure that we have at least enough data i.e. remove the check for client opcode 'response' only valid if we sent a 'challenge'. Or of course, widen the check to: challenge or failure Anyway, they're more or less equivalent. A matter of taste I guess. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. johnh... On Wed, 13 Apr 2011, john.hayw...@wheaton.edu wrote: Date: Wed, 13 Apr 2011 16:19:26 From: john.hayw...@wheaton.edu To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry First - thanks to the free radius group for all the work on this over the weekend. There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place. Can someone point me to exactly what I need to git to get the current version of freeradius with the patches so I can do some testing at our site? TIA. johnh... On Mon, 11 Apr 2011, Phil Mayers wrote: Date: Mon, 11 Apr 2011 08:45:13 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is password expired and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. I think this is probably because the EAP-MSCHAP modules needs to parse and store the new challenge in the error message. If it doesn't, the server and client will disagree on the challenge/response value and auth will fail This patch implements the required behaviour (as part of the support password change code): https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Thanks for the patches - I've built a new server and hopefully will test tomorrow. On the re-reading of config I can live without the HUP not causing mschap to re-read it's config - just assumed that it would. johnh... On Wed, 20 Apr 2011, Phil Mayers wrote: Date: Wed, 20 Apr 2011 17:53:42 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote: I have been able to do some testing with the adjustments for MS-CHAP-V2 related to error and retires. There are two items I observed with testing: 1) If I sent a HUP signal to the server it appears to re-read the configuration files but for some reason does not re-read the mschap module - so changing this module while testing seemed to require a restart on the server. Is that the expected behavior? rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't be terribly hard to write one - the module is fairly stateless. It's probably best to just restart the server though. 2) If retry=yes then on Windows-7 on failure a notification is given if they click they are presented with a message indicating their username or password are incorrect and given an opportunity to re-enter only a password. If they enter the correct password the authentication fails and they have to re-connect to get a duologue box where they can enter both the username and password. I have not traced down to determine why the client thinks there is a failure (eg need to see if FRS thinks it is a failure or not). This I believe is not what should be happening. I think this is probably because the EAP-MSCHAP modules needs to parse and store the new challenge in the error message. If it doesn't, the server and client will disagree on the challenge/response value and auth will fail This patch implements the required behaviour (as part of the support password change code): https://github.com/philmayers/freeradius-server/commit/44a81366fb0b909d9165ec5650004bd979c0f9d9 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
First - thanks to the free radius group for all the work on this over the weekend. There have been some fixes and extensions to my original patches and I saw a commit on Friday before some fixes and extensions were in place. Can someone point me to exactly what I need to git to get the current version of freeradius with the patches so I can do some testing at our site? TIA. johnh... On Mon, 11 Apr 2011, Phil Mayers wrote: Date: Mon, 11 Apr 2011 08:45:13 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is password expired and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: Can someone point me to exactly what I need to git to get the current version of freeradius with the patches so I can do some testing at our site? http://git.freeradius.org Grab the v2.1.x branch. Read raddb/modules/mschap, and raddb/eap.conf, the mschapv2 section. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: With send_error = yes, the client just hangs (and in fact crashed my phone several times) Nice to know! Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 11/04/11 11:22, Phil Mayers wrote: On 10/04/11 15:41, James J J Hooper wrote: This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); It's actually a bit more complex; the new challenge is being generated inside rlm_mschap as part of the error, but AFACIT rlm_eap_mschapv2 needs to know it, so that it can add it to the fake request which it then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute. This would also get us part of the way there to password change via mschap (Samba currently lacks the specific API call to do this, with the values available in an MSCHAP CPW packet, but it might be possible to compile a C helper which does it...) The attached patch against git v2.1.x branch makes EAP-MSCHAPV2 retry work for me. It needs a bit of work, specifically there should be a: num_retries ...parameter, and the EAP module should keep track of retry attempt counts, and stop when either: try_number num_retries or R=0 in the MS-CHAP-Error attribute Also, I pulled the EAP-MSCHAPV2 state machine to bits, so I'm not sure it should go into 2.1.11 - there's probably not enough testing time. It works for a Windows XP SP3 client here, as well as with a jury-rigged eapol_test/wpa_cli combo. I'll spin up an SSID and give it a try with real clients later today. Of note: this gets us nearer to MS-CHAP change-password functionality; I've looked into this a couple of times recently and Samba has almost all the bits required to make it work... However, that would require some infrastructure for the server to override the MS-CHAP error code, currently hard-coded at 691 - 648 is password expired and would need to be set, either by parsing the output of ntlm_auth (for those that use it) or from some SQL/database attribute (for those using Cleartext/NT-Password) retry.patch.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 11/04/11 14:45, Phil Mayers wrote: I'll spin up an SSID and give it a try with real clients later today. Regrettably I can report that this does not work with Symbian. With send_error = no, incorrect username/password reports EAP/PEAP authentication failed With send_error = yes, the client just hangs (and in fact crashed my phone several times) :o( - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. I've deleted the setting of the EAP code. It's set in the compose function to eap request. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/09/2011 06:18 PM, James J J Hooper wrote: On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... Yup. I've just pushed some changes to the git v2.1.x branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Hi Alan, I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12 All, People might find this helpful; if you send an invalid password for an otherwise-active account, Windows 2008R2 NPS sends an EAP request, containing an MS-CHAP error with R=1 and does *not* end the EAP/PEAP session - I am assuming a windows client could, in this case, re-try MS-CHAP without restarting the PEAP session, using the challenge sent in the MS-CHAP error. eapol_test shows this for the final packket: decapsulated EAP packet (code=1 id=7 len=91) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=7 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=91) - Flags 0x00 EAP-PEAP: received 85 bytes encrypted data for Phase 2 EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=53): 1a 04 06 00 34 45 3d 36 39 31 20 52 3d 31 20 43 3d 36 37 46 43 33 44 45 32 30 38 31 30 45 33 34 35 37 41 30 41 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33 EAP-PEAP: received Phase 2: code=1 identifier=7 length=57 EAP-PEAP: Phase 2 Request: type=26 EAP-MSCHAPV2: RX identifier 7 mschapv2_id 6 EAP-MSCHAPV2: Received failure EAP-MSCHAPV2: Failure data - hexdump_ascii(len=48): 45 3d 36 39 31 20 52 3d 31 20 43 3d 36 37 46 43 E=691 R=1 C=67FC 33 44 45 32 30 38 31 30 45 33 34 35 37 41 30 41 3DE20810E3457A0A 39 41 37 34 42 43 37 45 31 30 45 32 20 56 3d 33 9A74BC7E10E2 V=3 EAP-MSCHAPV2: error 691 EAP-MSCHAPV2: retry is allowed EAP-MSCHAPV2: failure challenge - hexdump(len=16): 67 fc 3d e2 08 10 e3 45 7a 0a 9a 74 bc 7e 10 e2 EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: '' (retry allowed, error 691) EAPOL: EAP parameter needed EAPOL: EAP parameter needed I will try with a windows client on Monday; I suspect it'll continue inside the existing PEAP tunnel with a retry since R=1, which means if we want to get the right behaviour as defined by the Microsoft implementation (PEAP is after all their protocol) we might be doing the wrong thing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. -James p4.txt.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pop's up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pop's up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png ...Although, when you correct the password in the 'allow_retry = yes popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamalieneap-bris-sha-ca] Failed in EAP select ++[eduroamalieneap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel) } # server eduroamalien-inner [peap] Got tunneled reply code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected. [peap] FAILURE -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: Also, args to pairmove2 are wrong way around, as attached. Applied, thanks. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: ...Although, when you correct the password in the 'allow_retry = yes popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received *** Ah... it's supposed to try the MS-CHAP stuff again. Nice! I'm travelling to networkshop soon, but I'll see if I poke at it this week. If I'm right, the fix should be pretty simple. But it will need to be tested by people. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 10/04/2011 12:57, James J J Hooper wrote: On 10/04/2011 12:39, James J J Hooper wrote: On 10/04/2011 12:16, James J J Hooper wrote: On 10/04/2011 07:03, Alan DeKok wrote: James J J Hooper wrote: I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? Yes, thanks. Also, args to pairmove2 are wrong way around, as attached. After that last change (p4.txt.gz), I think it's now doing the right thing: * wpa_supplicant output matches Phil's (against W2k8 NPS), with the exception that M=... is always present. * With allow_retry = no, XP pop's up the usual 'enter credentials...' bubble, and box. * With allow_retry = yes, XP pops a click to process credentials bubble, then a type your password again box: http://www.wireless.bris.ac.uk/gfx/random/xp--retry-is-yes.png ...Although, when you correct the password in the 'allow_retry = yes popup, I don't think FR has got the bit to handle that yet: Found Auth-Type = eduroamalieneap-bris-sha-ca # Executing group from file /usr/local/etc/raddb/sites-enabled/eduroamalien-inner +- entering group eduroamalieneap-bris-sha-ca {...} [eduroamalieneap-bris-sha-ca] Request found, released from the list [eduroamalieneap-bris-sha-ca] EAP/mschapv2 [eduroamalieneap-bris-sha-ca] processing type mschapv2 rlm_eap_mschapv2: Unexpected response received *** [eduroamalieneap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamalieneap-bris-sha-ca] Failed in EAP select ++[eduroamalieneap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect: [jh176...@bris.ac.uk] (from client JamesJJ port 256 cli 00-1a-4d-35-b0-5a via TLS tunnel) } # server eduroamalien-inner [peap] Got tunneled reply code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 EAP-Message = 0x040c0004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected. [peap] FAILURE I think it needs two things now: 1) Something like: @@ -433,8 +433,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) * a challenge. */ case PW_EAP_MSCHAPV2_RESPONSE: - if (data-code != PW_EAP_MSCHAPV2_CHALLENGE) { - radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received); + if ((data-code != PW_EAP_MSCHAPV2_CHALLENGE) (data-code != PW_EAP_MSCHAPV2_FAILURE)) { + radlog(L_ERR, rlm_eap_mschapv2: Unexpected response received: %d, data-code); return 0; } ... because the response to our MSCHAPV2_FAILURE seems to be a MSCHAPV2_FAILURE 2) if (inst-retry_msg) { snprintf(buffer + 9, sizeof(buffer), C=); for (i = 0; i 16; i++) { snprintf(buffer + 12 + i*2, sizeof(buffer), %02x, fr_rand() 0xff); } This C=random needs to be saved and eventually make it's way in to data-challenge so that the line lower down: memcpy(challenge-vp_strvalue, data-challenge, MSCHAPV2_CHALLENGE_LEN); has the correct challenge, and can then process the clients retry correctly? (help, I havn't managed to work out the mechanism from the current challenge generation bits yet!) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 08/04/2011 08:54, Alan DeKok wrote: Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... Yup. I've just pushed some changes to the git v2.1.x branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Hi Alan, I've may have mis-understood the code, but I think the EAP MS-CHAP-v2 Failure packet, should be an EAP *request* (currently it's EAP failure)?? http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12 ...as per attached diff? -James p3.txt.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: It works on Mac OS and iOS, but I havn't been able to get it to work as expected on XP or Win7: * Win7 does as it did before That's not all bad. * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' message. That's not good. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? I'll put some fixes into git v2.1.x branch later today, I think. Changing the EAP-MSCHAP state machine worries me. It works now, so doing something *different* is a potential source of problems. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/08/2011 08:26 AM, Alan DeKok wrote: James J J Hooper wrote: It works on Mac OS and iOS, but I havn't been able to get it to work as expected on XP or Win7: * Win7 does as it did before That's not all bad. * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' message. That's not good. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? I'll put some fixes into git v2.1.x branch later today, I think. Changing the EAP-MSCHAP state machine worries me. It works now, so doing something *different* is a potential source of problems. +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... I also think that, if we're aiming to make the behaviour better we should take a careful look at what IAS/NPS does; we maintain a for comparison server for just such cases, and I'll try to have a look today. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... Yup. I've just pushed some changes to the git v2.1.x branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: MS-CHAP-V2 with no retry
A couple of comments on how clients behave: o It was my impression based on comments from our support area that the unpatched code (which does not follow the rfc) serving a windows client presented the user with a dialogue box on failure. I have not tested this. I assumed that if windows could deal reasonably with a server which did not follow the rfc they could also work with one that did (possibly wrong assumption - but they are the ones which wrote the rfc). o It is known that various versions of the mac client fail in different respects - however they seem to fail consistently in that if retry is allowed they fail to increment the ID when retrying - on the MS radius server discards the retry because it is not following the protocol. You can get macs to play by configuring the server to not allow retries. So if you are going to test macs on the MS radius server you might try both with retry and without retry. o In this case it appears that in this case there have been more issues with mac wpa_clients than windows wpa_clients. o Testing of both windows and mac with out the patch and with the patch need to be done. johnh... From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Friday, April 08, 2011 2:54 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry Phil Mayers wrote: +1 - In my experience it's necessary to cater for windows' weirdness *first*. Most other clients have sane behaviours. I'm concerned about the we didn't do much windows testing line... Yup. I've just pushed some changes to the git v2.1.x branch. See: raddb/modules/mschap - allow_retry - retry_msg raddb/eap.socn - send_error The default is no change. See the documentation for how to test the new features. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like: E=ee R=r C= V=vv M=msg where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to be have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759. This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: == Comments o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe: 1) no more lockouts 2) Mac/Iphones users are now presented with a dialog box where they can update their password. o Code: a) I don't like the 100 character msg variable - there is probably a better way to do this. b) There is probably a function in free radius library to do the sprintf which should be used. c) samba locked accounts should probably have a similar message generated if they are mschapv2. I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases. Hi John, I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test). Attached are the two 'git diff' that I ended up with. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk http://www.jamesjj.net -- index c512018..3f3fc46 100644 --- a/src/modules/rlm_mschap/rlm_mschap.c +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -1239,9 +1239,21 @@ static int mschap_authenticate(void * instance, REQUEST *request) response-vp_octets + 26, nthashhash, do_ntlm_auth) 0) { RDEBUG2(FAILED: MS-CHAP2-Response is incorrect); + + /* JCH - changes to include challenge and message */ +char msg[100]; +strcpy(msg, E=691 R=0 C=); +int i, offset = strlen(msg); +char *ptr = msg[offset]; +for (i=0; i16; i++, ptr+=2) { + sprintf(ptr, %02X, response-vp_octets[i+2]); +} +*ptr = 0; +strcat(msg, V=3 M=May Need to reset cached password); + mschap_add_reply(request, request-reply-vps, *response-vp_octets, -MS-CHAP-Error, E=691 R=1, 9); +MS-CHAP-Error, msg, strlen(msg)); return RLM_MODULE_REJECT; } index bdf4668..051fe71 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c @@ -195,7 +195,9 @@ static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply) case
Re: MS-CHAP-V2 with no retry
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper jjj.hoo...@bristol.ac.uk wrote: Attached are the two 'git diff' that I ended up with. gzipped so they don't get messed up. -James p1.txt.gz Description: Binary data p2.txt.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
hi, this would be great to get into 2.1.11 release if possible if not 2.1.12 or 2.2.x as it solves one of our current problems of devices configured for our roaming SSID continually trying to authenticate to the system even if the user no longer exists - currently they just keep on and on and on... this will 'break' their settings until they put in new details (which they cant if no longer a member able to use the roaming SSID alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 07/04/2011 13:33, James J J Hooper wrote: --On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote: List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like: E=ee R=r C= V=vv M=msg where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to be have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759. This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: == Comments o Results: We have implemented this patch (along with the configuration change edir_account_policy_check=no) and observe: 1) no more lockouts 2) Mac/Iphones users are now presented with a dialog box where they can update their password. o Code: a) I don't like the 100 character msg variable - there is probably a better way to do this. b) There is probably a function in free radius library to do the sprintf which should be used. c) samba locked accounts should probably have a similar message generated if they are mschapv2. I would be happy if someone could look over these patches and incorporate the ideas into freeradius for future releases. Hi John, I had trouble applying the patches to 2.1.x git -- maybe because they got mushed during the email process. Adding the bits by hand seemed to work, and I can confirm the result is as you describe on an iPhone (that's all I had to hand to test). Attached are the two 'git diff' that I ended up with. Hi John, It works on Mac OS and iOS, but I havn't been able to get it to work as expected on XP or Win7: * Win7 does as it did before * XP: The [builtin] supplicant gets stuck at the 'tryng to authenticate' message. Could you forward your patches gzipped [so they don't get mangled] so I can verify I have patched the source correctly? Regards, James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On Wed, 9 Mar 2011, Alan DeKok wrote: Date: Wed, 9 Mar 2011 01:25:10 From: Alan DeKok al...@deployingradius.com Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry John Hayward wrote: Any idea of the time frame? A long time. Should I spend my time looking at the code and proposing a patch? Sure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I don't know if this should be sent to the developers list instead. === Background === When there is a failure of the client to match the challenge of the server: According to rfc2759 a failure packet in section 6 a failure packet includes a message like: E=ee R=r C= V=vv M=msg where E is the error code, R 1/0 allow/disallow retry C an ascii version of the challenge V=3 and M= some text message. After this mschap failure message is sent by the server an acknowledgment which seems to be have a failure code should be returned from the client. At that point the server can close the eap connection with a failure. What the 2.1.10 code (and earlier) appears to do is after mschap is detected immediately close the eap connection with a failure. The effect for windows XP/7 machines connecting wirelessly using mschapv2 is that they are presented with a dialog box and can enter new credentials. What happens with mac/iphones/androids/ubuntu is that they appear to be confused and time out and re-send (at various rates) authentication attempts without presenting a dialog box to the user. For some environments (such as using Novell NDS to authenticate) if configured modules/ldap edir_account_policy_check=yes then these repeated failures result in account lock outs. Scenario: Institution requires periodic change of password - user uses a web site to change password - user forgets to update their mac/iphone/android - user turns on their mac/iphone/android - shortly after user cannot access any resources (such as blackboard/portal etc) because their account is locked out. == proposed fix Modify freeradius to follow rfc2759. This requires patches to two source files: o src/modules/rlm_mschap/rlm_mschap.c to include a message which conforms to rfc2759 o src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c to use the response created by rlm_mschap.c and send that back, also accept an authentication failure acknowledgment before sending eap failure packet. Below are the diffs: === rlm_mschap.c (from src/modules/rlm_mschap/) 1242,1252c1242 /* JCH - changes to include challenge and message */ char msg[100]; strcpy(msg, E=691 R=0 C=); int i, offset = strlen(msg); char *ptr = msg[offset]; for (i=0; i16; i++, ptr+=2) { sprintf(ptr, %02X, response-vp_octets[i+2]); } *ptr = 0; strcat(msg, V=3 M=May Need to reset cashed password ); mschap_add_reply(request, request-reply-vps, --- mschap_add_reply(request, request-reply-vps, 1254c1244 MS-CHAP-Error, msg, strlen(msg)); --- MS-CHAP-Error, E=691 R=1, 9); 1299d1288 /* JCH should we check for MS-CHAPV2 and modify the reply to include challenge ? */ from /src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c 198c198,200 length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN; --- /* JCH need to be change length to work with full v2 message */ //length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN; length = 4 + reply-length-1; 215c217,222 memcpy((eap_ds-request-type.data + 4), MSCHAPV2_FAILURE_MESSAG E, MSCHAPV2_FAILURE_MESSAGE_LEN); --- /* JCH need to copy the failure message from mschapv2 - it contains ascii version of the challenge C=... */ memcpy((eap_ds-request-type.data + 4), (reply-vp_strvalue+1), (reply-length-1)); //MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN); 487a495,505 /*JCH added - is this is an ack of a failure message */ case PW_EAP_MSCHAPV2_FAILURE: if (data-code != PW_EAP_MSCHAPV2_FAILURE) { radlog(L_ERR, rlm_eap_mschapv2: Unexpected FAILURE received); return 0; } //JCH needed??? handler-request-options = ~RAD_REQUEST_OPTION _PROXY_EAP; eap_ds-request-code = PW_EAP_FAILURE; return 1; break; 658a677,680 /* JCH this is in response to the failure ack - return failure packet - don't return
RE: MS-CHAP-V2 with no retry
Any idea of the time frame? Should I spend my time looking at the code and proposing a patch? johnh... From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org [freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on behalf of Alan DeKok [al...@deployingradius.com] Sent: Saturday, March 05, 2011 12:23 AM To: FreeRadius users mailing list Subject: Re: MS-CHAP-V2 with no retry john.hayw...@wheaton.edu wrote: 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was a response sent back to the client but there was no message in the response. It's more complicated. The server would send EAP-Failure, and nothing else. 2) The patch given resolves that problem - giving the message of the rlm_mschap.c module of E=691 R=1 On closer inspection, the patch doesn't resolve anything. It still sends an EAP-Failure. It should instead send an EAP-Response with EAP-MSCHAPv2-Failure, and the E=691 R=1 failure code. After the client has ACKed that, it should *then* send EAP-Failure. i.e. fixing it is likely a fair bit more work. 3) It is possible to configure in radius.conf the message on failure by: No. That sends back an MS-CHAP-Error. The code has to package that MS-CHAP-Error into an EAP sub-type, and send it back to the client in an *additional* request/response round trip, before finally sending EAP-Failure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
John Hayward wrote: Any idea of the time frame? A long time. Should I spend my time looking at the code and proposing a patch? Sure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. The answer here is to use a database. FreeRADIUS doesn't keep track of any long-term data. It uses a database. If a no retries failed authentication message (E=691 R=0) is sent I believe that that the apple device to re-prompt the user to update the password. If you want to set E=691 R=0, you can use unlang in the post-auth-type Reject section to re-write the attribute. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. Ah gotcha. Thanks for the detail! As Alan has suggested in his other email, you can change the MS-CHAP-Error in the post-auth section: post-auth { Post-Auth-Type REJECT { if (reply:MS-CHAP-Error =~ /E=691 R=1/) { update reply { MS-CHAP-Error := E=691 R=0 } } } } If a no retries failed authentication message (E=691 R=0) is sent I believe that that the apple device to re-prompt the user to update the password. ...but I'm not sure this will work. The reason being, if you're using wireless you're probably using PEAP/MS-CHAP. This is actually EAP-PEAP outer, and EAP-MSCHAP inner - that is, it is *not* raw mschap inside the tunnel. The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 ...ignoring any errors the mschap module might have generated. So in theory at least, FreeRadius is already doing what you want for EAP-MSCHAP, and changing it won't help. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On 04 March 2011 10:46 +0100 Alan DeKok al...@deployingradius.com wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. What I do see is that it doesn't copy the MS-CHAP-Error into the TLS tunnel. That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. eap.diff.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. Hi Alan, Compile error ( result of patch .c attached): Making all in rlm_eap_mschapv2... gmake[9]: Entering directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2' /usr/local/dnsnode/src/radiusd/20110105/freeradius-server/libtool --mode=compile gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c mkdir .libs gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -g -Wshadow -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -W -Wredundant-decls -Wundef -I/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src -I../.. -I../../libeap -c rlm_eap_mschapv2.c -fPIC -DPIC -o .libs/rlm_eap_mschapv2.o rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' gmake[9]: *** [rlm_eap_mschapv2.lo] Error 1 gmake[9]: Leaving directory `/usr/local/dnsnode/src/radiusd/20110105/freeradius-server/src/modules/rlm_eap/types/rlm_eap_mschapv2' gmake[8]: *** [rlm_eap_mschapv2] Error 2 -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- rlm_eap_mschapv2.c--new1.gz Description: Binary data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 12:04:51 + James J J Hooper jjj.hoo...@bristol.ac.uk wrote: --On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok al...@deployingradius.com wrote: James J J Hooper wrote: That could be fixed for 2.1.11, I guess. If someone can test it... Yes please, and will do. Try this patch. You should see MSCHAP Failure in the debug log, where it wasn't there before. Try it for normal accounts which are locked out (SMB-Account-Ctrl = 1024) Alan DeKok. Hi Alan, Compile error ( result of patch .c attached): rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) -James - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On 04/03/11 09:46, Alan DeKok wrote: Phil Mayers wrote: The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message: E=691 R=0 Really? I don't see that. Isn't that what this code does in rlm_eap_mschapv2.c: static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *reply) { ... case PW_MSCHAP_ERROR: DEBUG2(MSCHAP Failure\n); length = 4 + MSCHAPV2_FAILURE_MESSAGE_LEN; memcpy((eap_ds-request-type.data + 4), MSCHAPV2_FAILURE_MESSAGE, MSCHAPV2_FAILURE_MESSAGE_LEN); ...and MSCHAPV2_FAILURE_MESSAGE is defined in eap_mschapv2.h: #define MSCHAPV2_FAILURE_MESSAGE E=691 R=0 #define MSCHAPV2_FAILURE_MESSAGE_LEN 9 Perhaps I'm mis-reading it? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) Then you're using the git master branch, and not 2.1.x. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Phil Mayers wrote: On 04/03/11 09:46, Alan DeKok wrote: Isn't that what this code does in rlm_eap_mschapv2.c: It's *supposed* to add the error message. But so far as I can see, it's never called when the PW_MSCHAP_ERROR is used. Perhaps I'm mis-reading it? Nope. It's just never used. Anyways, due to that (and other) issues, I've attached a new patch. That *should* just re-use the MS-CHAP-Error string from the MS-CHAP module, without over-writing it with a fixed error. Alan DeKok. eap.diff.gz Description: GNU Zip compressed data - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
Alan DeKok wrote: James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) Then you're using the git master branch, and not 2.1.x. Nope, my mistake. See the recent message for a better patch. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok al...@deployingradius.com wrote: Alan DeKok wrote: James J J Hooper wrote: rlm_eap_mschapv2.c: In function `mschapv2_authenticate': rlm_eap_mschapv2.c:658: error: called object is not a function rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2' I've added the missing comma, and it's building now :-) Then you're using the git master branch, and not 2.1.x. Nope, my mistake. See the recent message for a better patch. *** With a bad password it does: [eduroamlocalmschap] expand: --nt-response=%{eduroamlocalmschap:NT-Response} - --nt-response=58a58ef81a7975443ce2f2ea61d6e66b11974cd3fbbf2b2d Exec-Program output: Logon failure (0xc06d) Exec-Program-Wait: plaintext: Logon failure (0xc06d) Exec-Program: returned: 1 [eduroamlocalmschap] External script failed. [eduroamlocalmschap] FAILED: MS-CHAP2-Response is incorrect ++[eduroamlocalmschap] returns reject rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found. [eduroamlocaleap-bris-sha-ca] Handler failed in EAP/mschapv2 [eduroamlocaleap-bris-sha-ca] Failed in EAP select ++[eduroamlocaleap-bris-sha-ca] returns invalid Failed to authenticate the user. Login incorrect (eduroamlocalmschap: External script says Logon failure (0xc06d)): [jh1...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel) } # server eduroamlocal-inner [peap] Got tunneled reply code 3 MS-CHAP-Error = \tE=691 R=1 EAP-Message = 0x04090004 Message-Authenticator = 0x [peap] Got tunneled reply RADIUS code 3 MS-CHAP-Error = \tE=691 R=1 EAP-Message = 0x04090004 Message-Authenticator = 0x [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eduroamlocaleap-bris-sha-ca] returns handled *** With a locked out user it does: server eduroamlocal-inner { Exec-Program output: Account locked out (0xc234) Exec-Program-Wait: plaintext: Account locked out (0xc234) Exec-Program: returned: 1 rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found. Login incorrect (eduroamlocalmschap: External script says Account locked out (0xc234)): [jh176...@bris.ac.uk] (from client custard-66 port 0 cli 99-88-77-66-55-44 via TLS tunnel) } # server eduroamlocal-inner MS-CHAP-Error = \007E=691 R=1 EAP-Message = 0x04070004 Message-Authenticator = 0x MS-CHAP-Error = \007E=691 R=1 EAP-Message = 0x04070004 Message-Authenticator = 0x attr_filter: Matched entry DEFAULT at line 1 Sending Access-Challenge of id 7 to 137.222.253.66 port 48817 EAP-Message = 0x0108002b19001703010020bfba7af9865436c3cbcd179868046228adb578769d6312fd4cb3caaf3626edc0 Message-Authenticator = 0x State = 0x2183e4ed268bfd6e277ccbd19a06e21c * Also, each time MS-CHAP-Error seems to be prefixed with a character - Is that intended? -James -- James J J Hooper Network Specialist, University of Bristol http://www.wireless.bristol.ac.uk -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
James J J Hooper wrote: ... *** With a locked out user it does: server eduroamlocal-inner { Exec-Program output: Account locked out (0xc234) Exec-Program-Wait: plaintext: Account locked out (0xc234) Exec-Program: returned: 1 rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-Error was found. Login incorrect (eduroamlocalmschap: External script says Account locked But that doesn't set SMB-Acct-Ctrl = 0x400. That's needed for the rlm_mschap module. * Also, each time MS-CHAP-Error seems to be prefixed with a character - Is that intended? Yes. It's how MS-CHAP works. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
See comments below - johnh... Phil Mayers wrote: On 04/03/11 09:46, Alan DeKok wrote: Isn't that what this code does in rlm_eap_mschapv2.c: It's *supposed* to add the error message. But so far as I can see, it's never called when the PW_MSCHAP_ERROR is used. Perhaps I'm mis-reading it? Nope. It's just never used. Anyways, due to that (and other) issues, I've attached a new patch. That *should* just re-use the MS-CHAP-Error string from the MS-CHAP module, without over-writing it with a fixed error. Is this a proper statement of the summary of where we are: 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was a response sent back to the client but there was no message in the response. 2) The patch given resolves that problem - giving the message of the rlm_mschap.c module of E=691 R=1 3) It is possible to configure in radius.conf the message on failure by: post-auth { Post-Auth-Type REJECT { if (reply:MS-CHAP-Error =~ /E=691 R=1/) { update reply { MS-CHAP-Error := E=691 R=0 } } } } Let me know where I am wrong in these assertions. I will try to test the patch in our environment and let the results be known next week. johnh... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote: 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was a response sent back to the client but there was no message in the response. It's more complicated. The server would send EAP-Failure, and nothing else. 2) The patch given resolves that problem - giving the message of the rlm_mschap.c module of E=691 R=1 On closer inspection, the patch doesn't resolve anything. It still sends an EAP-Failure. It should instead send an EAP-Response with EAP-MSCHAPv2-Failure, and the E=691 R=1 failure code. After the client has ACKed that, it should *then* send EAP-Failure. i.e. fixing it is likely a fair bit more work. 3) It is possible to configure in radius.conf the message on failure by: No. That sends back an MS-CHAP-Error. The code has to package that MS-CHAP-Error into an EAP sub-type, and send it back to the client in an *additional* request/response round trip, before finally sending EAP-Failure. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be conigured as to how many retries were allowed before returning authentication failure with no retry? Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP? Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether change password means user tries again with a different password string or user executes the change-password protocol because their old one has expired) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: MS-CHAP-V2 with no retry
On Thu, 3 Mar 2011, Phil Mayers wrote: Date: Thu, 3 Mar 2011 17:09:42 From: Phil Mayers p.may...@imperial.ac.uk Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org To: freeradius-users@lists.freeradius.org Subject: Re: MS-CHAP-V2 with no retry It has been reported that if the Microsoft NPS server is configured for no retries (E=691 R=0) that mac/iphones/ipads then act like windows xp machines in that they report to the user that the password needs attention. Would it be possible to modify rlm_mschap.c to be conigured as to how many retries were allowed before returning authentication failure with no retry? Obviously it's possible. It's not clear it would help though; are you using plain MS-CHAP or EAP-MSCHAP? EAP-MSCHAP Can you explain what you're trying to accomplish; I didn't really understand your email in full (not sure what the stuff about Macs was all about; not sure whether change password means user tries again with a different password string or user executes the change-password protocol because their old one has expired) We have most things (portal authentication, blackboard, wireless) using freeradius with Novell NDSLdap for authentication. We also have a password change policy which requires user periodically change their password. They can most easily do so by going to a website set up for that. Here is the sequence of events which leads to a heavy support load. 1) User initially set up their wireless connection using a current password. 2) The device caches the password. 3) The user operates for a long period of time without issue. 4) The user is notified their password will expire in a short time in the future by e-mail - telling them to change their password at the password change web site. 5) The user goes to the password change web site and changes their password. 6) After the password change has occurred - When the user attempts to connect to the wireless network: a) for wireless Windows running xp they see a message indicating they need to re-enter their password for the computer (the cashed old password no longer works) and the user enters the current password and life goes on. *** b) for wireless apple devices (os 10.6, iphones, ipads) they get no such message the device just keeps trying to authenticate and failing without prompting the user - after a certain number of failures the Novell NDS Ldap locks the user because intruder lock out facility. Now the user cannot login to systems which use uses NDSLdap authentication. User shows up at support center confused. It is known that the apple supplicant fails to increment the ID on the retry which is required by the MS-CHAP protocol. At least one person report that if the radius server responds with a failed authentication error message (E=691 R=0) - which indicates the client should not retry - causes the apple device to prompt the user for a new password. This is the same behavior which windows xp users see. I am not asking that freeradius server be used to change the password. I am asking that it be configurable as to how many retries are allowed (eg how many E=691 R=1) before a no retries failed authentication message (E=691 R=0) is sent. If a no retries failed authentication message (E=691 R=0) is sent I believe that that the apple device to re-prompt the user to update the password. johnh... - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html