EAP-MSCHAPv2 peer: Add option to disable password retry query

wpa_supplicant used to request user to re-enter username/password if the server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2) authentication failed (E=691), but retry is allowed (R=1). This is a reasonable default behavior, but there may be cases where it is more convenient to close the authentication session immediately rather than wait for user to do something. Add a new "mschapv2_retry=0" option to the phase2 field to allow the retry behavior to be disabled. This will make wpa_supplicant abort authentication attempt on E=691 regardless of whether the server allows retry. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-11-25 00:38:24 -05:00 · 2015-02-01 17:45:19 +02:00 · 2015-02-01 17:45:19 +02:00 · 49fcc32e91
commit 49fcc32e91
parent f4cd0f6454
3 changed files with 12 additions and 2 deletions
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@ -425,7 +425,9 @@ struct eap_peer_config {
 	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
 	 *
 	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
-	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
+	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
+	 * be used to disable MSCHAPv2 password retry in authentication failure
+	 * cases.
 	 */
 	char *phase2;

--- a/src/eap_peer/eap_mschapv2.c
+++ b/src/eap_peer/eap_mschapv2.c
@ -472,6 +472,13 @@ static int eap_mschapv2_failure_txt(struct eap_sm *sm,
 		pos += 2;
 		msg = pos;
 	}
+	if (data->prev_error == ERROR_AUTHENTICATION_FAILURE && retry &&
+	    config && config->phase2 &&
+	    os_strstr(config->phase2, "mschapv2_retry=0")) {
+		wpa_printf(MSG_DEBUG,
+			   "EAP-MSCHAPV2: mark password retry disabled based on local configuration");
+		retry = 0;
+	}
 	wpa_msg(sm->msg_ctx, MSG_WARNING,
 		"EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error "
 		"%d)",
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@ -942,7 +942,8 @@ fast_reauth=1
 #	pbc=1.
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 #	(string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
-#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
+#	"autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
+#	used to disable MSCHAPv2 password retry in authentication failure cases.
 #
 # TLS-based methods can use the following parameters to control TLS behavior
 # (these are normally in the phase1 parameter, but can be used also in the