From: Alan T. DeKok Date: Fri, 8 Apr 2011 07:36:49 +0000 (+0200) Subject: Make error sending configurable X-Git-Tag: release_2_1_11~58 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34e73164cda240483d51ff8360801706da85d797;p=thirdparty%2Ffreeradius-server.git Make error sending configurable --- diff --git a/raddb/eap.conf b/raddb/eap.conf index 9938accec15..4c9a661db47 100644 --- a/raddb/eap.conf +++ b/raddb/eap.conf @@ -615,5 +615,22 @@ # currently support. # mschapv2 { + # Prior to version 2.1.11, the module never + # sent the MS-CHAP-Error message to the + # client. This worked, but it had issues + # when the cached password was wrong. The + # server *should* send "E=691 R=0" to the + # client, which tells it to prompt the user + # for a new password. + # + # The default is to behave as in 2.1.10 and + # earlier, which is known to work. If you + # set "send_error = yes", then the error + # message will be sent back to the client. + # This *may* help some clients work better, + # but *may* also cause other clients to stop + # working. + # +# send_error = no } } diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/eap_mschapv2.h b/src/modules/rlm_eap/types/rlm_eap_mschapv2/eap_mschapv2.h index bd4fc4a10bd..96cba416f6f 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/eap_mschapv2.h +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/eap_mschapv2.h @@ -34,8 +34,6 @@ RCSIDH(eap_mschapv2_h, "$Id$") #define MSCHAPV2_CHALLENGE_LEN 16 #define MSCHAPV2_RESPONSE_LEN 50 -#define MSCHAPV2_FAILURE_MESSAGE "E=691 R=0" -#define MSCHAPV2_FAILURE_MESSAGE_LEN 9 typedef struct mschapv2_header_t { uint8_t opcode; uint8_t mschapv2_id; diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c index 91b50bc8156..bd743c9ef7c 100644 --- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c +++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c 
@@ -34,12 +34,16 @@ RCSID("$Id$") typedef struct rlm_eap_mschapv2_t { int with_ntdomain_hack; + int send_error; } rlm_eap_mschapv2_t; static CONF_PARSER module_config[] = { { "with_ntdomain_hack", PW_TYPE_BOOLEAN, offsetof(rlm_eap_mschapv2_t,with_ntdomain_hack), NULL, "no" }, + { "send_error", PW_TYPE_BOOLEAN, + offsetof(rlm_eap_mschapv2_t,send_error), NULL, "no" }, + { NULL, -1, 0, NULL, NULL } /* end the list */ }; @@ -382,6 +386,7 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) mschapv2_opaque_t *data; EAP_DS *eap_ds = handler->eap_ds; VALUE_PAIR *challenge, *response, *name; + rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg; rad_assert(handler->request != NULL); rad_assert(handler->stage == AUTHENTICATE); @@ -586,7 +591,6 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) if (handler->request->options & RAD_REQUEST_OPTION_PROXY_EAP) { char *username = NULL; eap_tunnel_data_t *tunnel; - rlm_eap_mschapv2_t *inst = (rlm_eap_mschapv2_t *) arg; /* * Set up the callbacks for the tunnel @@ -669,11 +673,15 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler) pairmove2(&response, &handler->request->reply->vps, PW_MSCHAP2_SUCCESS); data->code = PW_EAP_MSCHAPV2_SUCCESS; - } else { + + } else if (inst->send_error) { eap_ds->request->code = PW_EAP_FAILURE; pairmove2(&handler->request->reply->vps, &response, PW_MSCHAP_ERROR); data->code = PW_EAP_MSCHAPV2_FAILURE; + } else { + eap_ds->request->code = PW_EAP_FAILURE; + return 1; } /*
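Review bot: The new `send_error` member of `rlm_eap_mschapv2_t` and its `module_config` entry have no comment, so the source does not say what the flag controls or that the default of "no" keeps the earlier behaviour. Going by the last hunk of this file, I would add `/* on auth failure, pass MS-CHAP-Error back to the client instead of ending with a plain EAP-Failure */` next to `int send_error;`. The explanation currently exists only in raddb/eap.conf, which a reader of the module may not have open.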
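Review bot: In the `else if (inst->send_error)` branch the `pairmove2()` call has its first two arguments in the opposite order from the success branch just above it, so it moves `PW_MSCHAP_ERROR` out of `response` and into `handler->request->reply->vps` rather than the other way round. If `response` is still empty at this point (its earlier handling is outside the hunk), no MS-CHAP-Error attribute is collected and `send_error = yes` would probably not deliver the error to the client. The call was written this way before the commit, but the new branch now depends on it; it should likely read `pairmove2(&response, &handler->request->reply->vps, PW_MSCHAP_ERROR);`. The body of `mschapv2_authenticate` continues past the hunk, so what is done with `response` afterwards should be confirmed there.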