Freeraius vs NPS

Martin, Jeremy jmartin at
Fri May 5 17:15:02 CEST 2017

Ok I have figured out what is going on here:

With NPS when a user account is disabled or the account is set to be rejectged what happens is this:
	Radius: Access-Request from switch comes in
	Radius: Access-Reject from radius server

    The result here is that the phone prompts for credentials

Freeradius configured as > user name      Auth-Type:=Reject   for disabled account
	Access-Request from switch comes in
	Access-Challenge from server
	Access-Request from switch
	Access-Reject from server

So what happens is when a reject is returned without a challenge the end device knows that it needs to prompt for credentials but when the server issues the challenge and then the rejection happens the device does not prompt.  

So the question now is how can I can configure freeradius to issue a access-reject message without a challenge for disabled users so I can set the initial password in the end device, again with Avaya IP 9608 Phones this is the only way to be prompted for 802.1x credentials?


-----Original Message-----
From: Freeradius-Users [ at] On Behalf Of Alan DeKok
Sent: Friday, May 5, 2017 7:37 AM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Freeraius vs NPS

On May 4, 2017, at 11:48 PM, Martin, Jeremy <jmartin at> wrote:
> I would like to thank everyone for there time, looks like we are going to have to stick with NPS as it seem to be the product that supports the solution that returns whatever needs to be returned back to the switch.  In this particular case though nothing to do with MS-CHAP its all MD5 based.

  If it's EAP-MD5, then there is *nothing* in the packets which can cause this behaviour.  EAP-MD5 simply doesn't support that functionality.

  And the packet traces you posted are unhelpful.  For one, they contain tons of non-EAP / non-RADIUS traffic.  There's no reason to send ARP captures to this list.

  For two, they contain *both* EAPoL and RADIUS traffic.  This doesn't make sense.  If you're authenticating an end device, it should NEVER get RADIUS traffic.

  And the only EAP traffic is Identity request / response packets.  And the only RADIUS traffic is Access-Reject.

  Nothing about that traffic makes any sense whatsoever.

  Something else is going on.

  Alan DeKok.

List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list