locked
EAP-PEAP-MSCHAPv2 Realm Stripping in Windows 2012 RRS feed

  • Question

  • In the NPS server Windows 2012 I have a regular expresion that change the user-name attribute from login@domain.es to login@subdomain.domain.es, the regular expression works fine, but finally the connection is rejected because continues using login@domain.es

    IAS_AUTH_FAILURE

    this works on windows 2003

    Wednesday, November 27, 2013 1:56 PM

All replies

  • Hi,

    Firstly, would you please tell us the role you set the NPS server as, a RADIUS server or a RADIUS proxy?

    Besides, I recommend you to check any related information in event log to see if the issue was really due to the change of user-name attribute.

    In addition, IAS works on windows sever 2003 based operate system, but you said the issue was occurred on Windows server 2012. If in these scenario, why IAS authentication failed? Maybe I misunderstood something, I would appreciate it if you can tell us more detailed information about your deployment.

    The link below may be helpful to you:

    IAS Troubleshooting

    http://technet.microsoft.com/en-us/library/cc775934(v=ws.10).aspx

    EAP-PEAP-MSCHAPv2 Realm Stripping

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/e73183d4-7b2f-48a7-9246-97ed711e8e8d/eappeapmschapv2-realm-stripping?forum=winserverNAP

    Best regards,

    Susie

    Thursday, November 28, 2013 3:29 AM
  • Hi Susie

    The role is a RADIUS server, I know the realm striping works with Radius proxy role

    I have read the link EAP-PEAP-MSCHAPv2 Realm Stripping 

    and confirm that "The official line from Microsoft is below and confirms that in NPS the realm stripping is only designed to be used when proxying requests from front to back. So this is by design and not classed as a bug. " (alphasnooper response)

    I want to know is this line continues in windows 2012, or is possible use realm stripping with the role of Radius server

    IAS authentication failed because it uses the original user-name, not the user-name obtained with realm stripping

    Thanks a lot
    Thursday, November 28, 2013 9:52 AM