FR3.x - EAP proxy - EAP-TLS to MS NPS trouble

Alan DeKok aland at
Wed Jun 28 19:47:15 CEST 2017

On Jun 28, 2017, at 5:07 AM, Kylián Martin <kylianm at> wrote:
> I use freeradius for mac authentication bypass and as proxy for EAP. Specifically, an EAP-TLS that is routed to one of the MS NPS servers.
> I run the production environment on debian8 and FreeRadius 2.2.5, where everything works as it should.
> There is a problem I can not solve on the FreeRadius 3.0.12 (deb9) test server.
> After forwarding the access-request to the AD server, the request is not processed on the MS NPS server (w2012r2):
> Reason Code: 3
> Reason: The RADIUS Request message that the Network Policy Server received from the network access server was malformed.

  That shouldn't happen.  FreeRADIUS always produces correct packets, and we have a lot of tests to ensure it always produces correct packets.

> NPS discards this request and does not respond.
> When I look at access-request with wireshark, I do not see any problem.

  Then NPS is broken.  Not surprising...

> (Message-authenticator is different from that sent by the client and which sends FreeRadius to NPS and Proxy-State added.)

  That's fine.

> The same configuration with FR2.2.5 is parsed on NPS and is responded.

  Do you have samples of the packets sent by 2.2.5 to NPS?  How are they different from the ones sent by version 3?

> Is there something I've overlooked when migrating to FR3? Is anyone running a similar configuration? I am doing something wrong?

  FR works.  If Wireshark thinks the packets are fine, that's another vote for FR being OK.

  As usual, I think NPS is broken.

  Alan DeKok.

More information about the Freeradius-Users mailing list