Hi
I have FreeRadius 2.0 server with AD as user store. Authenticating using EAP-PEAP-MSCHAP2.Local realm is defined in proxy.conf. Authentications works fine without realm added to the username. As soon as I authenticate using username with realm, i.e. username@realm.com, authentication fails. The reason for failure is clear, it fails because radius server mschap module creates challenge hash with username which includes realm.
I need the radius mschap module to create hash from stripped username, i.e. which doesn't include the realm. Any ideas?
Please see radius debug log below:
rad_recv: Access-Request packet from host 192.168.1.254 port 55769, id=138, length=376
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "user5@igor.local"
    State = 0x3ce95d9d3fed44ec4019661d07f2a324
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    EAP-Message = 0x020400d01980000000c61603010086100000820080791cc56766422be7f48414f5942dda519afd607aea2fae890f9236e8af61cf71c66f4f80a5d427672d7f949a3fa163b959f0f1957f382f533a3f9c23d576dafcb5d36ca04dc7d0002203513a23b9394b75cf98f241a6c585583593f6622829a39a736160f0f83b567fa7bbc253558191630071d1889827f6118f366040f69d8814030100010116030100307173492977a9f772a302c0ecb7d2612700f9433dce8e08ff0e74b84dbc62de5fe5a95921f364f8c68dd38484550022ae
    Message-Authenticator = 0x9a61469cb26792ebd980f294bd9a64c9
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 208
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 198
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[peap]     TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[peap] <<< TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[peap]     TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished  
[peap]     TLS_accept: SSLv3 write finished A
[peap]     TLS_accept: SSLv3 flush data
[peap]     (other): SSL negotiation finished successfully
SSL Connection Established 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 138 to 192.168.1.254 port 55769
    EAP-Message = 0x0105004119001403010001011603010030b0496fb6db5990b1f6a9cf2425dd8587e12b8f4e394f4bd8ccd2c077fe9ba54077bc170e9af421dda6e1deba0235ae8b
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3ce95d9d38ec44ec4019661d07f2a324
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 56590, id=139, length=174
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "user5@igor.local"
    State = 0x3ce95d9d38ec44ec4019661d07f2a324
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    EAP-Message = 0x020500061900
    Message-Authenticator = 0xd034f4a268e3ac260f43575b92006929
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3 
[peap] eaptls_process returned 3 
[peap] EAPTLS_SUCCESS
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state TUNNEL ESTABLISHED
++[eap] returns handled
Sending Access-Challenge of id 139 to 192.168.1.254 port 56590
    EAP-Message = 0x0106002b190017030100205c4bae935a0f79fa0d08a9ce246433654e7edd61806e1f065cc4bdc32958e161
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3ce95d9d39ef44ec4019661d07f2a324
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 53256, id=140, length=264
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "user5@igor.local"
    State = 0x3ce95d9d39ef44ec4019661d07f2a324
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    EAP-Message = 0x02060060190017030100209cc7c674b7a342e6bec99adea0f61331d5f99b0f6a5950927de5ae55a0bcbcbd1703010030a3f8d19a2da43ad4bee38bdadeeb8049f2ccd3b6452763ed52490a8ff701f7dddeb0d19ec99dc82884df40d0c650c45c
    Message-Authenticator = 0x4c2f97f2d3325123f0616a879cb73a5f
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 6 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state WAITING FOR INNER IDENTITY
[peap] Identity - user5@igor.local
[peap] Got inner identity 'user5@igor.local'
[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
    EAP-Message = 0x020600150175736572354069676f722e6c6f63616c
server  {
[peap] Setting User-Name to user5@igor.local
Sending tunneled request
    EAP-Message = 0x020600150175736572354069676f722e6c6f63616c
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "user5@igor.local"
    Service-Type = Framed-User
    Framed-MTU = 1400
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
[eap] EAP packet type response id 6 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[mschap] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x6d2798eb6d20828b51434e222e2c4892
[peap] Got tunneled reply RADIUS code 11
    EAP-Message = 0x0107002a1a010700251028ee58cd731c7f9fdd4de2f82cc1bf8e75736572354069676f722e6c6f63616c
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x6d2798eb6d20828b51434e222e2c4892
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 140 to 192.168.1.254 port 53256
    EAP-Message = 0x0107004b190017030100400140898f0ff025ef80db345ef75a51b4a94d6b114a1d16ef08e1fc4c2d9de5d9895bd09efcdbc614e3886fa835507c92e6b34d2d657247692685e84c0e1f540f
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3ce95d9d3aee44ec4019661d07f2a324
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 47603, id=141, length=312
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "user5@igor.local"
    State = 0x3ce95d9d3aee44ec4019661d07f2a324
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    EAP-Message = 0x020700901900170301002045693fe624f18512a0f9c83b0b896669c3a55066d0d54494bdee159a241df7cf170301006081573695ccc8dd51297f737d1ab47a212c08801a46c831418959b106028089aac0d7cec2f5aa0740909f7ae40d4274bd4534fa24cc41b9c775c3202ad337b19d7b7062c980579e7d31ca54439954aedcb279acd9cc65df2c1fdb85039fb26142
    Message-Authenticator = 0x97fd332a0965353e5459137c179a2c62
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 7 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
    EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c
server  {
[peap] Setting User-Name to user5@igor.local
Sending tunneled request
    EAP-Message = 0x0207004b1a02070046317c71750309db8428b4ec154f7e6c5b840000000000000000a333f4999fd9698891d2fbc675892007431387796abfa13b0075736572354069676f722e6c6f63616c
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "user5@igor.local"
    State = 0x6d2798eb6d20828b51434e222e2c4892
    Service-Type = Framed-User
    Framed-MTU = 1400
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
[eap] EAP packet type response id 7 length 75
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[mschap] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: user5@igor.local
[mschap] Told to do MS-CHAPv2 for user5@igor.local with NT-Password
[mschap]    expand: %{Stripped-User-Name} -> 
[mschap]    ... expanding second conditional
[mschap]    expand: %{User-Name} -> user5@igor.local
[mschap]    expand: %{%{User-Name}:-None} -> user5@igor.local
[mschap]    expand: --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} -> --username=user5@igor.local
[mschap] Creating challenge hash with username: user5@igor.local
[mschap]    expand: %{mschap:Challenge} -> 13479bee1886303a
[mschap]    expand: --challenge=%{%{mschap:Challenge}:-00} -> --challenge=13479bee1886303a
[mschap]    expand: %{mschap:NT-Response} -> a333f4999fd9698891d2fbc675892007431387796abfa13b
[mschap]    expand: --nt-response=%{%{mschap:NT-Response}:-00} -> --nt-response=a333f4999fd9698891d2fbc675892007431387796abfa13b
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Exec-Program output: Logon failure (0xc000006d) 
Exec-Program-Wait: plaintext: Logon failure (0xc000006d) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
} # server inner-tunnel
[peap] Got tunneled reply code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
    MS-CHAP-Error = "\007E=691 R=1"
    EAP-Message = 0x04070004
    Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 141 to 192.168.1.254 port 47603
    EAP-Message = 0x0108002b19001703010020849be569aa66a8021ded29e15410bf74c59467c7db34f5995d1b6f91ebe9f22f
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x3ce95d9d3be144ec4019661d07f2a324
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 49384, id=142, length=248
    Service-Type = Framed-User
    Framed-MTU = 1400
    User-Name = "user5@igor.local"
    State = 0x3ce95d9d3be144ec4019661d07f2a324
    NAS-Port-Id = "wlan1"
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "5C-3C-27-29-AE-0B"
    Called-Station-Id = "D4-CA-6D-A6-53-7B:eduroam test"
    EAP-Message = 0x02080050190017030100200ebc17e9bd20cc45f1c1772575868316464689e08bba6f4d934e5e1e4be3b040170301002078626c70503034ac41b926af5220e841c57e097b8fe870a8a49fdf71c2e749f8
    Message-Authenticator = 0x658f4273b0c1858d67761528c08eac05
    NAS-Identifier = "MikroTik"
    NAS-IP-Address = 192.168.1.254
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]  expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.1.254/auth-detail-20140313
[auth_log]  expand: %t -> Thu Mar 13 16:17:17 2014
++[auth_log] returns ok
++[mschap] returns noop
[suffix] Looking up realm "igor.local" for User-Name = "user5@igor.local"
[suffix] Found realm "igor.local"
[suffix] Adding Stripped-User-Name = "user5"
[suffix] Adding Realm = "igor.local"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 8 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7 
[peap] Done initial handshake
[peap] eaptls_process returned 7 
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user5@igor.local
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 8 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 8
Sending Access-Reject of id 142 to 192.168.1.254 port 49384
    EAP-Message = 0x04080004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 0 ID 134 with timestamp +3480
Cleaning up request 1 ID 135 with timestamp +3480
Cleaning up request 2 ID 136 with timestamp +3480
Cleaning up request 3 ID 137 with timestamp +3480
Cleaning up request 4 ID 138 with timestamp +3480
Cleaning up request 5 ID 139 with timestamp +3480
Cleaning up request 6 ID 140 with timestamp +3480
Cleaning up request 7 ID 141 with timestamp +3480
Waking up in 1.0 seconds.
Cleaning up request 8 ID 142 with timestamp +3480
Ready to process requests.