SV: FR proxy to ACS and NPS with MS CHAP v2

SagiBarOr sagi.bar-or at intel.com
Thu Jul 29 14:55:49 CEST 2010


The connection is not refused. These logs are of a successful session.
I did not post logs of a refused connection because this is not a free
radius server.
If you have no information about something non std with the way Free radius
proxies MS CHAP v2 then I will continue to investigate in other directions.



Alan DeKok-2 wrote:
> 
> SagiBarOr wrote:
>> Sure. Here is the picture again: we are doing EAP-TTLS authentication with a
>> partial proxy. We call it "split authentication". One Freeradius server is
>> doing the TLS phase and then proxies the MS CHAP v2 portion to a second Free
>> Radius server.
>> This works just fine.
>> When we try to do the same when the second server (which does the MS CHAP v2
>> authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the
>> authentication fails. The connection is refused because of bad username or
>> pwd.
> 
>   The debug logs you posted show no such reject.
> 
>> My question to the forum: although the system with 2 FR servers works fine,
>> can it be that there is an issue with the MS CHAP v2 proxy, and only because
>> the second radius is also Free radius, then it tolerates it?
> 
>   My $0.02 is that FreeRADIUS implements the specs correctly.  It
> proxies MS-CHAP as MS-CHAP, without any butchering of the packets.
> 
>> I know it is a weird request to look for something non std or wrong in logs
>> of a successful session, but I still try my luck. Any lead can help.
> 
>   This disagrees with what you said earlier.  If the connection is
> refused, you should not see a successful session.
> 
>   Which one is it?
> 
>   Alan DeKok.
