SV: FR proxy to ACS and NPS with MS CHAP v2
A.L.M.Buxey at lboro.ac.uk
Tue Oct 12 16:29:31 CEST 2010
> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
> 2) FR server authenticates the TLS part
> 3) FR proxies the MS CHAP Authentication to NPS
> 4) NPS performs the MS CHAP v2 auth.
yes, this is feasible
note this will break when clients start to check that the end of the tunnel is the same
(cryptobinding TLV) - this may become common.
1 and 2 will just work with the main outer tunnel and default config
3) you need to configure the EAP and inner tunnel to proxy the request
to the remote server - at which point it will be a naked MSCHAPv2
going to the NPS
4) the NPS will do its work...so long as shared secrets are correct.
note, there's lots of other bits that need to be right - e.g. the user's
entry in the NPS AD needs to be correct - remote dial-in connection enabled.
the FR - NPS stuff that you talk about is basic bread and butter stuff.
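For step 3, the FreeRADIUS (2.x/3.x) configuration that hands the inner MSCHAPv2 request to NPS, added here as an example and not taken from the thread; the home server name, the 192.0.2.10 address, the pool/realm names and the secret are placeholders.

```conf
# proxy.conf: the NPS box as a home server, pool and realm.
# 192.0.2.10, the names and the secret are placeholder (assumed) values.
home_server nps {
    type   = auth
    ipaddr = 192.0.2.10
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET   # must match the RADIUS client entry on NPS
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps
}

realm nps {
    auth_pool = nps_pool
    nostrip                 # forward User-Name unchanged so NPS can find the AD account
}

# ttls subsection inside the existing eap { } block (eap.conf / mods-available/eap):
# FR does the outer TLS handshake itself; the decrypted inner request goes to
# the inner-tunnel virtual server.
ttls {
    default_eap_type       = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply     = yes
    virtual_server         = "inner-tunnel"
}

# sites-enabled/inner-tunnel: with EAP-TTLS the inner request is plain
# MS-CHAP-Challenge / MS-CHAP2-Response attributes, not EAP, so it is proxied
# as-is. NPS therefore needs a network policy that permits MS-CHAPv2 (not
# PEAP) from this FR server, and the AD account needs dial-in access enabled.
server inner-tunnel {
    authorize {
        update control {
            Proxy-To-Realm := "nps"   # forces the proxy; local authenticate{} is skipped
        }
    }
    # NPS's Access-Accept/Reject decides the inner result; the outer session
    # keys still come from FR's own TLS handshake, not from NPS.
}
```

Run `radiusd -X` and `eapol_test` (or a real supplicant) once to confirm the inner request leaves for 192.0.2.10 with the User-Name intact; a "No Auth-Type found" in the debug output means the Proxy-To-Realm update did not fire.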