Freeraius vs NPS
jmartin at emcc.edu
Fri May 5 17:15:02 CEST 2017
Ok I have figured out what is going on here:
With NPS, when a user account is disabled or the account is set to be rejected, what happens is this:
Radius: Access-Request from switch comes in
Radius: Access-Reject from radius server
The result here is that the phone prompts for credentials
Freeradius configured with a users entry of "user name Auth-Type := Reject" for the disabled account:
Access-Request from switch comes in
Access-Challenge from server
Access-Request from switch
Access-Reject from server
So what happens is when a reject is returned without a challenge the end device knows that it needs to prompt for credentials but when the server issues the challenge and then the rejection happens the device does not prompt.
So the question now is: how can I configure freeradius to issue an Access-Reject message without a challenge for disabled users, so I can set the initial password in the end device? Again, with Avaya IP 9608 phones this is the only way to be prompted for 802.1x credentials.
From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 5, 2017 7:37 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeraius vs NPS
On May 4, 2017, at 11:48 PM, Martin, Jeremy <jmartin at emcc.edu> wrote:
> I would like to thank everyone for their time, looks like we are going to have to stick with NPS as it seems to be the product that supports the solution that returns whatever needs to be returned back to the switch. In this particular case though, nothing to do with MS-CHAP, it's all MD5 based.
If it's EAP-MD5, then there is *nothing* in the packets which can cause this behaviour. EAP-MD5 simply doesn't support that functionality.
And the packet traces you posted are unhelpful. For one, they contain tons of non-EAP / non-RADIUS traffic. There's no reason to send ARP captures to this list.
For two, they contain *both* EAPoL and RADIUS traffic. This doesn't make sense. If you're authenticating an end device, it should NEVER get RADIUS traffic.
And the only EAP traffic is Identity request / response packets. And the only RADIUS traffic is Access-Reject.
Nothing about that traffic makes any sense whatsoever.
Something else is going on.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
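As an added illustration of the ordering point in the exchange above (this is editor-supplied config, not from the thread or the FreeRADIUS project): in FreeRADIUS 3.x the authorize section normally runs the eap module before the files module, so an entry with Auth-Type := Reject is only consulted after eap has already queued the EAP-MD5 challenge. Deciding on the disabled account before eap runs makes the very first Identity round end in an Access-Reject, with no Access-Challenge in between. The user name and the placement inside sites-enabled/default are assumptions; the disabled-account test is a placeholder to be replaced by whatever lookup the site already uses.

```unlang
# Excerpt of sites-enabled/default, authorize section (editor's example,
# not the thread's configuration). Only the relevant modules are shown.
authorize {
    filter_username
    preprocess

    # Placeholder check for a disabled account. The NAS copies the EAP
    # Identity into User-Name, so this matches the first Access-Request
    # of the 802.1X exchange. "reject" stops the section here: eap never
    # runs, no EAP-MD5 challenge is built, and the server answers the
    # Identity round with Access-Reject instead of Access-Challenge.
    if (&User-Name == "disabled.user@example.org") {
        reject
    }

    # Everything below is the stock ordering: eap runs first, and when
    # it handles the packet the section returns before files is reached,
    # which is why an Auth-Type := Reject entry cannot prevent the
    # challenge on its own.
    eap {
        ok = return
    }
    files
    pap
}
```

The same reject-before-eap placement works for any other disabled-account test (an SQL lookup, a group check) as long as it sits above the eap call.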