FreeRadius proxy to MS-NPS for MSCHAPv2 authentication.

Jan Hugo Prins jhp at
Fri May 11 23:20:26 CEST 2012


This last week I have been setting up my Aruba environment
authenticating users that are in OpenLDAP and all have a Windows
Password etc. This installation worked straight out of the box and the
part that took most of the time was making a clean setup that I can copy
paste to other installations etc and getting to know unlang. So far so

Now the next question is our partner that is a full M$ shop. They have a
Windows ADS environment and all windows users. My first idea was to use
proxy.conf to proxy all users with a username of user at to the
MS-NPS server on the Windows ADS. Is this going to work with MSCHAPv2
authentication? I would expect so.

If this is going to work my next problem is adding some things to
access-accept replies. I need to add:
Aruba-User-Vlan = <vlanid>
Aruba-User-Role = <authenticated-role>

The first one is to set the proper VLAN and the second one is to move
the user to an authenticated role of this M$-Shop.

Can this be done somewhere in the proxy.conf on the proxy-reply?

I really  don't want to install Samba on the FreeRadius server and make
it authenticate to the ADS, this is because it doesn't scale on the long
run if you need to authenticate to more then one ADS environment.

I also read that their are some issues with the radius packets that are
accepted by the MS-NPS server, with the risk that the packets are
dropped at the MS-NPS side. Does someone have a overview of what should
be in the radius packets and what should not be in them?

Thanks a lot,
Jan Hugo Prins

More information about the Freeradius-Users mailing list