SV: FR proxy to ACS and NPS with MS CHAP v2
Alan DeKok
aland at deployingradius.com
Tue Oct 12 16:27:14 CEST 2010
sbaror wrote:
> In our design we don't use Samba because the server which performs auth with
> the AD is the NPS.
OK.
> Are you suggesting that the FR server needs to have
> Samba when doing the MS CHAP v2 proxy to NPS?
No.
> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
> 2) FR server authenticates the TLS part
> 3) FR proxies the MS CHAP Authentication to NPS
> 4) NPS performs the MS CHAP v2 auth.
Do "divide and conquer" to find the problem:
1) Does EAP-TTLS/MS-CHAP work when you define the user locally in the
"users" file? i.e. *not* proxying?
2) Does MS-CHAP work when you use "radclient" to send a request from the
proxy? (use 2.1.10 for this)
3) Does EAP-TTLS/PAP work when you do proxying to NPS?
The system includes a lot of moving parts. Narrow down the problem to
the part that's broken.
Alan DeKok.