Hi Phil,

Thanks a lot for the quick response.

The reason I was attempting this is because I have to provide a service for roaming users and I was having issues with obtaining a certificate for the NPS server.

Does this mean that I could use a self-signed certificate for the NPS that is recognized by the freeradius and have a commercial certificate on the freeradius that is then recognized by the clients? So it's kept EAP-MSCHAPv2 all the way. Is this correct?

Sorry for the lame questions but I am reasonably new to freeradius and have only been using it to blindly proxy requests to the NPS.

On 25 January 2013 13:45, Phil Mayers <[email protected]> wrote:

> On 01/25/2013 01:19 PM, Bertalan Voros wrote:
>
>> Hello All,
>>
>> Could someone tell me if it is possible to terminate PEAP on a
>> freeradius server then proxy the request to an NPS server using MSCHAPv2?
>
> Yes. Simply set "Proxy-To-Realm" in inner-tunnel/authorize, and FreeRADIUS
> will proxy the packets.
>
> server inner-tunnel {
>   authorize {
>     ...
>     update control {
>       Proxy-To-Realm := NPS
>     }
>     ...
>   }
> }
>
> However, personally I would strongly recommend you proxy the inner as
> EAP-MSCHAPv2, rather than using the magic "turn into plain mschapv2" code
> i.e. you *should* set in "eap.conf":
>
> eap {
>   ...
>   peap {
>     ...
>     proxy_tunneled_request_as_eap = yes
>     ...
>   }
> }
>
> If you set this option to "no" the proxied packet will be changed into
> plain MSCHAP, but that code path is complex and has had problems in the
> past. NPS can handle EAP-MSCHAPv2 just fine, so you shouldn't need to do
> this.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

--
Bertalan Voros
m: 07932858025

