I am having a strange problem, and was hoping for some expertise in this matter and I need to get this working very quickly since I am running out of time. I have freeradius configured to authenticate our users for a wired 802.1x environment. Authentication works succesfully if the supplicant (odyssey client) sends only the username and not domain\username. The problem is when I install the odyssey gina module to configure the supplicant to authenticate prior to windows login it passes the credentials as domain\username, whichs fails authentication. I did some searches and made the following changes: proxy.conf added: realm domain { type = radius authhost = LOCAL accthost = LOCAL } and uncommented the ntdomain section in radiusd.conf This did not work, so I tried another suggestion and changed the ntlm_auth string from: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=MEM --username=%{User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" to: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Now when I login I get the following error: This also occurs at the desktop level rlm_mschap: NT Domain delimeter found, should we have enabled with_ntdomain_hack? radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e' Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=RGraham --domain=MEM --challenge=71c3373eb458a75e --nt-response=c410b4f18e8527df26495cad16d20a09679b03969efa3d3e Exec-Program output: Logon failure (0xc000006d) Exec-Program-Wait: plaintext: Logon failure (0xc000006d) Exec-Program: returned: 1 rlm_mschap: External script failed. rlm_mschap: FAILED: MS-CHAP2-Response is incorrect modcall[authenticate]: module "mschap" returns reject for request 7 modcall: group Auth-Type returns reject for request 7 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. PEAP: Got tunneled reply RADIUS code 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Processing from tunneled session code 0xf8716a50 3 MS-CHAP-Error = "\007E=691 R=1" EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 PEAP: Tunneled authentication was rejected. rlm_eap_peap: FAILURE If I change the ntlm_auth back to the original string and authenticate at the desktop (not gina) it authenticates. So my question is: What do I need to do to configure Freeradius to strip the domain portion where EAP-PEAP is successful at both gina (login) and desktop? Any help would be greatly appreciated. Thanks Robert Graham