SV: FR proxy to ACS and NPS with MS CHAP v2
Alan DeKok
aland at deployingradius.com
Thu Jul 29 14:51:15 CEST 2010
SagiBarOr wrote:
> Sure. Here is the picture again: we are doing EAP-TTLS authnentcation with a
> partial proxy. We call it "split authentication". One Freeradius server is
> doing the TLS phase and then proxy the MS CHAP v2 portion to a second Free
> Radius server.
> This works just fine.
> When we try to do the same when the second server (which does the MS CHAP v2
> authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the
> authentication fails. The connection is refused becasue of bad username or
> pwd.
The debug logs you posted show no such reject.
> My question to the forum: although thesystem with 2 FR servers works fine,
> can it be that there an issue with the MS CHAP v2 proxy, and only becasue
> the second radius is also Free radius, then it tolarates it?
My $0.02 is that FreeRADIUS implements the specs correctly. It
proxies MS-CHAP as MS-CHAP, without any butchering of the packets.
> I know it is a weird request to look for somthing non std or wrong in logs
> of a susscessful session, but I still try my luck. Any lead can help.
This disagrees with what you said earlier. If the connection is
refused, you should not see a successful session.
Which one is it?
Alan DeKok.
More information about the Freeradius-Users
mailing list