sbaror wrote:
> In our design we don't use Samba because the server which performs auth with
> the AD is the NPS.

OK.

> Are you suggesting that the FR server needs to have
> Samba when doing the MS CHAP v2 proxy to NPS?

No.

> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
> 2) FR server authenticates the TLS part
> 3) FR proxies the MS CHAP Authentication to NPS
> 4) NPS performs the MS CHAP v2 auth.

Do "divide and conquer" to find the problem:

1) Does EAP-TTLS/MS-CHAP work when you define the user locally in the "users" file? i.e. *not* proxying?

2) Does MS-CHAP work when you use "radclient" to send a request from the proxy? (use 2.1.10 for this)

3) Does EAP-TTLS/PAP work when you do proxying to NPS?

The system includes a lot of moving parts. Narrow down the problem to the part that's broken.

Alan DeKok.