PEAP problem when using domain suffix

Graham Marsh graham at
Sun Jun 8 17:33:11 CEST 2008

----- Original Message ----- 
From: "Phil Mayers" <p.mayers at>
To: "FreeRadius users mailing list" <freeradius-users at>
Sent: Friday, June 06, 2008 8:17 PM
Subject: Re: PEAP problem when using domain suffix

> Phil Mayers wrote:
>> A.L.M.Buxey at wrote:
>>> hi,
>>> you need to remove the domain suffix but you cannot
>>> play with the User-Name attribute or the response will
>>> be wrong - use the 'stripped-user-name' attribute
>>> for the authenticate step - and ensure that if you
>>> are querying an LDAP or AD etc. in that stage that DOMAIN
>>> being used is the correct domain - either overwrite
>>> the value or set it to NULL
>> The problem is that rlm_mschap always reads the "User-Name" attribute for 
>> generating the chal/resp i.e. when *not* using ntlm_auth.
>> If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\" 
>> but not suffix formats.
>> Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the 
>> username string fed into the chal/resp code, it should really be on all 
>> the time, and be extended to handle suffix formats.
> I've written a small patch for 2.0.4 which fixes this:

That's amazing; thanks for the quick update; would you be so kind as to 
provide a very quick HowTo in order to get this guess is 
something like this:

- download the source of 2.0.4
- merge the patch (but I'm a bit vague on this point - unless you've merged 
it already)
- compile it (also a bit vague on updating an existing implementation and 
doing make install or whatever)
- test
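
Added example, not part of the original thread and not FreeRADIUS code: a sketch of why the username string fed into the MS-CHAPv2 challenge/response matters, using the ChallengeHash() definition from RFC 2759. The two strip helpers, the sample challenges and the assumption that the supplicant hashed the bare username are all hypothetical and constructed for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || auth || username)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_prefix_only(name: str) -> str:
    """Hypothetical model of prefix-only stripping: 'DOMAIN\\user' -> 'user'."""
    return name.split("\\", 1)[1] if "\\" in name else name


def strip_prefix_and_suffix(name: str) -> str:
    """Hypothetical model that also handles the suffix form: 'user@domain' -> 'user'."""
    return strip_prefix_only(name).split("@", 1)[0]


# Constructed 16-octet challenges; real ones are random per exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))


def server_matches(user_name_attr: str, client_hashed_name: str, strip) -> bool:
    """True when the server derives the same 8-octet challenge the client used.

    user_name_attr is what arrives in User-Name; client_hashed_name is the
    string the supplicant is assumed to have fed into ChallengeHash().
    """
    server = challenge_hash(PEER, AUTH, strip(user_name_attr))
    client = challenge_hash(PEER, AUTH, client_hashed_name)
    return server == client


if __name__ == "__main__":
    for attr in ("EXAMPLE\\alice", "alice@example.org"):
        for strip in (strip_prefix_only, strip_prefix_and_suffix):
            ok = server_matches(attr, "alice", strip)
            print(f"{attr!r:22} {strip.__name__:24} match={ok}")
```

Because the username is hashed into the challenge, any difference between the string the server uses and the string the client used yields a different challenge, and the NT-Response check then fails even though the password is correct.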

