Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jan 25 14:45:35 CET 2013
On 01/25/2013 01:19 PM, Bertalan Voros wrote:
> Hello All,
>
> Could someone tell me if it is possible to terminate PEAP on a
> freeradius server then proxy the request to an NPS server using MSCHAPv2?

Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and
FreeRADIUS will proxy the packets.

    server inner-tunnel {
        authorize {
            ...
            update control {
                Proxy-To-Realm := NPS
            }
            ...
        }
    }

However, personally I would strongly recommend you proxy the inner as
EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2"
code, i.e. you *should* set in "eap.conf":

    eap {
        ...
        peap {
            ...
            proxy_tunneled_request_as_eap = yes
            ...
        }
    }

If you set this option to "no" the proxied packet will be changed into
plain MSCHAP, but that code path is complex and has had problems in the
past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do
this.
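
For "Proxy-To-Realm := NPS" to resolve, a realm named NPS has to be defined in proxy.conf. The fragment below is an added illustration, not part of the original post; the home server name, pool name, address (a documentation-range placeholder) and shared secret are assumptions to replace with your own values.

```conf
# proxy.conf (added example; names, address and secret are placeholders)

# The NPS server that will receive the proxied inner EAP-MSCHAPv2 request.
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10                  # placeholder address of the NPS server
    port   = 1812
    secret = REPLACE_WITH_SHARED_SECRET  # must match the secret configured on NPS
}

# A pool is required even for a single home server.
home_server_pool nps_pool {
    type        = fail-over
    home_server = nps1
}

# The realm name must match the value assigned to Proxy-To-Realm
# in inner-tunnel/authorize.
realm NPS {
    auth_pool = nps_pool
    nostrip                              # pass User-Name to NPS unchanged
}
```

NPS must also list the FreeRADIUS server as a RADIUS client with the same shared secret, otherwise it will not answer the proxied requests.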