Jan Hugo Prins wrote:
> Now the next question is our partner that is a full M$ shop. They have a
> Windows ADS environment and all windows users. My first idea was to use
> proxy.conf to proxy all users with a username of u...@domain.com to the
> MS-NPS server on the Windows ADS. Is this going to work with MSCHAPv2
> authentication? I would expect so.

Possibly. However, not all packets will contain such a username. They might be "anonymous". As always, read the debug output to be sure.

> If this is going to work my next problem is adding some things to
> access-accept replies. I need to add:
> Aruba-User-Vlan = <vlanid>
> Aruba-User-Role = <authenticated-role>

That's what the "post-proxy" section is for. Add the attributes there.

> The first one is to set the proper VLAN and the second one is to move
> the user to an authenticated role of this M$-Shop.
>
> Can this be done somewhere in the proxy.conf on the proxy-reply?

No. See raddb/sites-available/default, the "post-proxy" section.

> I also read that there are some issues with the radius packets that are
> accepted by the MS-NPS server, with the risk that the packets are
> dropped at the MS-NPS side. Does someone have an overview of what should
> be in the radius packets and what should not be in them?

Operator-Name. It's a standard attribute that MS doesn't understand properly. The solution is to (a) not proxy it, or (b) update the MS dictionaries.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
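The configuration the reply describes, written out as an added example (not from the original thread or the FreeRADIUS distribution): a proxy.conf realm that forwards domain.com users to the partner's NPS, a pre-proxy block that strips Operator-Name before proxying (option (a) above), and a post-proxy block in sites-available/default that adds the two Aruba attributes to Access-Accepts coming back from that realm. FreeRADIUS 3.x unlang syntax is assumed; the IP address, shared secret, VLAN id and role name are constructed placeholders.

```unlang
# --- raddb/proxy.conf (example; addresses and secret are placeholders) ---
home_server ms_nps {
	type   = auth
	ipaddr = 192.0.2.10          # constructed: the partner's Windows NPS
	port   = 1812
	secret = CHANGE_ME_shared_secret
}

home_server_pool ms_nps_pool {
	type        = fail-over
	home_server = ms_nps
}

realm domain.com {
	auth_pool = ms_nps_pool
	nostrip                      # keep the full user@domain.com in User-Name when proxying
}

# --- raddb/sites-available/default (only the two relevant sections shown) ---
pre-proxy {
	# Option (a) from the reply: do not forward Operator-Name, which NPS
	# does not understand; remove every instance from the outgoing packet.
	update proxy-request {
		&Operator-Name !* ANY
	}
}

post-proxy {
	# Attributes that should go back to the Aruba controller are added here,
	# not in proxy.conf. Limit it to Access-Accepts from the NPS realm so a
	# reject never carries a VLAN or role.
	if (&Realm == "domain.com" && &proxy-reply:Packet-Type == Access-Accept) {
		update reply {
			&Aruba-User-Vlan := 100              # constructed <vlanid>
			&Aruba-User-Role := "authenticated"  # constructed <authenticated-role>
		}
	}
}
```

Run `radiusd -X` and watch the pre-proxy and post-proxy output to confirm Operator-Name is gone from the proxied request and the Aruba attributes appear in the final reply.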