VS-z Radius proxy EAP not forwarding request to radius server if username contains @domain.domain

  • Question
  • Updated 2 months ago
Hi,

I have been debugging a certificate issue on Windows 7 against NPS Radius back end (using controller as proxy).

I have noticed that when the user uses [email protected], the EAP negotiation is dropped with Explicit EAP error and no connection is detected on the Radius server.

If I remove the @domain part, the connection goes through successfully.

Is there something I am missing or is this a bug?

Kris

  • 5 Posts
  • 0 Reply Likes

Posted 2 months ago


Tony Heung, Official Rep

  • 11 Posts
  • 3 Reply Likes
On vSZ console (5.1), go to Diagnostics > RADIUS. You will find the Proxy page. Do you see the Reject counter increase when you use user id with full domain name?

Tony Heung, Official Rep

It is also worth checking the 5.1 Administrator Guide Page 297, for the Authentication Support Matrix.

Kris

No, I do not. Still at 875 rejects.

Kris

Yeah, I am using 802.1x with NPS Radius through auth proxy and that is supported.

It works fine from Win7 when I change the username sent with the client certificate.
On Win10 that does not work at all.
No requests are hitting the Radius server at all.


Kris

I did notice a couple of things, though, through the radius log.

Not found @' in User-Name. Could not extract Realm
Failed to extract realm from User-Name: (DOMAIN\user.name)
Not a Permanent-Id Authentication Method
Realm can not be found in PRoxy Mapping table entry


So I turned on debug and the following is logged:
Autz profile is not enabled
Realm(domain.dom), profile(263638f2-2024-11e9-936e-000000095780)
Realm is default (DEFAULT263638f2-2024-11e9-936e-000000095780)
Rejecting the AUTH request for username ([email protected]) as Auth Service is NA 

So I don't know how I am supposed to fix that. Seems like it's checking for an authservice in the domain, I guess, and ignoring the radius options for the WLAN.


Kris

Never mind, figured it out. Had to go into services and profiles -> authentication, Realm based proxy tab, and add the domain name to the Realm based authentication service.

Thanks for pointing me to the logs.
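
A simplified model of the realm lookup that the debug log above describes, as an added example that is not part of any post in this thread and is not vSZ code. The function names, the service name `nps-radius`, the sample identities and the rule that a User-Name without a realm goes to the WLAN's own service are assumptions made for illustration.

```python
# Simplified model of realm-based RADIUS proxy routing (added example, not vSZ code).
from typing import NamedTuple, Optional

class Decision(NamedTuple):
    realm: Optional[str]    # realm extracted from User-Name, if any
    action: str             # "forward" or "reject"
    service: Optional[str]  # auth service chosen; None models "Auth Service is NA"

def extract_realm(user_name: str) -> Optional[str]:
    """Return the text after the last '@', lower-cased, or None if there is none.

    DOMAIN\\user.name contains no '@', so no realm is extracted from it.
    """
    _, sep, realm = user_name.rpartition("@")
    realm = realm.strip().lower()
    return realm if sep and realm else None

def route(user_name, realm_table, default_service=None, no_realm_service=None):
    """Pick the auth service for one request; a service of None means reject."""
    realm = extract_realm(user_name)
    if realm is None:
        service = no_realm_service  # assumption: bare names use the WLAN's service
    else:
        service = realm_table.get(realm, default_service)  # unmatched -> default entry
    return Decision(realm, "forward" if service else "reject", service)

def unmapped_realms(user_names, realm_table):
    """Realms seen in User-Name values that have no explicit table entry."""
    seen = {extract_realm(u) for u in user_names}
    return sorted(r for r in seen if r and r not in realm_table)

# Constructed sample identities; only the realm domain.dom comes from the thread's log.
SAMPLE_USERS = ["user.name@domain.dom", "DOMAIN\\user.name", "user.name"]
NPS = "nps-radius"  # hypothetical auth service name

if __name__ == "__main__":
    for table in ({}, {"domain.dom": NPS}):  # before and after adding the realm
        print("realm table:", table, "unmapped:", unmapped_realms(SAMPLE_USERS, table))
        for user in SAMPLE_USERS:
            print("  ", user, "->", route(user, table, no_realm_service=NPS))
```

Running `unmapped_realms` over the outer identities seen in the proxy log gives the list of realms that still need an entry on the realm-based proxy tab.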

Tony Heung, Official Rep

Glad it's sorted. You are most welcome.