FreeRadius proxy to MS-NPS for MSCHAPv2 authentication.

Jan Hugo Prins jhp at
Wed May 16 13:16:18 CEST 2012

Hi Alan,
>   Possibly.  However, not all packets will contain such a username.
> They might by "anonymous".
>   As always, read the debug output to be sure.
So, far all the packets going from the radius server to the DC contain
the user-name and the packets coming from the Aruba to the radius server
also contain the username, so that seems to be ok for now.

>> If this is going to work my next problem is adding some things to
>> access-accept replies. I need to add:
>> Aruba-User-Vlan = <vlanid>
>> Aruba-User-Role = <authenticated-role>
>   That's what the "post-proxy" section is for.  Add the attributes there.
I found this and it indeed seems to work.

>   Operator-Name.  It's a standard attribute that MS doesn't understand
> properly.  The solution is to (a) not proxy it, or (b) update the MS
> dictionaries.
I haven't seen this attribute yet, but I will keep my eye open for it.

The problem I'm now facing is that I don't seem to get any
authentication working. When I use radtest to test the whole radius
setup from radius server to DC I get the following which looks ok to me:

[root at radius01 ~]# radtest -x -t mschap user01 at poc.domain.fqdn xxxxxxxx 1812 aixiYax2Vee8pho0
Sending Access-Request of id 241 to port 1812
        User-Name = "user01 at poc.domain.fqdn"
        NAS-IP-Address =
        NAS-Port = 1812
        MS-CHAP-Challenge = 0x57c171011e737fa4
        MS-CHAP-Response =
rad_recv: Access-Accept packet from host port 1812, id=241,
        Aruba-User-Vlan = 2268
        Aruba-User-Role = "authenticated"
        Class =
        MS-CHAP-MPPE-Keys =
        MS-CHAP-Domain = "\000POC"
        MS-Link-Utilization-Threshold = 50
        MS-Link-Drop-Time-Limit = 120

But when I try to do the same from my laptop trying to do 802.1x through
the Aruba it works fine authenticating directly to my radius server /
openldap combination but proxying to the AD fails. I have attached the
logfiles of the radius server.

On the AD I get an error in the eventlog telling the folloing:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/16/2012 12:53:50 PM
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

    Security ID:            POC\user01
    Account Name:            user01 at poc.domain2.fqdn
    Account Domain:            POC
    Fully Qualified Account Name:    POC\user01

Client Machine:
    Security ID:            NULL SID
    Account Name:            -
    Fully Qualified Account Name:    -
    OS-Version:            -
    Called Station Identifier:        -
    Calling Station Identifier:        -

    NAS IPv4 Address:
    NAS IPv6 Address:        -
    NAS Identifier:  
    NAS Port-Type:            -
    NAS Port:            -

RADIUS Client:
    Client Friendly Name:        Radius01
    Client IP Address:  

Authentication Details:
    Connection Request Policy Name:    Use Windows authentication for
all users
    Network Policy Name:        Aruba authentication
    Authentication Provider:        Windows
    Authentication Server:        DC01.poc.domain2.fqdn
    Authentication Type:        EAP
    EAP Type:            -
    Account Session Identifier:        -
    Reason Code:            1
    Reason:                An internal error occurred. Check the system
event log for additional information.

Does anyone have an idea what problem I'm facing here?

Jan Hugo Prins

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: radiusd.log
URL: <>

More information about the Freeradius-Users mailing list