Remove with_ntdomain_hack in rlm_mschap?

Phil Mayers p.mayers at
Thu Oct 27 14:21:33 CEST 2011

On 27/10/11 08:15, Alan DeKok wrote:
> Arran Cudbard-Bell wrote:
>> Could we set it to default to 'yes' so it can be explicitly disabled, but is on by default?
>    Change the source code so that the default is "yes".
>    Delete the configuration from raddb/modules/mschap
>    People can still change it, but the default should work better.

That will work.

I'm a little cautious about the naming - "hack" implies it is somehow a 
bad thing to do, and I would prefer to see it named "strip_ntdomain" - 
but small changes are better than big I guess.

Interestingly (to me) I just pulled the .gz files for the -users mailing 
list archives for 2010 and 2011. In the whole archive, only twice does 
the error "should we have enabled with_ntdomain_hack?" appear; likewise 
only 4 times does an MSCHAP auth occur with "DOMAIN\user" as opposed to 
288 for just "user".

This implies to me very few people are ticking the "Use my windows 
credentials..." option under the PEAP/MSCHAP settings.

More information about the Freeradius-Devel mailing list