Freeraius vs NPS

Martin, Jeremy jmartin at emcc.edu
Fri May 5 17:46:59 CEST 2017


I am attaching them to this email.

Jeremy




-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+jmartin=emcc.edu at lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Friday, May 5, 2017 11:19 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Freeraius vs NPS

On May 5, 2017, at 11:15 AM, Martin, Jeremy <jmartin at emcc.edu> wrote:
> 
> Ok I have figured out what is going on here:
> 
> With NPS when a user account is disabled or the account is set to be rejected what happens is this:
> 	Radius: Access-Request from switch comes in
> 	Radius: Access-Reject from radius server

  Do you have a PCAP of that happening?  i.e. *just* those RADIUS packets?

  Because that's not the way EAP is supposed to work.  I'd argue that it's explicitly forbidden by the EAP standards.

> So what happens is: when a reject is returned without a challenge, the end device knows that it needs to prompt for credentials, but when the server issues the challenge and then the rejection happens, the device does not prompt.
> 
> So the question now is how can I configure freeradius to issue an access-reject message without a challenge for disabled users, so I can set the initial password in the end device? Again, with Avaya IP 9608 Phones this is the only way to be prompted for 802.1x credentials.

authorize {
	# "... bad user ..." is whatever test identifies the account
	# (see below: typically an LDAP query)
	if (... bad user ...) {
		reject
	}
}

  How you determine "bad user" is up to you.  Typically it's done via an LDAP query.

  You can test this yourself by just rejecting all requests for a particular user.  Then, looking at the debug log to see what the server is doing.

  The post-auth section (in v3 at least) has code to insert an EAP failure if a request is rejected early.  So that should Just Work.

  Alan DeKok.


Attachments (non-text, scrubbed by the list archive):

  freeradius-select.pcapng  (application/octet-stream, 1104 bytes)
  URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170505/c79f0853/attachment.obj>

  nps-select.pcapng  (application/octet-stream, 712 bytes)
  URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20170505/c79f0853/attachment-0001.obj>
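Added example (not part of the thread and not the FreeRADIUS project's own configuration): a FreeRADIUS 3.x outer `authorize` section that does what Alan describes. It rejects disabled accounts before the `eap` module ever sees the request, so the first Access-Request carrying the EAP-Identity is answered with Access-Reject instead of Access-Challenge, and the stock `Post-Auth-Type REJECT` block in `sites-available/default` attaches the EAP-Failure. The test user name `disabled-test`, the `base_dn`, and the use of the Active Directory `userAccountControl` attribute in the LDAP filter are assumptions for illustration; only the modules needed to show the ordering are listed, the rest of the stock section is omitted.

```unlang
# sites-available/default (FreeRADIUS 3.x), outer "authorize" section.
# Added example; the user name, base_dn and LDAP filter are assumptions.
authorize {
	preprocess

	# Quick test of the suggestion in the thread: reject everything for
	# one test account, then watch "radiusd -X" and confirm that no
	# Access-Challenge is sent before the Access-Reject.
	if (&User-Name == "disabled-test") {
		reject
	}

	# Real check: look the user up in LDAP.  With the filter in the
	# ldap module below a disabled account is simply not matched, so the
	# module returns "notfound" and the request is rejected right here.
	ldap
	if (notfound) {
		reject
	}

	# Only requests that survived the checks above reach EAP, so only
	# those ever get an Access-Challenge.  Anything rejected earlier is
	# handled by Post-Auth-Type REJECT, which inserts the EAP-Failure.
	eap {
		ok = return
	}
}

# mods-available/ldap: exclude disabled accounts from the user search.
# The bit-AND matching rule 1.2.840.113556.1.4.803 tests
# userAccountControl for ACCOUNTDISABLE (0x2).  Assumes Active Directory.
ldap {
	user {
		base_dn = "ou=People,dc=example,dc=edu"
		filter = "(&(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
	}
}
```

The check only works at this point if the supplicant puts its real account name in the outer EAP-Identity; with an anonymous outer identity the LDAP lookup fails for every user, and the disabled-account test has to move into the `inner-tunnel` site, where the reject can only arrive after the TLS tunnel (and therefore a challenge) has already been sent. Verify the result the same way the thread does: capture the RADIUS exchange with the switch and confirm it consists of a single Access-Request followed by a single Access-Reject.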