Dear Community,

We are facing a problem in our EAP-PEAP (MS-CHAPv2) environment with wrong 
'access-reject' messages. The infrastructure is as follows: RADIUS requests are 
proxied by a radsecproxy to our two radiator servers. The radiator servers are 
the final authentication servers and are connected to a Windows AD as the user 
database. The clients connect to the network with username+password, which 
works fine.
A problem occurs when the network connection between one radiator and the Domain 
Controller is not working, so no user database is available to that one 
radiator.
In the logs we see the following messages:

Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'USER': No 
logon servers
Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy; 
authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address: 1.2.3.4, 
NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, 
Form-Station-Id: 11:22:33:AA:BB:CC, Result: 1, Result String: EAP MSCHAP-V2 
Authentication failure

This message is sent as an 'access-reject' to the radsecproxy and the client, which 
is a legitimate RADIUS message for all network devices, even though this should 
not happen. At this point, the radsecproxy sees no reason to fail over upcoming 
authentication requests to the second radiator, which works fine with the DCs.

Is there any possibility of not sending an access-reject, and letting the radsecproxy 
time out this radiator?

Thanks for your help.

Regards,
Lukas Bielinski


-- 
Lukas Bielinski
Competence Center LAN (CC-LAN)
 
Fraunhofer-Gesellschaft e.V.
Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
Tel +49 6151 155-349
[email protected]   |  www.fraunhofer.de
 


_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
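The failure mode described in the post above, as an added example that is not part of the original message and not Radiator or radsecproxy code: a small Python log check that separates Access-Rejects caused by an unreachable logon server ("No logon servers") from genuine credential failures, so the condition can be alerted on instead of being counted as ordinary failed logins. The line formats follow the two log lines quoted in the post; the user names, station ids, the 'Logon failure' reason and the alert thresholds are constructed assumptions, and `Result: 1` is treated as a reject only because the quoted reject line carries it.

```python
"""Classify Radiator Access-Reject causes from its log (added example, not Radiator code).

Distinguishes rejects caused by an unreachable Domain Controller from rejects caused
by bad credentials, so an operator can alert on the former. The formats follow the
lines quoted in the mailing-list post; sample names, station ids, the "Logon failure"
reason and the thresholds are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Radiator prefixes each line with "Sat Mar 21 11:30:37 2019: LEVEL: message".
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (?P<level>\w+): (?P<msg>.*)$"
)
_NTLM_RE = re.compile(r"NTLM Could not authenticate user '(?P<user>[^']*)': (?P<reason>.*)$")
_RESULT_RE = re.compile(r"Result: (?P<result>\d+), Result String: ?(?P<text>.*)$")

# NTLM reasons that mean the backend is unavailable rather than the user being wrong.
BACKEND_DOWN_REASONS = {"No logon servers"}

# Constructed sample log; only the "No logon servers" reason and the line layout come
# from the post. The last line is a constructed non-reject result.
SAMPLE_LOG = """\
Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'alice': No logon servers
Sat Mar 21 11:30:37 2019: INFO: Accounting: User: alice AuthBy; authby-withoutrealm, OriginalUserName: alice, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:39 2019: WARNING: NTLM Could not authenticate user 'bob': Logon failure
Sat Mar 21 11:30:39 2019: INFO: Accounting: User: bob AuthBy; authby-withoutrealm, OriginalUserName: bob, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC445566, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:41 2019: WARNING: NTLM Could not authenticate user 'carol': No logon servers
Sat Mar 21 11:30:41 2019: INFO: Accounting: User: carol AuthBy; authby-withoutrealm, OriginalUserName: carol, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC778899, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Sat Mar 21 11:30:42 2019: INFO: Accounting: User: dave AuthBy; authby-withoutrealm, OriginalUserName: dave, NAS-IP-Address: 1.2.3.4, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC000000, Result: 0, Result String: 
"""


@dataclass
class Event:
    when: datetime
    kind: str            # "backend_down", "credential_failure", "reject" or "other"
    user: Optional[str]
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Turn one Radiator log line into an Event, or None if it is not of interest."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop the weekday token and parse the rest; the weekday is not validated.
    when = datetime.strptime(m["ts"].split(" ", 1)[1].strip(), "%b %d %H:%M:%S %Y")
    msg = m["msg"]
    n = _NTLM_RE.search(msg)
    if n:
        reason = n["reason"].strip()
        kind = "backend_down" if reason in BACKEND_DOWN_REASONS else "credential_failure"
        return Event(when, kind, n["user"], reason)
    r = _RESULT_RE.search(msg)
    if r:
        u = re.search(r"OriginalUserName: (\S+?),", msg)
        # The quoted reject carries "Result: 1"; anything else is only counted as "other".
        kind = "reject" if r["result"] == "1" else "other"
        return Event(when, kind, u.group(1) if u else None, r["text"].strip())
    return None


def summarize(lines: Iterable[str]) -> Counter:
    """Count events by kind over the given log lines."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[ev.kind] += 1
    return counts


def backend_unreachable(counts: Counter, min_events: int = 2, min_share: float = 0.5) -> bool:
    """True when enough NTLM failures are 'No logon servers' to call the DC link down.

    Thresholds are assumptions; tune them to the site's normal reject rate.
    """
    ntlm_failures = counts["backend_down"] + counts["credential_failure"]
    if ntlm_failures == 0 or counts["backend_down"] < min_events:
        return False
    return counts["backend_down"] / ntlm_failures >= min_share


if __name__ == "__main__":
    c = summarize(SAMPLE_LOG.splitlines())
    print(dict(c))
    if backend_unreachable(c):
        print("ALERT: rejects are caused by an unreachable logon server, not by bad credentials")
```

Fed with the real log, the alert is the signal the radsecproxy never gets from the wire: a reject that looks legitimate to every RADIUS device but is really a backend outage on one server.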