Hi,
Our design: 1) Protocol is EAP-TTLS with inner MA CHAP v2 2) FR server authenticate the TLS part 3) FR proxies the MS CHAP Authentication to NPS 4) NPS performs the MS CHAP v2 auth.
yes, this is feasible note this will break when clients start to check the end of the tunnel is the same (cyptobinding TLV) - this may become common. 1 and 2 will just work with the main outer tunnel and default config 3) you need to configure the EAP and inner tunnel to proxy the request to the remote server - at which point it will be a naked MSCHAPv2 going to the NPS 4) the NPS will do its work...so long as shared secrets are correct, note, theres lots of other bits that need to be right - eg the users entry in the NPS AD needs to be correct - remote dial-in connection enabled. the FR - NPS stuff that you talk about is basic bread and butter stuff. alan