MS CHAP V2 - returns ERROR_AUTHENTICATION_FAILURE

Jouni Malinen j at w1.fi
Wed Oct 28 11:01:20 PDT 2015


On Mon, Oct 26, 2015 at 07:09:39PM +0000, Natarajan, Saravana wrote:
> On using the code of wpa_supplicant-2.4 with a valid username and an invalid password,
> the MS-CHAPv2 process eap_mschapv2_process returns the error, and in the function eap_mschapv2_failure, on seeing the error Authentication failure, the retry is not happening.
> Do you have any fix for this issue? Will it need to retry authentication? What needs to be implemented here in the TODO context?
> 
>         } else if (retry && data->prev_error == ERROR_AUTHENTICATION_FAILURE) {
>                 /* TODO: could try to retry authentication, e.g, after having
>                  * changed the username/password. In this case, EAP MS-CHAP-v2
>                  * Failure Response would not be sent here. */
>                 return NULL;
>         }

What kind of use case are you thinking of here? A user re-entering the
username and/or password again during the EAP authentication exchange?
I'm not sure that I would be convinced of that being very helpful and
sufficient justification for the added complexity since you could as
well just run through the full EAP exchange after the new
username/password becomes available. For a case that should not really
happen that frequently, this would need good justification to work in
extending this.

Currently, wpa_supplicant does have an implementation of the MSCHAPv2
password change operation which is a somewhat similar code path, but for a
different use case where that use case actually justified the additional
complexity (needed to be able to change an expired password in some
cases).

-- 
Jouni Malinen                                            PGP id EFC895FA
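
The handling this reply argues for, as an added example that is not part of the original message and is not wpa_supplicant's code: it parses the MS-CHAPv2 failure text in the RFC 2759 format ("E=... R=... C=... V=... M=...") and maps a retryable ERROR_AUTHENTICATION_FAILURE to a fresh full EAP exchange, keeping the in-exchange password change only for an expired password. The struct, the enum names and the have_new_password parameter are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* RFC 2759 error codes; the second name is the one in the quoted code. */
#define ERROR_PASSWD_EXPIRED         648
#define ERROR_AUTHENTICATION_FAILURE 691
/* Hypothetical outcome names and struct, chosen for this example. */
enum next_step { SEND_FAILURE_RESPONSE, PROMPT_AND_RERUN_EAP, CHANGE_PASSWORD };
struct failure_info { long error, retry, version; };

/* Decimal field of exactly len characters, or -1 if it is not a clean number. */
static long field_num(const char *v, size_t len)
{
    char *end;
    long n;
    if (len == 0 || len > 10 || v[0] < '0' || v[0] > '9')
        return -1;
    n = strtol(v, &end, 10);
    return end == v + len ? n : -1;
}

/* Parse "E=691 R=1 C=<32 hex> V=3 M=text". Returns 0, or -1 if malformed. */
int parse_failure(const char *s, struct failure_info *f)
{
    f->error = f->retry = f->version = -1;
    while (*s && !(s[0] == 'M' && s[1] == '=')) {  /* M= text runs to the end */
        size_t len;
        if (*s == ' ') { s++; continue; }
        if (s[1] != '=') return -1;
        len = strcspn(s + 2, " ");
        if (s[0] == 'E') f->error = field_num(s + 2, len);
        else if (s[0] == 'R') f->retry = field_num(s + 2, len);
        else if (s[0] == 'V') f->version = field_num(s + 2, len);
        else if (s[0] != 'C' || len != 32 ||
                 strspn(s + 2, "0123456789abcdefABCDEF") != 32)
            return -1;                  /* unknown key or bad challenge field */
        s += 2 + len;
    }
    return (f->error < 0 || f->retry < 0 || f->retry > 1) ? -1 : 0;
}

/* No in-exchange retry: R=1 with error 691 maps to a fresh full EAP exchange. */
enum next_step decide(const struct failure_info *f, int have_new_password)
{
    if (f->error == ERROR_PASSWD_EXPIRED && f->version == 3 && have_new_password)
        return CHANGE_PASSWORD;
    if (f->retry == 1 && f->error == ERROR_AUTHENTICATION_FAILURE)
        return PROMPT_AND_RERUN_EAP;
    return SEND_FAILURE_RESPONSE;
}
```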


