SV: FR proxy to ACS and NPS with MS CHAP v2

SagiBarOr sagi.bar-or at intel.com
Thu Jul 29 14:39:46 CEST 2010


Sure. Here is the picture again: we are doing EAP-TTLS authentication with a
partial proxy. We call it "split authentication". One Freeradius server is
doing the TLS phase and then proxies the MS CHAP v2 portion to a second Free
Radius server. 
This works just fine. 
When we try to do the same when the second server (which does the MS CHAP v2
authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the
authentication fails. The connection is refused because of bad username or
pwd. 
My question to the forum: although the system with 2 FR servers works fine,
can it be that there is an issue with the MS CHAP v2 proxy, and only because
the second radius is also Free radius, it tolerates it? 

I know it is a weird request to look for something non std or wrong in logs
of a successful session, but I still try my luck. Any lead can help. 

Appreciate your patience.
Sagi




Alan DeKok-2 wrote:
> 
> SagiBarOr wrote:
>> Here is another pair of logs which may be more focused than the previous
>> pair. It is of the LDAP portion only
> 
>   Could you explain in *simple* terms what you want?  You've been
> posting large debug outputs with little or no explanation.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

-- 
View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29296037.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.



