FreeRadius proxy to MS-NPS for MSCHAPv2 authentication.

Alan DeKok aland at
Sat May 12 09:36:41 CEST 2012

Jan Hugo Prins wrote:
> Now the next question is our partner that is a full M$ shop. They have a
> Windows ADS environment and all windows users. My first idea was to use
> proxy.conf to proxy all users with a username of user at to the
> MS-NPS server on the Windows ADS. Is this going to work with MSCHAPv2
> authentication? I would expect so.

  Possibly.  However, not all packets will contain such a username.
They might by "anonymous".

  As always, read the debug output to be sure.

> If this is going to work my next problem is adding some things to
> access-accept replies. I need to add:
> Aruba-User-Vlan = <vlanid>
> Aruba-User-Role = <authenticated-role>

  That's what the "post-proxy" section is for.  Add the attributes there.

> The first one is to set the proper VLAN and the second one is to move
> the user to an authenticated role of this M$-Shop.
> Can this be done somewhere in the proxy.conf on the proxy-reply?

  No.  See raddb/sites-available/default, the "post-proxy" section.

> I also read that their are some issues with the radius packets that are
> accepted by the MS-NPS server, with the risk that the packets are
> dropped at the MS-NPS side. Does someone have a overview of what should
> be in the radius packets and what should not be in them?

  Operator-Name.  It's a standard attribute that MS doesn't understand
properly.  The solution is to (a) not proxy it, or (b) update the MS

  Alan DeKok.

More information about the Freeradius-Users mailing list