FreeRadius proxy to MS-NPS for MSCHAPv2 authentication.

Phil Mayers p.mayers at
Wed May 16 14:13:47 CEST 2012

On 16/05/12 12:16, Jan Hugo Prins wrote:
> Does anyone have an idea what problem I'm facing here?

Wild guess - set "copy_request_to_tunnel = yes" on your EAP method(s).

The outer packets contain (amongst others):

	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "0023144E6060"
	Called-Station-Id = "000B866DB51C"
	Service-Type = Login-User
	Framed-MTU = 1100
	Aruba-Essid-Name = "BBTest"
	Aruba-Location-Id = "d8:c7:c8:cb:67:0a"
	Aruba-Attr-10 = 0x544330332d566c6f657232

Since you don't have "copy_request_to_tunnel" set, the inner, and thus 
proxied, packets don't have these attributes.

From experience, NPS policies tend to match on these. Either configure 
FreeRADIUS to send these attributes (by copying them from outer to inner) 
or change your NPS policies to not look for them.

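
Added example, not part of the original post: where the setting suggested above lives in the FreeRADIUS EAP module configuration (eap.conf in 2.x, mods-available/eap in 3.x). Which tunneled methods the poster has enabled is not shown on the page, so both PEAP and TTLS are assumed here, and unrelated options are omitted.

```conf
eap {
	# ... other EAP settings unchanged ...

	ttls {
		# Attributes present in the outer request but absent from the
		# tunneled request are copied into the inner request, so they
		# are also present when the inner request is proxied.
		copy_request_to_tunnel = yes
	}

	peap {
		# Same behaviour for PEAP: the inner MSCHAPv2 request proxied
		# to NPS then carries NAS-Port-Type, Calling-Station-Id,
		# Called-Station-Id and the other outer attributes.
		copy_request_to_tunnel = yes
	}
}
```

Running the server in debug mode (radiusd -X) after the change shows whether the proxied inner request now lists the outer attributes that the NPS policy conditions match on.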