Proxying PAP to PEAP-MSCHAP-V2

Xand Meaden xand.meaden at
Fri Sep 4 21:10:06 CEST 2020

On 04/09/2020 16:51, Martin Pauly wrote:
> Am 02.09.20 um 10:55 schrieb Xand Meaden via Freeradius-Users:
>> NPS RADIUS servers which are configured to only support PEAP-MSCHAP-V2
> The NPS surely is a member of a windows domain, right?
> If the admins of that domain allowed your FR as a member
> (i.e. a samba instance on your server), you could feed the passwords
> directly to mschap/ntlm_auth. This _might_ increase performance over
> external wpa_supplicant or eapol_test as using this functionality
> no longer requires spawning an external process.
> But extending an AD domain like that may pose security issues of its own.
Thanks - we've been using AD for authentication directly, but are
looking to switch to the NPS server as it's tied into a multi-factor
authentication system used by other systems. From Alan's suggestion I've
got something working using the FreeRADIUS Python module and eapol_test
but I'm not completely happy with how it's cobbled together :)


Xand Meaden | Senior Linux Engineer
Faculty of Natural & Mathematical Sciences
King's College London

More information about the Freeradius-Users mailing list