Hello, I have experienced a problem with CHAP when proxying authentication to a client where the proxy rejects all authentication.
I solved the problem by patching the FR code myself and I think this should be fixed in future releases: The problem is that the proxy doesn't know the attribute CHAP-Challenge, and takes the challenge directly from the vector field, as says the RFC when the CHAP-challenge is not provided by the NAS. Well, when FR receives a request he systematically build a CHAP-Challenge attribute from the vector field if there isn't already one provided by the NAS. And when he proxys, he systematically builds a new random vector field, patching the challenge for the client. The solution is to copy the CHAP-Challenge in the vector when proxying. Someone think about undesirable side effects with doing this ? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html