Hey all, Apologies if this is a commonly asked question, I did search and tried to mimic similar attempts. I'm looking to accept eap-mschapv2 auths and proxy only mschapv2 to another RADIUS server, which is set up to authenticate that user and return an Accept or Reject. My understanding is that this is easily accomplishable using FreeRADIUS. I have no prior experience with FreeRADIUS, so excuse any mistakes... This is the output of freeradius -X using RadEapTest on a remote machine, username Administrator. It seems that FreeRadius is attempting to auth the user instead of just proxying it along; this does work when I attempt a PAP connection from that same machine, it gets proxy'd through and auths just fine. Ready to process requests. rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=0, length=134 User-Name = "Administrator" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020000120141646d696e6973747261746f72 Message-Authenticator = 0x67f16acfd64e0bf55afb823fbc79ce2f # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [eap] EAP packet type response id 0 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 172.16.201.10 port 63636 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd42c15c7d42d0ce1d2efe40d1ce734d1 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=1, length=140 User-Name = "Administrator" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02010006031a State = 0xd42c15c7d42d0ce1d2efe40d1ce734d1 Message-Authenticator = 0xe370cdc45d637d5ce7aa63f10cd3fc45 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/mschapv2 [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 172.16.201.10 port 63636 EAP-Message = 0x010200271a0102002210ae3862a5bd6aa644366843b6155ed7d641646d696e6973747261746f72 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd42c15c7d52e0fe1d2efe40d1ce734d1 Finished request 1. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.201.10 port 63636, id=2, length=206 User-Name = "Administrator" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200481a0202004331268cba76a73d54ea5fb5be72cdcd1b3b000000000000000077ae735bd2f46f781b886e02ff342f798677b30559e5d3830041646d696e6973747261746f72 State = 0xd42c15c7d52e0fe1d2efe40d1ce734d1 Message-Authenticator = 0xe08f96787e24a651d4ae379b44288612 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [eap] EAP packet type response id 2 length 72 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/default [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: Administrator [mschap] Client is using MS-CHAPv2 for Administrator, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> Administrator attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 2 for 1 seconds Going to the next request