Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

Phil Mayers p.mayers at imperial.ac.uk
Fri Jan 25 14:45:35 CET 2013

On 01/25/2013 01:19 PM, Bertalan Voros wrote:
> Hello All,
> Could someone tell me if it is possible to terminate PEAP on a
> freeradius server then proxy the request to an NPS server using MSCHAPv2?

Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and 
FreeRADIUS will proxy the packets.

server inner-tunnel {
   authorize {
     update control {
       Proxy-To-Realm := NPS

However, personally I would strongly recommend you proxy the inner as 
EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" 
code i.e. you *should* set in "eap.conf":

eap {
   peap {
     proxy_tunneled_request_as_eap = yes

If you set this option to "no" the proxied packet will be changed into 
plain MSCHAP, but that code path is complex and has had problems in the 
past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do 

More information about the Freeradius-Users mailing list