[RADIATOR] 'No logon servers' access-reject problem

lukas.bielinski at zv.fraunhofer.de
Mon Apr 1 12:34:43 UTC 2019

Dear Community,

We are facing a problem in our EAP-PEAP (MS-CHAPv2) environment with wrong 'access-reject' messages. The infrastructure is as follows: RADIUS requests are proxied by a radsecproxy to our two radiator servers. The radiator servers are the final authentication servers and are connected to a Windows AD as the user database. The clients connect to the network with username+pw, which works fine.
A problem occurs when the network connection between one radiator and the Domain Controller is not working, hence no user database is available for that radiator.
In the logs we see the following messages:

Sat Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'USER': No logon servers
Sat Mar 21 11:30:37 2019: INFO: Accounting: User: USER AuthBy; authby-withoutrealm, OriginalUserName: USER, NAS-IP-Address:, NAS-Identifier: eduroam, NAS-Port: 0, Calling-Station-Id: AABBCC112233, Form-Station-Id: 11:22:33:AA:BB:CC, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure

This message is sent as an 'access-reject' to the radsecproxy and client, which is a legitimate RADIUS message for all network devices, even though this should not happen. At this point, the radsecproxy sees no reason to fail over upcoming authentication requests to the second radiator, which works fine with the DCs.

Is there any possibility not to send an access-reject, and let the radsecproxy time out this radiator?

Thanks for your help.

Lukas Bielinski

Lukas Bielinski
Competence Center LAN (CC-LAN)
Fraunhofer-Gesellschaft e.V.
Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
Tel +49 6151 155-349
lukas.bielinski at zv.fraunhofer.de   |  www.fraunhofer.de
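
Added example, not part of the original post and not Radiator or radsecproxy code: a log check that separates rejects caused by an unreachable Domain Controller from genuine credential failures, so the outage can be alerted on and kept out of failed-login statistics. The sample lines are constructed on the pattern of the two lines quoted above; the 5-second correlation window and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the two log lines quoted in the post.
SAMPLE_LOG = """\
Thu Mar 21 11:30:37 2019: WARNING: NTLM Could not authenticate user 'alice': No logon servers
Thu Mar 21 11:30:37 2019: INFO: Accounting: User: alice AuthBy; authby-withoutrealm, NAS-Identifier: eduroam, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
Thu Mar 21 11:31:02 2019: INFO: Accounting: User: bob AuthBy; authby-withoutrealm, NAS-Identifier: eduroam, Result: 1, Result String: EAP MSCHAP-V2 Authentication failure
"""

# Weekday is skipped; timestamp, level and message body are captured.
LINE = re.compile(r"^\w{3} (\w{3} +\d+ [\d:]{8} \d{4}): (\w+): (.*)$")
NO_DC = re.compile(r"NTLM Could not authenticate user '([^']*)': No logon servers")
# Assumption: a line carrying this result string corresponds to an Access-Reject.
REJECT = re.compile(r"User: (\S+) AuthBy.*Result String: .*Authentication failure")

def classify_rejects(log_text, window=timedelta(seconds=5)):
    """Return (time, user, cause) for each reject found in the log text."""
    last_no_dc = {}  # user -> time of the latest "No logon servers" warning
    results = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        body = m.group(3)
        warn = NO_DC.search(body)
        if warn:
            last_no_dc[warn.group(1)] = when
            continue
        rej = REJECT.search(body)
        if rej:
            user = rej.group(1)
            seen = last_no_dc.get(user)
            # A reject right after the NTLM warning for the same user is an outage symptom.
            outage = seen is not None and timedelta(0) <= when - seen <= window
            results.append((when, user, "backend_unreachable" if outage else "credentials"))
    return results

def backend_down(results, threshold=1):
    """True when at least `threshold` rejects were caused by the unreachable backend."""
    return sum(1 for _, _, cause in results if cause == "backend_unreachable") >= threshold

if __name__ == "__main__":
    for when, user, cause in classify_rejects(SAMPLE_LOG):
        print(when.isoformat(), user, cause)
    print("backend down:", backend_down(classify_rejects(SAMPLE_LOG)))
```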
