Hi James - As mentioned previously, we will need to see a copy of the Radiator configuration file (no secrets) together with a trace 4 debug showing what is happening.
And you should check the NPS logs of course to see what is happening at that end. In the case of the University, we were handling the EAP conversation on the Radiator side, and only proxying the inner MS-CHAP authentication. Unfortunately, NPS considers MS-CHAP authentications to be for people, not machines, so for the machines we had to proxy the entire EAP conversation. hope that helps regards Hugh On 15 Oct 2012, at 16:37, James Zee <[email protected]> wrote: > It is indeed NPS sending Radiator an ACCESS-REJECT. > > I know this is completely non-Radiator related, but do you happen to remember > what had to be done on NPS to get this to work? I've been tinkering for hours > without success. > > For the record, proxying to NPS works *much* better than ntlm_auth in our > extremely unstable AD environment. > > -james > > > On Fri, Oct 12, 2012 at 2:32 AM, Hugh Irvine <[email protected]> wrote: > > We had a similar problem at the University - it turned out to be NPS deciding > that it was a person not a machine authenticating and rejecting it out of > hand. > > If you could send us a copy of the configuration file and the associated > trace 4 debug we'll take a look. > > regards > > Hugh > > > On 12 Oct 2012, at 17:11, James Zee <[email protected]> wrote: > > > Thanks again for your helpful responses. > > > > We seem to have everything working by proxying requests to NPS. We're > > running into one final issue, however, that I can't seem to figure out. > > > > Host-based authentication is failing. Specifically, Radiator is throwing an > > error that indicates: > > > > > > for user host/blah.somewhere.com: PEAP Authentication Failure > > > > Any thoughts on why this may be happening? The only difference between the > > ntlm_auth wireless Radiator configuration and this one is the RADIUS proxy > > directive. > > > > -james > > > > > > On Wed, Oct 10, 2012 at 5:10 AM, Heikki Vatiainen <[email protected]> wrote: > > On 10/09/2012 09:44 PM, James Zee wrote: > > > > > Unfortunately, however, when we proxy our EAP requests through Radiator, > > > NPS sends an ACCESS-REJECT back without much logging. From what I can > > > tell, NPS is not responding because the RADIUS message that is proxied > > > through Radiator does not have a valid NAS port type. > > > > > > Shouldn't the proxied request include a NAS port type? Is there a way to > > > "fake" or append a NAS port type to the RADIUS request? > > > > You can take the NAS-Port-Type from the original, outer RADIUS request > > with this: > > > > AddToRequest NAS-Port-Type=%{OuterRequest:NAS-Port-Type} > > > > Add the option to the Handlers that take care of requests marked with > > TunnelledByPEAP=1 and ConvertedFromEAPMSCHAPV2=1 > > > > That should take care of NAS-Port-Type problem if you want or need to > > continue proyxing to NPS. > > > > Thanks, > > Heikki > > > > -- > > Heikki Vatiainen <[email protected]> > > > > Radiator: the most portable, flexible and configurable RADIUS server > > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, > > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, > > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, > > DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, > > NetWare etc. > > _______________________________________________ > > radiator mailing list > > [email protected] > > http://www.open.com.au/mailman/listinfo/radiator > > > > _______________________________________________ > > radiator mailing list > > [email protected] > > http://www.open.com.au/mailman/listinfo/radiator > > > -- > > Hugh Irvine > [email protected] > > Radiator: the most portable, flexible and configurable RADIUS server > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, > TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, > DIAMETER etc. > Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. > > > _______________________________________________ > radiator mailing list > [email protected] > http://www.open.com.au/mailman/listinfo/radiator -- Hugh Irvine [email protected] Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. _______________________________________________ radiator mailing list [email protected] http://www.open.com.au/mailman/listinfo/radiator
