s.com" with the right Intel
domain.
...and it worked :)
The same applies for any other proxy server, not just NPS.
Thanks
Sagi
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3293350.html
Sent from the FreeRadius - Us
sbaror wrote:
> Are the MS CHAP patches available separately to apply on previous versions?
The "git" repository is publicly accessible. You can look at it, just
like anyone else can.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Are the MS CHAP patches available separately to apply on previous versions?
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3267668.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
sbaror wrote:
> There was one thing I think I neglected to mention: we use FR 1.1.7. Quite
> old. We cannot upgrade right now. I found info about some MS CHAP v2 related
> issue in the older versions of FR, but not the exact same issue I have. Does
> that ring a bell to you about known issues with
? Maybe there
are available patches instead of upgrading to 2.x?
Sagi
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3267181.html
Alan, if it is working for others it will probably be very easy for the
relevant expert to resolve our issue. Can we engage with someone (yourself
or someone else) for consulting?
Sagi
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP
sbaror wrote:
> Thank you guys for all the help. It still does not work, but I made some
> progress with the elimination testing.
> I cannot test PAP with my system. It supports TTLS-MS CHAP v2 only.
> I used a test client (RadEap test) and successfully authenticated using
> EAP-MS CHAP v2 with t
Sagi
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3236701.html
Hi,
> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
> 2) FR server authenticate the TLS part
> 3) FR proxies the MS CHAP Authentication to NPS
> 4) NPS performs the MS CHAP v2 auth.
yes, this is feasible
note this will break when clients start to check the end of the tunnel is th
sbaror wrote:
> In our design we don't use Samba because the server which performs auth with
> the AD is the NPS.
OK.
> Are you suggesting that the FR server needs to have
> Samba when doing the MS CHAP v2 proxy to NPS?
No.
> Our design:
> 1) Protocol is EAP-TTLS with inner MS CHAP v2
>
oxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3208933.html
sbaror wrote:
> Hi Alan
> The issue is that the MS CHAP v2 authentication fails. It succeeds when the
> 2nd Radius is FR and fails with MS NPS.
> Sniffer traces show that the dialog between the MS CHAP v2 FR and the DC is
> different than the one between the NPS and the DC.
Yes. NPS uses magic
Hi,
> The issue is that the MS CHAP v2 authentication fails. It succeeds when the
> 2nd Radius is FR and fails with MS NPS.
> Sniffer traces show that the dialog between the MS CHAP v2 FR and the DC is
> different than the one between the NPS and the DC.
I manage a system that involves several h
:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3208877.html
Hi,
> Did anyone ever manage to establish a radius proxy between FR and another
> Radius server, such as NPS or ACS?
yes - just dealt with them as remote RADIUS servers...they follow the basic
RADIUS RFCs fairly well - what's your issue?
alan
Did anyone ever manage to establish a radius proxy between FR and another
Radius server, such as NPS or ACS?
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3208535.html
SagiBarOr wrote:
> The connection is not refused. These logs are of a successful session.
Then why did you post them? You have a problem with rejected
sessions, so there is *no* reason to post logs from accepted sessions.
> I did not post logs of a refused connection because this is not a fre
>
> Alan DeKok.
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29296159.html
SagiBarOr wrote:
> Sure. Here is the picture again: we are doing EAP-TTLS authentication with a
> partial proxy. We call it "split authentication". One Freeradius server is
> doing the TLS phase and then proxies the MS CHAP v2 portion to a second Free
> Radius server.
> This works just fine.
> When
with little or no explanation.
>
> Alan DeKok.
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29296037.html
SagiBarOr wrote:
> Here is another pair of logs which may be more focused than the previous
> pair. It is of the LDAP portion only
Could you explain in *simple* terms what you want? You've been
posting large debug outputs with little or no explanation.
Alan DeKok.
>> -Original message-
>> From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org
>> [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On
>> behalf of SagiBarOr
>> Sent: 15 July 2010 09:46
>> To: freeradius-users@lists.freeradi
>
> -Original message-
> From: freeradius-users-bounces+jmd=kmd...@lists.freeradius.org
> [mailto:freeradius-users-bounces+jmd=kmd...@lists.freeradius.org] On behalf
> of SagiBarOr
> Sent: 15 July 2010 09:46
> To: freeradius-users@lists.freeradius.org
> What part of that suggestion is unclear?
>
> Alan DeKok.
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170554
SagiBarOr wrote:
> Thank you for the clarification Phil. I am not sure what "radius -x" means.
It's "radiusd -X", not "radius -x". And see "man radiusd" for what it
means.
Debugging this issue requires basic Unix sysadmin skills. Reading
"man" pages should be part of those skills.
> I
> po
SagiBarOr wrote:
> Files posted.
> The config files of the two FR servers and the sniffer traces of a successful
> authentication with FR + FR, vs a failed one with FR + NPS.
Why did you do that? You were told:
> Garber, Neal wrote:
>> Post debug output!
What part of that suggestion is uncle
behalf of
SagiBarOr
Sent: 15 July 2010 09:46
To: freeradius-users@lists.freeradius.org
Subject: Re: FR proxy to ACS and NPS with MS CHAP v2
Thank you for the clarification Phil. I am not sure what "radius -x" means. I
posted the two output files I have. Are these the ones? If not, pls
ldap_mschapv2.log ldap_mschapv2.log
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29170161.html
On 07/14/2010 11:17 PM, SagiBarOr wrote:
Files posted.
No.
Post the output of "radiusd -X" to the list.
We don't need anything else; just that.
http://old.nabble.com/file/p29167377/CHAPv2%2BAuthentication%2Bissue.zip
CHAPv2+Authentication+issue.zip
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29167
> will most appreciate your expert opinion.
Post debug output!
. Also the verbose error log shows
the user account is found.
Looks like something is wrong with the pwd hash.
will most appreciate your expert opinion.
Thanks
Sagi
--
View this message in context:
http://old.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp29132664p29132664.html