
5 Messages

Thu, Feb 7, 2019 2:01 PM

VS-z Radius proxy EAP not forwarding request to radius server if username contains @domain.domain

Hi,

I have been debugging a certificate issue on Windows 7 against an NPS RADIUS back end (using the controller as proxy).

I have noticed that when the user uses [email protected], the EAP negotiation is dropped with an Explicit EAP error and no connection is detected on the RADIUS server.

If I remove the @domain part, the connection goes through successfully.

Is there something I am missing, or is this a bug?

Responses

Official Rep

97 Messages

2 years ago

On the vSZ console (5.1), go to Diagnostics > RADIUS. You will find the Proxy page. Do you see the Reject counter increase when you use a user ID with the full domain name?

Official Rep

97 Messages

2 years ago

It is also worth checking the 5.1 Administrator Guide Page 297, for the Authentication Support Matrix.

5 Messages

2 years ago

No, I do not. Still at 875 rejects.

5 Messages

2 years ago

Yeah, I am using 802.1x with NPS RADIUS through the auth proxy, and that is supported.

It works fine from Win7 when I change the username sent with the client certificate.
On Win10 that does not work at all.
No requests are hitting the RADIUS server at all.

5 Messages

2 years ago

I did notice a couple of things, though, through the RADIUS log.

Not found @' in User-Name. Could not extract Realm
Failed to extract realm from User-Name: (DOMAIN\user.name)
Not a Permanent-Id Authentication Method
Realm can not be found in PRoxy Mapping table entry


So I turned on debug and the following is logged:
Autz profile is not enabled
Realm(domain.dom), profile(263638f2-2024-11e9-936e-000000095780)
Realm is default (DEFAULT263638f2-2024-11e9-936e-000000095780)
Rejecting the AUTH request for username ([email protected]) as Auth Service is NA 

So I don't know how I am supposed to fix that. Seems like it's checking for an authservice in the domain, I guess, and ignoring the RADIUS options for the WLAN.

5 Messages

2 years ago

Never mind, figured it out. Had to go into Services and Profiles -> Authentication,
Realm Based Proxy tab, and add the domain name to the realm-based authentication service.

Thanks for pointing me to the logs.
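
The behaviour described in this thread, as an added example that is not part of the original posts and not vSZ code: a simplified model of realm-based proxy routing in which a realm with no authentication service is rejected at the proxy. The `DEFAULT` key, the `nps-radius` service name, the `alice` usernames and the rule that a realm-less User-Name falls back to the WLAN's own service are assumptions made for illustration.

```python
"""Simplified model of realm-based RADIUS proxy routing (not vendor code)."""
from typing import Dict, Optional, Tuple

DEFAULT = "DEFAULT"  # assumed key for the catch-all realm entry


def extract_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split User-Name into (user, realm); realm is None without user@realm."""
    user, sep, realm = user_name.rpartition("@")
    if not sep or not user or not realm:
        # Covers DOMAIN\user and bare names: no '@', so no realm to extract.
        return user_name, None
    return user, realm.lower()


def route(user_name: str,
          realm_table: Dict[str, Optional[str]],
          wlan_service: str) -> Tuple[str, str]:
    """Return ("forward", service) or ("reject", realm) for one request.

    realm_table maps realm -> auth service; None models "Auth Service is NA".
    wlan_service is used when the User-Name carries no realm (assumption).
    """
    _, realm = extract_realm(user_name)
    if realm is None:
        return "forward", wlan_service
    service = realm_table.get(realm, realm_table.get(DEFAULT))
    if service is None:
        return "reject", realm
    return "forward", service


def demo() -> Dict[str, Tuple[str, str]]:
    # Constructed sample data: usernames and service name are hypothetical.
    before = {DEFAULT: None}                              # realm not mapped
    after = {DEFAULT: None, "domain.dom": "nps-radius"}   # realm added
    return {
        "upn_before": route("alice@domain.dom", before, "nps-radius"),
        "upn_after": route("alice@domain.dom", after, "nps-radius"),
        "netbios": route("DOMAIN\\alice", before, "nps-radius"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

In this model the reject is decided at the proxy, so nothing is forwarded to the back-end server, which is consistent with the RADIUS server seeing no requests as described above.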

Official Rep

97 Messages

2 years ago

Glad it's sorted.  You are most welcome.