PEAP/MSCHAPv2 / Freeradius / AD

James J J Hooper jjj.hooper at
Thu Oct 13 23:43:33 CEST 2011

On 13/10/2011 21:35, James J J Hooper wrote:
> On 13/10/2011 21:16, Kevin Chan wrote:
>> Hi all,
>> Hopefully I got to the right group of people.
>> We are trying to use Freeradius to do PEAP/MSCHAPv2
>> authentication against Active Directory (2003). Our realm is
>>, but since Eduroam doesn't allow subdomain, end user has
>> to use bob at instead bob at as username.
> Presumably you are in the US? ... It's a shame that US eduroam seems to
> forbid subdomains for its own institutions (lots of organisations doing
> eduroam in Europe use subdomain realms).

I re-read ...

It says that *you* shouldn't forward subdomains of your own realm to the 
national proxies, which would be filtered. This indeed makes sense for 
loop protection.

...and it implies "only usernames of the form user at" should 
be accepted, but it doesn't actually state that you can't use subdomains.

I suppose it depends on how the "routing" on the US level eduroam proxies 
is set up:
# uni.edu itself and any subdomain of it
if (Realm =~ /^(.+\.)?uni\.edu$/) { }
# uni.edu only
if (Realm =~ /^uni\.edu$/) { }


James J J Hooper
Senior Network Specialist, University of Bristol
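
Added example, not part of the original post: a Python model of the two proxy-side realm matches discussed above (subdomain-tolerant versus exact) and of the institution-side filter that keeps unhandled subdomains from being forwarded upstream and routed straight back. The function names, the return labels and the sample identities are assumptions; uni.edu is the same placeholder realm the post uses.

```python
import re

# Two ways a national proxy could match the placeholder realm uni.edu.
# Both are anchored, so look-alikes such as "notuni.edu" never match.
WITH_SUBDOMAINS = re.compile(r"(.+\.)?uni\.edu", re.IGNORECASE)
EXACT_ONLY = re.compile(r"uni\.edu", re.IGNORECASE)


def realm_of(user_name):
    """Return the lower-cased realm of an outer identity, or None."""
    local, sep, realm = user_name.rpartition("@")
    if not sep or not local or not realm:
        return None
    return realm.lower()


def route(user_name, pattern):
    """What a proxy using `pattern` does with this User-Name."""
    realm = realm_of(user_name)
    if realm is None:
        return "reject"              # no realm, nothing to route on
    if pattern.fullmatch(realm):     # fullmatch: whole realm must match
        return "to-institution"
    return "other"                   # left to the proxy's other rules


def institution_action(user_name, local_realms, guard=True):
    """What the institution's own server does with this User-Name."""
    realm = realm_of(user_name)
    if realm is None:
        return "reject"
    if realm in local_realms:
        return "authenticate"
    # Loop protection: a realm inside our own namespace that we do not
    # handle locally is never sent to the national proxies.
    if guard and WITH_SUBDOMAINS.fullmatch(realm):
        return "reject"
    return "forward"


def would_loop(user_name, local_realms, proxy_pattern, guard=True):
    """True if the request goes upstream and is routed straight back."""
    return (institution_action(user_name, local_realms, guard) == "forward"
            and route(user_name, proxy_pattern) == "to-institution")
```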
