Remote users - proxying fails - NPS timeout

John Horne john.horne at plymouth.ac.uk
Mon Aug 21 11:57:27 CEST 2017


On Sat, 2017-08-19 at 17:45 +0100, Alan Buxey wrote:
> Same offer here. Initial thought is handling of some attribute. Best thing
> to do is ensure you're calling attribute filter for all packets destined to
> NPS to strip them down to bare essentials (i.e. the minimum EAP contents for
> NPS to do its job with no other attrs present).
>
Hello,

Thanks to both Alans for the replies.

I will look again at the filtering. Comparing the RADIUS packets sent for a
failed user authentication and one that did authenticate showed no difference
in the attribute names, but obviously the values were different. The values in
both looked okay though.

At the moment I'm keeping an eye on the network interface to see if packets are
being dropped. I assume this would cause either end (FreeRADIUS and NPS) to
time out the proxied request! Again, not sure why it should suddenly happen when
version 3.0.15 is used though. Probably a red herring.

We logged a support request with Microsoft last Friday. My colleague is dealing
with that as I have nothing to do with Microsoft. (He's one of our MS server
sysadmins, and I'm the Linux sysadmin.) Anyway, we'll see what they say.

> I assume you're sending the EAP onward to NPS and not terminating EAP on FR
> and only sending inner Auth to NPS?
>
Correct. The whole EAP request is proxied, not just the inner part.



John.

--
John Horne | Senior Operations Analyst | Technology and Information Services
University of Plymouth | Drake Circus | Plymouth | Devon | PL4 8AA | UK