Terminate PEAP on freeradius then proxy MSCHAPv2 to NPS

Bertalan Voros bertalan.voros at gmail.com
Fri Jan 25 15:15:41 CET 2013

Hi Phil,

Thanks a lot for the quick response.

The reason I was attempting this is because I have to provide a service for
roaming users and I was having issues with obtaining a certificate for the
NPS server.

Does this mean that I could use a self signed certificate for the NPS that
is recognized by the freeradius and have a commercial certificate on the
freeradius that is then recognized by the clients?
So it's kept EAP-MSCHAPv2 all the way.

Is this correct?

Sorry for the lame questions but I am reasonably new to freeradius have
only been using it to blindly proxy requests to the NPS.

On 25 January 2013 13:45, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 01/25/2013 01:19 PM, Bertalan Voros wrote:
>> Hello All,
>> Could someone tell me if it is possible to terminate PEAP on a
>> freeradius server then proxy the request to an NPS server using MSCHAPv2?
> Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and FreeRADIUS
> will proxy the packets.
> server inner-tunnel {
>   authorize {
>     ...
>     update control {
>       Proxy-To-Realm := NPS
>     }
>     ...
>   }
> However, personally I would strongly recommend you proxy the inner as
> EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" code
> i.e. you *should* set in "eap.conf":
> eap {
>   ...
>   peap {
>     ...
>     proxy_tunneled_request_as_eap = yes
>     ...
>   }
> }
> If you set this option to "no" the proxied packet will be changed into
> plain MSCHAP, but that code path is complex and has had problems in the
> past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do
> this.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/**
> list/users.html <http://www.freeradius.org/list/users.html>

Bertalan Voros
m: 07932858025
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130125/a4025019/attachment.html>

More information about the Freeradius-Users mailing list