Proxy based on auth type?

Bertalan Voros bertalan.voros at
Fri Feb 1 13:48:34 CET 2013

Hello All,

Another lame ass question.

Is it possible to proxy requests based on Auth-Type?

I now have a config which terminates PEAP locally and proxies through the
inner-tunnel to an NPS using MSCHAP.
This was my original goal.

However, when I do a radtest to check what happens to an mschap request it
fails locally instead of being proxied.
There is a combination of peap and mschap requests coming to the server.

If I uncomment suffix in sites-enabled/default then it's reversed, mschap
gets proxied but PEAP requests doesn't get sent through the inner tunnel.

In proxy.conf I have the DEFAULT realm set to our NPS and have nostrip set
for each entry in clients.conf.
The reason for this is that in the AD we have the user's email set as UPN
and there are hundreds of email domains in use, the users's AD username
cannot be determined based on the email address.

Output of debug mode when plain mschap fails:

*Ready to process requests.*
*rad_recv: Access-Request packet from host port 54292, id=242,
*        User-Name = "bertalan.voros at"*
*        NAS-IP-Address = x.x.x.x*
*        NAS-Port = 0*
*        Message-Authenticator = 0x8402c1883262ac3e5a71b538490e1082*
*        MS-CHAP-Challenge = 0x9580349e1047ab7c*
*        MS-CHAP-Response =
*# Executing section authorize from file /etc/raddb/sites-enabled/default*
*+- entering group authorize {...}*
*++[preprocess] returns ok*
*[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'*
*++[mschap] returns ok*
*[eap] No EAP-Message, not doing EAP*
*++[eap] returns noop*
*Found Auth-Type = MSCHAP*
*# Executing group from file /etc/raddb/sites-enabled/default*
*+- entering group MS-CHAP {...}*
*[mschap] No Cleartext-Password configured.  Cannot create LM-Password.*
*[mschap] No Cleartext-Password configured.  Cannot create NT-Password.*
*[mschap] Told to do MS-CHAPv1 with NT-Password*
*[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.*
*[mschap] MS-CHAP-Response is incorrect.*
*++[mschap] returns reject*
*Failed to authenticate the user.*
*Login incorrect: [bertalan.voros****] (from client CiscoAP
port 0)*
*Using Post-Auth-Type Reject*
*# Executing group from file /etc/raddb/sites-enabled/default*
*+- entering group REJECT {...}*
*[attr_filter.access_reject]     expand: %{User-Name} -> bertalan.voros**@*
*attr_filter: Matched entry DEFAULT at line 11*
*++[attr_filter.access_reject] returns updated*
*Delaying reject of request 11 for 1 seconds*
*Going to the next request*
*Waking up in 0.9 seconds.*
*Sending delayed reject for request 11*
*Sending Access-Reject of id 242 to port 54292*
*        MS-CHAP-Error = "\000E=691 R=1"*
*Waking up in 4.9 seconds.*
*Cleaning up request 11 ID 242 with timestamp +13*
*Ready to process requests.*

Your help will be appreciated,

Bertalan Voros
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list