On 24/03/2012 13:13, Alan Buxey wrote:
Hi,

there was never any more on this thread, so just to add some final info

Now, for whatever reason, the Windows box decides to discard some
requests. Unfortunately, the error reporting is pretty weak
("discarding invalid request"). Our Windows guys are digging into
this. It seems to be client specific, we suspect something with our
recently changed certificate.

   I don't see how.  Normal RADIUS doesn't use certificates.

   And if your home server *randomly* discards requests, then your
priority should be to fix that.  No amount of poking FreeRADIUS will
make the home server magically work.  No amount of poking FreeRADIUS
will work around the fact that the home server is broken.

Microsoft decided, in their wisdom, to just discard packets that aren't right.
This affects IAS and NPS. If your policy says, for example,

NAS-Port-Type = Wireless-802.11

and the packet doesn't have that attribute... or it's not Wireless-802.11... then the
packet is just silently dropped. The RADIUS proxies throughout the proxy chain then
think the server is dead.... Status-Server kicks in.... oh, guess what, they don't support
that, so it stays marked dead. The remote proxies might be lucky... as their
Status-Server will be answered by the proxy above them... which, if it's FreeRADIUS
or RADIATOR, *will* respond in some way to show they are alive.

IAS and NPS are a mess with proxied RADIUS - especially when there are policies
involved.

Further to what Alan says above, IAS/NPS can report "invalid request" if it contains an attribute not in their dictionaries, or an attribute where the value does not match the type in their dictionaries.

As NPS and IAS dictionaries are old, don't match the RFCs, and it seems MS never update the dictionaries, this means NPS and IAS discard a lot of valid packets!

If you are proxying to IAS or NPS, filter the attributes very carefully before they hit the MS RADIUS servers.

Regards,
  James
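The filtering James recommends can be illustrated with a small stand-alone script. This is an added example and not code from the thread, from FreeRADIUS or from Microsoft: it parses the attribute section of a RADIUS packet, checks every attribute against a constructed stand-in for the home server's (old) dictionary, drops anything the home server would not recognise or whose value length does not match the dictionary type, and rebuilds the packet. The dictionary contents, the attribute number 200 and the sample request are all constructed for the example; a real proxy such as FreeRADIUS would also recompute the authenticator and Message-Authenticator with the home server's shared secret after changing the attribute list, which this script leaves out.

```python
import struct

# Constructed stand-in for the home server's dictionary: attribute number -> (name, type).
# Anything not listed here is treated as "unknown to the home server" and stripped,
# mirroring the IAS/NPS behaviour of rejecting attributes it has no dictionary entry for.
HOME_SERVER_DICT = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    5: ("NAS-Port", "integer"),
    30: ("Called-Station-Id", "string"),
    31: ("Calling-Station-Id", "string"),
    32: ("NAS-Identifier", "string"),
    61: ("NAS-Port-Type", "integer"),
}

HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def parse_avps(packet: bytes):
    """Split the attribute section of a RADIUS packet into (type, value) pairs.
    Raises ValueError on a malformed TLV so a broken packet is never forwarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("packet length field does not match packet size")
    avps = []
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # Attribute length includes its own two header bytes, so 2 is the minimum.
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        avps.append((atype, packet[pos + 2 : pos + alen]))
        pos += alen
    return avps


def value_matches_type(value: bytes, rtype: str) -> bool:
    """RFC 2865 encodes integer, ipaddr and date as exactly 4 octets; strings are 1..253."""
    if rtype in ("integer", "ipaddr", "date"):
        return len(value) == 4
    if rtype == "string":
        return 1 <= len(value) <= 253
    return False


def build_packet(code: int, ident: int, authenticator: bytes, avps) -> bytes:
    """Serialise header plus attributes, recomputing the length field."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in avps)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def filter_for_home_server(packet: bytes, dictionary=HOME_SERVER_DICT):
    """Return (rebuilt_packet, dropped); dropped lists each removed attribute and why."""
    code, ident = packet[0], packet[1]
    authenticator = packet[4:HEADER_LEN]
    kept, dropped = [], []
    for atype, value in parse_avps(packet):
        entry = dictionary.get(atype)
        if entry is None:
            dropped.append((atype, "not in home server dictionary"))
            continue
        name, rtype = entry
        if not value_matches_type(value, rtype):
            dropped.append((atype, f"{name} value does not match type {rtype}"))
            continue
        kept.append((atype, value))
    return build_packet(code, ident, authenticator, kept), dropped


# Constructed Access-Request: valid attributes, one attribute number the home server
# has never heard of (200, chosen for the example), and a NAS-Port carrying a 2-byte
# value where the dictionary says integer (4 bytes).
SAMPLE_REQUEST = build_packet(1, 7, bytes(range(16)), [
    (1, b"alice@example.org"),
    (61, struct.pack("!I", 19)),   # NAS-Port-Type = Wireless-802.11
    (200, b"\x01\x02"),            # constructed: unknown to the home server
    (5, b"\x00\x05"),              # NAS-Port encoded with the wrong length
    (32, b"ap-lab-01"),
])

if __name__ == "__main__":
    cleaned, dropped = filter_for_home_server(SAMPLE_REQUEST)
    for atype, reason in dropped:
        print(f"dropped attribute {atype}: {reason}")
    print(f"forwarding {len(parse_avps(cleaned))} attributes in {len(cleaned)} bytes")
```

Running it drops attributes 200 and 5 and forwards the remaining three. Logging what was dropped, as the script does, is the part worth keeping in a real deployment: a proxy that silently strips attributes hides the mismatch just as effectively as the home server that silently discards the packet.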
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
