On May 5, 2017, at 11:15 AM, Martin, Jeremy <jmartin@emcc.edu> wrote:
Ok I have figured out what is going on here:
With NPS when a user account is disabled or the account is set to be rejectged what happens is this: Radius: Access-Request from switch comes in Radius: Access-Reject from radius server
Do you have a PCAP of that happening? i.e. *just* those RADIUS packets? Because that's not the way EAP is supposed to work. I'd argue that it's explicitly forbidden by the EAP standards.
So what happens is when a reject is returned without a challenge the end device knows that it needs to prompt for credentials but when the server issues the challenge and then the rejection happens the device does not prompt.
So the question now is how can I can configure freeradius to issue a access-reject message without a challenge for disabled users so I can set the initial password in the end device, again with Avaya IP 9608 Phones this is the only way to be prompted for 802.1x credentials?
authorize { if (... bad user ...) { reject } } How you determine "bad user" is up to you. Typically it's done via an LDAP query. You can test this yourself by just rejecting all requests for a particular user. Then, looking at the debug log to see what the server is doing. The post-auth section (in v3 at least) has code to insert an EAP failure if a request is rejected early. So that should Just Work. Alan DeKok.