Remove with_ntdomain_hack in rlm_mschap?

Phil Mayers p.mayers at
Wed Oct 26 22:23:41 CEST 2011

Does this config option make any sense? Shouldn't it always be on?

The only thing it controls is the username to feed into the MS-CHAP 
challenge generation, and AFAICT from RFC 2759, we should *always* 
ignore DOM\ for that. Certainly windows does.

I found this out today - if you have "with_ntdomain_hack = no", ticking 
the "Use my windows credentials" box for wired/wireless 802.1x login 
doesn't work with a default FR config.

Perhaps we should remove it for 3.x?

More information about the Freeradius-Devel mailing list