3.2.5.4 Received Failure-Request Packet

If the currentState variable is set to EAP_CHAP_CHALLENGE_RESPONSE_SENT, then:

  • If the embedded MSCHAPv2 packet's R bit is set to 1 ([RFC2759] section 6), then:

    • Assign the Challenge obtained from the embedded MSCHAPv2 Failure packet to AuthenticatorChallenge.

    • Obtain the Password using an implementation-specific mechanism.

    • Generate a PeerChallenge, as specified in [RFC2759] section 4.

    • Prepare a Challenge-Response packet which embeds the MSCHAPv2 Challenge-Response packet, and send it to the server.

    • Leave the currentState set at EAP_CHAP_CHALLENGE_RESPONSE_SENT.

  • If the embedded MSCHAPv2 packet's R bit is set to zero ([RFC2759] section 6), and the error code is set to password expiration error, then:

    • Assign the Challenge obtained from the embedded MSCHAPv2 Failure packet to AuthenticatorChallenge.

    • Obtain the Password using an implementation-specific mechanism.

    • Generate a PeerChallenge, as specified in [RFC2759] section 4.

    • Prepare a Change-Password-Response packet which embeds the MSCHAPv2 Change-Password packet, and send it to the server.

    • Leave the currentState set at EAP_CHAP_CHALLENGE_RESPONSE_SENT.

  • If the embedded MSCHAPv2 packet's R bit is set to zero ([RFC2759] section 6) and the error code is not set to password expiration error, then:

    • The peer SHOULD trigger the transport layer with the authentication result as Failed and set currentState to EAP_CHAP_FAILED; alternatively, it MAY prepare a Failure-Response packet, send it to the server, and set currentState to EAP_CHAP_FAILURE_RESPONSE_SENT.

If the currentState variable is not set to EAP_CHAP_CHALLENGE_RESPONSE_SENT, the packet is ignored.
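
The branch selection above, as an added example that is not part of the specification: it parses the Message field of the embedded MSCHAPv2 Failure packet ([RFC2759] section 6) and returns the action the peer takes. The function names, the action strings, rejecting a malformed message with ValueError, accepting a missing M= field, and taking only the SHOULD branch in the last case are assumptions of this sketch.

```python
import re

# State names are the ones used in this section.
CHALLENGE_RESPONSE_SENT = "EAP_CHAP_CHALLENGE_RESPONSE_SENT"
FAILED = "EAP_CHAP_FAILED"
ERROR_PASSWD_EXPIRED = 648  # password expiration error code, RFC 2759 section 6

# RFC 2759 section 6 message layout: "E=<dec> R=<0|1> C=<32 hex digits> V=<dec> M=<text>"
_FAILURE_RE = re.compile(
    r"E=(\d{1,10}) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d{1,10})(?: M=(.*))?",
    re.DOTALL,
)

def parse_failure_message(message: str) -> dict:
    """Parse the Failure packet's Message field; anything malformed is rejected."""
    m = _FAILURE_RE.fullmatch(message)
    if m is None:
        raise ValueError("malformed MSCHAPv2 Failure message")
    return {
        "error": int(m.group(1)),
        "retry": m.group(2) == "1",              # the R bit
        "challenge": bytes.fromhex(m.group(3)),  # 16-octet challenge
        "version": int(m.group(4)),
    }

def on_failure_request(current_state: str, message: str):
    """Return (action, new_state, authenticator_challenge) for a Failure-Request."""
    if current_state != CHALLENGE_RESPONSE_SENT:
        return ("ignore", current_state, None)   # packet is ignored, never parsed
    f = parse_failure_message(message)
    if f["retry"]:
        # R=1: retry with the challenge carried in the Failure packet.
        return ("send_challenge_response", CHALLENGE_RESPONSE_SENT, f["challenge"])
    if f["error"] == ERROR_PASSWD_EXPIRED:
        # R=0 and password expired: change password, again using that challenge.
        return ("send_change_password_response", CHALLENGE_RESPONSE_SENT, f["challenge"])
    # R=0 and any other error: report Failed to the transport layer (SHOULD branch).
    return ("report_failed", FAILED, None)

# Constructed sample input, not captured from a real exchange.
SAMPLE = "E=648 R=0 C=00112233445566778899AABBCCDDEEFF V=3 M=Password expired"

if __name__ == "__main__":
    print(on_failure_request(CHALLENGE_RESPONSE_SENT, SAMPLE))
```

In the two retry branches the returned challenge becomes AuthenticatorChallenge for the next packet, so a peer never reuses the challenge from the original Challenge-Request.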