What's happening is, when I use the radclient to auth DIRECTLY to the IAS server, I get an Access-Accept response. However, when I use the proxy, they are receiving an encrypted password...either that or an incorrectly encrypted password that cannot be decrypted by their IAS. I am using the Password attribute with radclient rather than User-Password, so I believe when I was using radclient it was sending an unencrypted password. When I run radiusd -X, I am able to see his password, so I'm assuming it's being relayed in plain-text. Is this correct? Or does debug mode decrypt the password for my viewing pleasure?
I guess the root of my question is, does IAS send plain-text passwords? Also, is there a way I can send the password to IAS via an encryption method that it can understand without making a global change? This can't be done in proxy.conf, so would the answer then be user specific? On the IAS end the reason why they can't auth is their problem - their proxy is stripping the realm info from the username and just sending us user@, i.e. no realm info, but how do I set the FR proxy to relay the login info via an encryption method that can be understood by IAS? They accept the following auth methods - MS-CHAP, MS-CHAP V2, CHAP, and PAP.
Thanks for your help again guys (gals)!
-Ian Savoy

John Horne wrote:
On Wed, 2007-05-16 at 17:12 -0400, Ian Savoy wrote:
Is there anything else?

Hi,

Not sure if it's still relevant but with our IAS servers the sysadmin made sure it set the reply message to "yes". If you test from freeradius to the IAS server using the 'radtest' command, and run freeradius as 'radiusd -X', you should then see something like this from radiusd:

rad_recv: Access-Accept packet from host 10.1.2.3:1812, id=0, length=74
        Proxy-State = 0x323235
        Framed-Protocol = PPP
        Reply-Message = "Yes"
        Service-Type = Framed-User

John.
--
Ian Savoy
Webforce Systems, Inc
Operations Support/UNIX Engineer
CompTIA A+ Certified Professional
Tech. Support: 614-899-9257 x22
Website: http://www.ewebforce.net
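
Added example, not part of the original message or of FreeRADIUS: PAP User-Password hiding as defined in RFC 2865 section 5.2, with the proxy hop from section 2.3 (unhide with the client's shared secret, re-hide with the home server's), to show why a shared-secret mismatch leaves the home server with a password it cannot recover. The function names, secrets, authenticators and password are constructed for illustration.

```python
import hashlib

def _xor_block(data: bytes, secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 5.2: keystream block = MD5(shared secret + previous block)
    key = hashlib.md5(secret + prev).digest()
    return bytes(d ^ k for d, k in zip(data, key))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password for the User-Password attribute."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1-128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)  # chain on ciphertext
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_password; a wrong secret yields garbage, not an error."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor_block(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def proxy_relay(hidden, client_secret, client_auth, home_secret, proxy_auth):
    """Proxy hop: unhide with the client's secret, re-hide for the home server."""
    clear = unhide_password(hidden, client_secret, client_auth)
    return hide_password(clear, home_secret, proxy_auth)

# Constructed sample values (not from the original message).
PASSWORD = b"correct horse battery"          # 21 bytes -> two 16-byte blocks
NAS_SECRET, HOME_SECRET = b"nas-to-proxy", b"proxy-to-home"
NAS_AUTH, PROXY_AUTH = bytes(range(16)), bytes(range(16, 32))

if __name__ == "__main__":
    from_nas = hide_password(PASSWORD, NAS_SECRET, NAS_AUTH)
    to_home = proxy_relay(from_nas, NAS_SECRET, NAS_AUTH, HOME_SECRET, PROXY_AUTH)
    print("home server, matching secret:", unhide_password(to_home, HOME_SECRET, PROXY_AUTH))
    print("home server, mismatched secret:", unhide_password(to_home, b"typo-secret", PROXY_AUTH))
```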