Jan Hugo Prins wrote:
Now the next question is our partner that is a full M$ shop. They have a Windows ADS environment and all windows users. My first idea was to use proxy.conf to proxy all users with a username of user@domain.com to the MS-NPS server on the Windows ADS. Is this going to work with MSCHAPv2 authentication? I would expect so.
Possibly. However, not all packets will contain such a username. They might by "anonymous". As always, read the debug output to be sure.
If this is going to work my next problem is adding some things to access-accept replies. I need to add: Aruba-User-Vlan = <vlanid> Aruba-User-Role = <authenticated-role>
That's what the "post-proxy" section is for. Add the attributes there.
The first one is to set the proper VLAN and the second one is to move the user to an authenticated role of this M$-Shop.
Can this be done somewhere in the proxy.conf on the proxy-reply?
No. See raddb/sites-available/default, the "post-proxy" section.
I also read that their are some issues with the radius packets that are accepted by the MS-NPS server, with the risk that the packets are dropped at the MS-NPS side. Does someone have a overview of what should be in the radius packets and what should not be in them?
Operator-Name. It's a standard attribute that MS doesn't understand properly. The solution is to (a) not proxy it, or (b) update the MS dictionaries. Alan DeKok.