Thanks Phil. 
I am still not clear.. I just want to proxy the host authentication request to the actual RADIUS server which is Microsoft AD. In such cases what configuration is required on proxy server? Can it be done? 
 
Well I mentioned realm type as IPASS  as IPASS type is of format realm/username as mentioned in modules/realm file. 

Hence forth I will post full logs.

Thanks,
Chidanand


On Wed, Oct 20, 2010 at 7:47 PM, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 20/10/10 12:22, Chidanand Gangur wrote:
Hi,

I have following setup

where windows host  is connected to Cisco 2960  which is connected to
Microsoft AD via RADIUS proxy

Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) ->
Microsoft AD (2003)

In the above setup user authentication goes fine. I am using PEAP v1
authentication.

I am struggling hard to make host authentication successful.

When the machine boots I see radius Access-Request with User-Name =
"host/radhost1.testad1.com" which
qualifies to IPASS type realm and searches for realm as "host" and
things do not work.

No - it's not an IPASS realm. You need to disable the IPASS module.

host/machine.domain.com

corresponds to:

DOMAIN\machine$

i.e. the machine account.

The "mschap" module can expand this, for example if you have the "ntlm_auth" helper to authenticate MS-CHAP against a windows domain using samba as a helper:

ntlm_auth = "... --username=%{mschap:User-Name} ..."

...will do the right thing.



Please point me to links/docs or give me pointer where/how to start.

Post the full debug output, not an edited version.


Wed Oct 20 07:27:48 2010 : Info: [eap] EAP Identity
Wed Oct 20 07:27:48 2010 : Info: [eap] processing type md5
Wed Oct 20 07:27:48 2010 : Debug: rlm_eap_md5: Issuing Challenge

This is EAP-MD5. You have not configured your windows client correctly. Configure it correctly for PEAP/MS-CHAP.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



--
Chidanand Gangur
Pune.