From 49fcc32e91ddf38259765a0218a4519977411a19 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 1 Feb 2015 17:45:19 +0200
Subject: [PATCH] EAP-MSCHAPv2 peer: Add option to disable password retry query

wpa_supplicant used to request user to re-enter username/password if the server indicated that EAP-MSCHAPv2 (e.g., in PEAP Phase 2) authentication failed (E=691), but retry is allowed (R=1). This is a reasonable default behavior, but there may be cases where it is more convenient to close the authentication session immediately rather than wait for user to do something.

Add a new "mschapv2_retry=0" option to the phase2 field to allow the retry behavior to be disabled. This will make wpa_supplicant abort authentication attempt on E=691 regardless of whether the server allows retry.

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_config.h | 4 +++-
 src/eap_peer/eap_mschapv2.c | 7 +++++++
 wpa_supplicant/wpa_supplicant.conf | 3 ++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 903412de1..73d020688 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -425,7 +425,9 @@ struct eap_peer_config {
  * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
  *
  * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
- * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS.
+ * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
+ * be used to disable MSCHAPv2 password retry in authentication failure
+ * cases.
  */
 char *phase2;
diff --git a/src/eap_peer/eap_mschapv2.c b/src/eap_peer/eap_mschapv2.c
index 430c501bb..9e486e7d1 100644
--- a/src/eap_peer/eap_mschapv2.c
+++ b/src/eap_peer/eap_mschapv2.c
@@ -472,6 +472,13 @@ static int eap_mschapv2_failure_txt(struct eap_sm *sm,
 pos += 2;
 msg = pos;
 }
+ if (data->prev_error == ERROR_AUTHENTICATION_FAILURE && retry &&
+ config && config->phase2 &&
+ os_strstr(config->phase2, "mschapv2_retry=0")) {
+ wpa_printf(MSG_DEBUG,
+ "EAP-MSCHAPV2: mark password retry disabled based on local configuration");
+ retry = 0;
+ }
 wpa_msg(sm->msg_ctx, MSG_WARNING,
 "EAP-MSCHAPV2: failure message: '%s' (retry %sallowed, error "
 "%d)",
diff --git a/wpa_supplicant/wpa_supplicant.conf b/wpa_supplicant/wpa_supplicant.conf
index 23c229980..a8c30e1b8 100644
--- a/wpa_supplicant/wpa_supplicant.conf
+++ b/wpa_supplicant/wpa_supplicant.conf
@@ -942,7 +942,8 @@ fast_reauth=1
 # pbc=1.
 # phase2: Phase2 (inner authentication with TLS tunnel) parameters
 # (string with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
-# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS)
+# "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). "mschapv2_retry=0" can be
+# used to disable MSCHAPv2 password retry in authentication failure cases.
 #
 # TLS-based methods can use the following parameters to control TLS behavior
 # (these are normally in the phase1 parameter, but can be used also in the
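Review bot: The new check in eap_mschapv2_failure_txt tests the phase2 string with `os_strstr(config->phase2, "mschapv2_retry=0")`, which is a substring match rather than a field match, so a value such as `mschapv2_retry=01` or any longer field name ending in the same text would also disable the retry. If that is the same loose matching the rest of the peer code uses for phase1/phase2 flags it is acceptable, but the intent and the ordering deserve a comment, e.g. `/* Local config overrides the server's R=1; clear retry before the warning below so the logged state is the effective one */` above the `if`. The function's head, including where `config` and `data` are obtained, is outside the hunk, so whether `config` can actually be NULL at this point (the condition guards against it) cannot be confirmed from the diff.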