Hello! I faced a strange problem while setting up PEAP/TLS with FreeRADIUS as a Proxy for Windows NPS (2012R). Wireless Client -->> AccessPoint -->> FreeRADIUS -->> NPS (iOS,Android,Win) Cisco/Motorola/Unifi Ubuntu 16.04 Win2012R FreeRADIUS is set up and waiting for requests. When Wireless Client is trying to authenticate it seems FreeRADIUS tries to proxy request to NPS Request/Challenges begins and sometimes the process stucks in this exchange sometimes NPS and subsequently FreeRADIUS Access-Accepts and authenticates user. I supply relevant FreeRADIUS logs and I'm ready to provide configs and so on. May you help me to understand what's wrong with me? The impression FreeRADIUS interprets some packets incorrectly. The matter I think is in my settings which is got from numerous articles from Internet. FreeRADIUS Version 2.2.8 /etc/freeradius/sites-available/default: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ authorize { chap mschap digest ntdomain eap { ok = return } if ( ! (realm == "ponyex.local") ) { files if (noop) { sql if (notfound) { update control { Proxy-To-Realm := "ponyex.local" } } } } expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } pre-proxy { update proxy-request { Connect-Info := "This is a Friendly-Name" } } /etc/freeradius/proxy.conf: ~~~~~~~~~~~~~~~~~~~~~~~~~~~ home_server nps { type = auth ipaddr = 10.0.0.179 port = 1812 secret = *************************** require_message_authenticator = yes response_window = 20 zombie_period = 40 revive_interval = 120 status_check = request username = "test_user_please_reject_me" password = "this is really secret" num_answers_to_alive = 3 max_outstanding = 65536 } home_server_pool ponyex_pool { type = fail-over home_server = nps } realm ponyex.local { auth_pool = ponyex_pool nostrip } /etc/freeradius/eap.conf: ~~~~~~~~~~~~~~~~~~~~~~~~~ eap { default_eap_type = tls peap timer_expire = 60 tls { # Domains Cert/Key private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.crt CA_file = ${cadir}/ca.crt } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no virtual_server = "inner-tunnel" } mschapv2 { } /etc/freeradius/modules/mschap: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes } /etc/freeradius/modules/realm: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } Kind regards, Ellad