Freeradius vs NPS
Alan DeKok
aland at deployingradius.com
Fri May 5 17:19:29 CEST 2017
On May 5, 2017, at 11:15 AM, Martin, Jeremy <jmartin at emcc.edu> wrote:
>
> Ok I have figured out what is going on here:
>
> With NPS, when a user account is disabled or the account is set to be rejected, what happens is this:
> Radius: Access-Request from switch comes in
> Radius: Access-Reject from radius server
Do you have a PCAP of that happening? i.e. *just* those RADIUS packets?
Because that's not the way EAP is supposed to work. I'd argue that it's explicitly forbidden by the EAP standards.
> So what happens is when a reject is returned without a challenge the end device knows that it needs to prompt for credentials but when the server issues the challenge and then the rejection happens the device does not prompt.
>
> So the question now is how can I configure freeradius to issue an Access-Reject message without a challenge for disabled users, so I can set the initial password in the end device? Again, with Avaya IP 9608 phones this is the only way to be prompted for 802.1x credentials.
authorize {
    # whatever test identifies the account; the reject must come
    # before the eap module runs in this section
    if (... bad user ...) {
        reject
    }
}
How you determine "bad user" is up to you. Typically it's done via an LDAP query.
You can test this yourself by just rejecting all requests for a particular user. Then, looking at the debug log to see what the server is doing.
The post-auth section (in v3 at least) has code to insert an EAP failure if a request is rejected early. So that should Just Work.
Alan DeKok.
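As an added illustration of the authorize-section approach above (this is not code from the thread or from the FreeRADIUS project): a v3 authorize section that looks the user up in LDAP before the eap module runs, so an unknown or disabled account gets a bare Access-Reject with no Access-Challenge. It assumes the ldap module's update block maps the directory's disable flag into control:Tmp-Integer-0 (a hypothetical mapping; the AD userAccountControl bit 0x2 is used as the example), and that the stock Post-Auth-Type REJECT block is unchanged.

```unlang
# Added example, not from the thread.  Reject before "eap" runs so the
# NAS never sees an Access-Challenge for a disabled account.

# mods-enabled/ldap: copy the account-status attribute into a control
# attribute.  Hypothetical mapping; adjust to your directory schema.
ldap {
    # ... server, base_dn, identity, etc. as already configured ...
    update {
        control:Tmp-Integer-0 := 'userAccountControl'
    }
}

# sites-enabled/default
authorize {
    filter_username
    preprocess

    # For testing (as suggested above): reject one specific user outright
    # and watch "radiusd -X" to confirm no Access-Challenge is sent.
    if (&User-Name == "reject-test") {
        reject
    }

    # Look the user up.  This runs on the *outer* identity; if clients
    # send an anonymous outer identity the check would have to move to
    # inner-tunnel, but by then an Access-Challenge has already gone out.
    ldap
    if (notfound) {
        reject
    }

    # AD sets bit 0x2 (ACCOUNTDISABLE) in userAccountControl.
    if (&control:Tmp-Integer-0 && ("%{expr: %{control:Tmp-Integer-0} & 2}" != "0")) {
        reject
    }

    # Only live accounts reach the eap module, which starts the
    # EAP conversation (Access-Challenge).
    eap {
        ok = return
    }

    # ... rest of the stock authorize section (files, pap, etc.) ...
}

# Post-Auth-Type REJECT in the stock v3 config already calls "eap",
# which attaches an EAP-Failure to the Access-Reject.
```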