SV: FR proxy to ACS and NPS with MS CHAP v2

SagiBarOr at
Thu Jul 29 14:55:49 CEST 2010

The connection is not refused. these logs are of a successful session. 
I did not post logs of a refused connection because this is not a free
radius server. 
If you have no infomration about something non std with the way Free radius
proxy MA CHAP v2 then I will continue to investigate in other directions. 

Alan DeKok-2 wrote:
> SagiBarOr wrote:
>> Sure. Here is the picture again: we are doing EAP-TTLS authnentcation
>> with a
>> partial proxy. We call it "split authentication". One Freeradius server
>> is
>> doing the TLS phase and then proxy the MS CHAP v2 portion to a second
>> Free
>> Radius server. 
>> This works just fine. 
>> When we try to do the same when the second server (which does the MS CHAP
>> v2
>> authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the
>> authentication fails. The connection is refused becasue of bad username
>> or
>> pwd.
>   The debug logs you posted show no such reject.
>> My question to the forum: although thesystem with 2 FR servers works
>> fine,
>> can it be that there an issue with the MS CHAP v2 proxy, and only becasue
>> the second radius is also Free radius, then it tolarates it? 
>   My $0.02 is that FreeRADIUS implements the specs correctly.  It
> proxies MS-CHAP as MS-CHAP, without any butchering of the packets.
>> I know it is a weird request to look for somthing non std or wrong in
>> logs
>> of a susscessful session, but I still try my luck. Any lead can help. 
>   This disagrees with what you said earlier.  If the connection is
> refused, you should not see a successful session.
>   Which one is it?
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See

View this message in context:
Sent from the FreeRadius - User mailing list archive at

More information about the Freeradius-Users mailing list