EAP-MSCHAPv2 peer: Add option to disable password retry query
wpa_supplicant used to prompt the user to re-enter the username/password if the server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2) authentication failed (E=691), but retry is allowed (R=1). This is a reasonable default behavior, but there may be cases where it is more convenient to close the authentication session immediately rather than wait for the user to respond. Add a new "mschapv2_retry=0" option to the phase2 field to allow the retry behavior to be disabled. This will make wpa_supplicant abort the authentication attempt on E=691 regardless of whether the server allows retry. Signed-off-by: Jouni Malinen <j@w1.fi>
		
							parent
							
								
									f4cd0f6454
								
							
						
					
					
						commit
						49fcc32e91
					
				
					 3 changed files with 12 additions and 2 deletions
				
			
		|  | @ -425,7 +425,9 @@ struct eap_peer_config { | |||
| 	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters | ||||
| 	 * | ||||
| 	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or | ||||
| 	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. | ||||
| 	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can | ||||
| 	 * be used to disable MSCHAPv2 password retry in authentication failure | ||||
| 	 * cases. | ||||
| 	 */ | ||||
| 	char *phase2; | ||||
| 
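Review bot: The new sentence in the phase2 field documentation does not say which failure it applies to, so a reader cannot tell that "mschapv2_retry=0" only changes behavior when the server reports an authentication failure and explicitly permits a retry. Per the commit message this is the E=691 with R=1 case; the comment should say so, e.g. `"mschapv2_retry=0" can be used to make the peer abort on an MSCHAPv2 authentication failure (E=691) even when the server allows a password retry (R=1).` The struct eap_peer_config definition continues outside this hunk.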
 | ||||
|  |  | |||
|  | @ -472,6 +472,13 @@ static int eap_mschapv2_failure_txt(struct eap_sm *sm, | |||
| 		pos += 2; | ||||
| 		msg = pos; | ||||
| 	} | ||||
| 	if (data->prev_error == ERROR_AUTHENTICATION_FAILURE && retry && | ||||
| 	    config && config->phase2 && | ||||
| 	    os_strstr(config->phase2, "mschapv2_retry=0")) { | ||||
| 		wpa_printf(MSG_DEBUG, | ||||
| 			   "EAP-MSCHAPV2: mark password retry disabled based on local configuration"); | ||||
| 		retry = 0; | ||||
| 	} | ||||
| 	wpa_msg(sm->msg_ctx, MSG_WARNING, | ||||
| 		"EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error " | ||||
| 		"%d)", | ||||
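Review bot: The `os_strstr(config->phase2, "mschapv2_retry=0")` lookup is a plain substring match, so it does not respect field boundaries and would also fire for a value such as `mschapv2_retry=0x` or for the token appearing inside another field; if other phase2 lookups in this file use the same substring style (not visible in this hunk) that is consistent, but a short comment should state the limitation, e.g. `/* Plain substring match, same as other phase2 field lookups; no value validation */`. Note also that once `retry` is forced to 0 the MSG_WARNING line that follows prints "retry not allowed" even though the server sent R=1; the MSG_DEBUG line above is the only record that this was a local decision, so consider mentioning "(local override)" in the warning or documenting that the debug line is the place to look. The surrounding function eap_mschapv2_failure_txt starts and ends outside this hunk, and `data->prev_error` is set before the visible lines.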
|  |  | |||
|  | @ -942,7 +942,8 @@ fast_reauth=1 | |||
| #	pbc=1. | ||||
| # phase2: Phase2 (inner authentication with TLS tunnel) parameters | ||||
| #	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or | ||||
| #	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS) | ||||
| #	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be | ||||
| #	used to disable MSCHAPv2 password retry in authentication failure cases. | ||||
| # | ||||
| # TLS-based methods can use the following parameters to control TLS behavior | ||||
| # (these are normally in the phase1 parameter, but can be used also in the | ||||
|  |  | |||
	 Jouni Malinen