Machine authentications with proxy-inner-tunnel and NPS as backend

Herwin Weststrate herwin at quarantainenet.nl
Mon Jul 21 12:51:07 CEST 2014


On 21-07-14 11:03, Phil Mayers wrote:
> On 21/07/2014 09:49, Herwin Weststrate wrote:
> 
>> Has anyone ever tried something like this and got the setup working?
> 
> I haven't tried it, but there's no fundamental reason it wouldn't work.
> Can you post a debug i.e. "radiusd -X | tee log" of a failing case?

I've got one at
https://gist.github.com/qnet-herwin/ca4b8a7f1d279bffc5c7, but there's
not that much information it gives. Starting at line 2052, it tries to
send a packet to 10.101.0.227 (which is an NPS) and receives an
Access-Reject. There is nothing interesting happening before, and
afterwards it behaves like it should when receiving an Access-Reject.

In case someone is wondering about the unspecified Vendor Specific
Attributes: they are sometimes sent by HP devices, see
https://www.mail-archive.com/radiator@open.com.au/msg16094.html. The
behaviour doesn't change when a different Access Point is used.

The exact error message in Active Directory is "Authentication failed
due to a user credentials mismatch. Either the user name provided does
not map to an existing user account or the password was incorrect."

-- 
Herwin Weststrate


