Ok I have figured out what is going on here: With NPS when a user account is disabled or the account is set to be rejectged what happens is this: Radius: Access-Request from switch comes in Radius: Access-Reject from radius server The result here is that the phone prompts for credentials Freeradius configured as > user name Auth-Type:=Reject for disabled account Access-Request from switch comes in Access-Challenge from server Access-Request from switch Access-Reject from server So what happens is when a reject is returned without a challenge the end device knows that it needs to prompt for credentials but when the server issues the challenge and then the rejection happens the device does not prompt. So the question now is how can I can configure freeradius to issue a access-reject message without a challenge for disabled users so I can set the initial password in the end device, again with Avaya IP 9608 Phones this is the only way to be prompted for 802.1x credentials? Jeremy -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Friday, May 5, 2017 7:37 AM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Freeraius vs NPS On May 4, 2017, at 11:48 PM, Martin, Jeremy <jmartin@emcc.edu> wrote:
I would like to thank everyone for there time, looks like we are going to have to stick with NPS as it seem to be the product that supports the solution that returns whatever needs to be returned back to the switch. In this particular case though nothing to do with MS-CHAP its all MD5 based.
If it's EAP-MD5, then there is *nothing* in the packets which can cause this behaviour. EAP-MD5 simply doesn't support that functionality. And the packet traces you posted are unhelpful. For one, they contain tons of non-EAP / non-RADIUS traffic. There's no reason to send ARP captures to this list. For two, they contain *both* EAPoL and RADIUS traffic. This doesn't make sense. If you're authenticating an end device, it should NEVER get RADIUS traffic. And the only EAP traffic is Identity request / response packets. And the only RADIUS traffic is Access-Reject. Nothing about that traffic makes any sense whatsoever. Something else is going on. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html