3.3.5.2 Received Challenge-Response Packet
If the currentState variable is set to EAP_CHAP_CHALLENGE_SENT, then:
Obtain the Username and PeerChallenge from the embedded MSCHAPv2 Challenge-Response packet.
Obtain the user (specified by Username) Password using an implementation-specific mechanism.
Validate the embedded MSCHAPv2 Challenge-Response packet, as specified in [RFC2759] section 4.
If the validation is successful, then:
Prepare a Success-Request packet which embeds the resulting MSCHAPv2 Success packet, and send it to the peer.
Set currentState to EAP_CHAP_SUCCESS_REQUEST_SENT.
If the validation fails due to an expired password and AllowPasswordChange is true, then:
Prepare a Failure-Request packet that embeds the MSCHAPv2 Failure packet with the R bit set to zero and the corresponding validation error, and send it to the peer.
Obtain the AuthenticatorChallenge from the Failure-Request packet.
Set currentState to EAP_CHAP_CHANGE_PASSWORD_SENT.
If the validation fails due to an expired password and AllowPasswordChange is false, then:
Prepare an EAP Failure packet and send it to the peer.
Set currentState to EAP_CHAP_FAILED.
If the validation fails due to authentication failure ([RFC2759] section 6) and the RetryCount datum is nonzero, then:
Prepare a Failure-Request packet which embeds the MSCHAPv2 Failure packet with R bit set to one and the corresponding validation error, and send it to the peer.
Decrement the RetryCount datum by one.
Obtain the AuthenticatorChallenge from the Failure-Request packet.
Leave currentState set at EAP_CHAP_CHALLENGE_SENT.
If the validation fails because of an authentication failure ([RFC2759] section 6) and the RetryCount datum is zero, then:<6>
Prepare a Failure-Request packet which embeds the MSCHAPv2 Failure packet with the R bit set to zero and the corresponding validation error, and send it to the peer.
Set currentState to EAP_CHAP_FAILURE_REQUEST_SENT.
If the currentState variable is not set to EAP_CHAP_CHALLENGE_SENT, the packet is ignored.
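The transitions above, modeled as a small authenticator state machine. This is an added example, not code from the specification. It assumes the outcome of the [RFC2759] validation is supplied by the caller as a hypothetical `Result` value, and it does not model packet encoding or the AuthenticatorChallenge; the `Authenticator` class and `replay` helper are illustrative names.

```python
from dataclasses import dataclass
from enum import Enum, auto

class State(Enum):
    EAP_CHAP_CHALLENGE_SENT = auto()
    EAP_CHAP_SUCCESS_REQUEST_SENT = auto()
    EAP_CHAP_CHANGE_PASSWORD_SENT = auto()
    EAP_CHAP_FAILURE_REQUEST_SENT = auto()
    EAP_CHAP_FAILED = auto()

class Result(Enum):  # hypothetical: outcome of the RFC 2759 section 4 validation
    OK = auto()
    PASSWORD_EXPIRED = auto()
    AUTH_FAILURE = auto()

@dataclass
class Authenticator:
    retry_count: int                 # RetryCount datum
    allow_password_change: bool      # AllowPasswordChange
    current_state: State = State.EAP_CHAP_CHALLENGE_SENT

    def on_challenge_response(self, result):
        """Return (packet kind, R bit) to send, or None if the packet is ignored."""
        if self.current_state is not State.EAP_CHAP_CHALLENGE_SENT:
            return None                              # wrong state: ignore the packet
        if result is Result.OK:
            self.current_state = State.EAP_CHAP_SUCCESS_REQUEST_SENT
            return ("Success-Request", None)
        if result is Result.PASSWORD_EXPIRED:
            if self.allow_password_change:
                self.current_state = State.EAP_CHAP_CHANGE_PASSWORD_SENT
                return ("Failure-Request", 0)        # R bit zero
            self.current_state = State.EAP_CHAP_FAILED
            return ("EAP-Failure", None)
        if result is Result.AUTH_FAILURE:
            if self.retry_count > 0:
                self.retry_count -= 1                # state stays CHALLENGE_SENT
                return ("Failure-Request", 1)        # R bit one: peer may retry
            self.current_state = State.EAP_CHAP_FAILURE_REQUEST_SENT
            return ("Failure-Request", 0)            # retries exhausted
        raise ValueError(f"unexpected validation result: {result!r}")

def replay(auth, results):
    """Feed constructed validation outcomes; record reply, state and RetryCount."""
    return [(auth.on_challenge_response(r), auth.current_state.name, auth.retry_count)
            for r in results]

if __name__ == "__main__":
    # Constructed input: a peer that keeps sending a wrong password.
    for row in replay(Authenticator(2, False), [Result.AUTH_FAILURE] * 4):
        print(row)
```

With RetryCount initialized to 2, the peer gets two retryable failures, then a final Failure-Request with the R bit cleared, and any further Challenge-Response is ignored, which bounds the number of password guesses per authentication attempt.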