The connection is not refused. these logs are of a successful session. I did not post logs of a refused connection because this is not a free radius server. If you have no infomration about something non std with the way Free radius proxy MA CHAP v2 then I will continue to investigate in other directions.
Alan DeKok-2 wrote: > > SagiBarOr wrote: >> Sure. Here is the picture again: we are doing EAP-TTLS authnentcation >> with a >> partial proxy. We call it "split authentication". One Freeradius server >> is >> doing the TLS phase and then proxy the MS CHAP v2 portion to a second >> Free >> Radius server. >> This works just fine. >> When we try to do the same when the second server (which does the MS CHAP >> v2 >> authentication) is not Free Radius, but rather MS NPS or Cisco ACS - the >> authentication fails. The connection is refused becasue of bad username >> or >> pwd. > > The debug logs you posted show no such reject. > >> My question to the forum: although thesystem with 2 FR servers works >> fine, >> can it be that there an issue with the MS CHAP v2 proxy, and only becasue >> the second radius is also Free radius, then it tolarates it? > > My $0.02 is that FreeRADIUS implements the specs correctly. It > proxies MS-CHAP as MS-CHAP, without any butchering of the packets. > >> I know it is a weird request to look for somthing non std or wrong in >> logs >> of a susscessful session, but I still try my luck. Any lead can help. > > This disagrees with what you said earlier. If the connection is > refused, you should not see a successful session. > > Which one is it? > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > -- View this message in context: http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29296159.html Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
