Hi,

> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
> 2) FR server authenticates the TLS part
> 3) FR proxies the MS CHAP authentication to NPS
> 4) NPS performs the MS CHAP v2 auth.
Yes, this is feasible. Note this will break when clients start to check that the end of the tunnel is the same (cryptobinding TLV); this may become common.

1 and 2 will just work with the main outer tunnel and default config.

3) You need to configure the EAP and inner tunnel to proxy the request to the remote server, at which point it will be a naked MSCHAPv2 going to the NPS.

4) The NPS will do its work... so long as shared secrets are correct. Note, there's lots of other bits that need to be right, e.g. the user's entry in the NPS AD needs to be correct: remote dial-in connection enabled.

The FR - NPS stuff that you talk about is basic bread and butter stuff.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
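A minimal FreeRADIUS configuration for step 3 above (handing the inner MSCHAPv2 request from the TTLS inner tunnel to NPS), added here as an illustration and not the poster's or the project's own files; the NPS address, shared secret and the realm name "nps" are placeholders you would replace with your own values.

```conf
# proxy.conf (placeholder values; the NPS must list this FR host as a
# RADIUS client with the same shared secret, or step 4 will fail)
home_server nps1 {
    type   = auth
    ipaddr = 192.0.2.10          # placeholder: your NPS address
    port   = 1812
    secret = CHANGE-ME-shared-secret
    # Ask NPS to sign replies; protects the naked MSCHAPv2 leg.
    require_message_authenticator = yes
}

home_server_pool nps_pool {
    type        = fail-over
    home_server = nps1
}

realm nps {
    auth_pool = nps_pool
    nostrip                      # keep user@domain intact for AD lookup
}

# sites-enabled/inner-tunnel: only the inner (decrypted) request is
# proxied; the outer EAP-TTLS exchange stays on this server (steps 1-2).
server inner-tunnel {
    authorize {
        mschap
        update control {
            Proxy-To-Realm := "nps"
        }
    }
}
```

With this in place the outer TLS is terminated locally and only the MS-CHAP-Challenge/MS-CHAP2-Response pair travels to NPS, which is exactly the "naked MSCHAPv2" the reply describes.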