EAP-PEAP with mschap login failed MSCHAP returns reject but we want to send no Reject but Accept with GUEST Vlan AVPs

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 18 14:23:58 CEST 2014

On 18/06/14 13:09, Becker, Alexander wrote:

> When a module (say, mschap with ntlm_auth) returns REJECT because of the
> user is not present in the AD, I want to continue processing the request
> to, let's say, accept the request, but provide an alternative VLAN
> (Tunnel-Id) to the endpoint.

You can't. mschap is a challenge/response protocol. You can't force it 
to succeed without valid authentication data and if you do, the client 
will reject it anyway as the response will be invalid.

You need to look for "fail vlan" support on your NAS.

More information about the Freeradius-Users mailing list