sbaror wrote:
In our design we don't use Samba because the server which performs auth with the AD is the NPS.
OK.
Are you suggesting that the FR server needs to have Samaba when doing the MS CHAP v2 proxy to NPS?
No.
Our design: 1) Protocol is EAP-TTLS with inner MA CHAP v2 2) FR server authenticate the TLS part 3) FR proxies the MS CHAP Authentication to NPS 4) NPS performs the MS CHAP v2 auth.
Do "divide and conquer" to find the problem: 1) Does EAP-TTLS/MS-CHAP work when you define the user locally in the "users" file? i.e. *not* proxying? 2) does MS-CHAP work when you use "radclient" to send a request from the proxy? (use 2.1.10 for this) 3) Does EAP-TTLS/PAP work when you do proxying to NPS? The system includes a lot of moving parts. Narrow down the problem to the part that's broken. Alan DeKok.