PEAP problem when using domain suffix

Phil Mayers p.mayers at
Fri Jun 6 13:36:25 CEST 2008

A.L.M.Buxey at wrote:
> hi,
> you need to remove the domain suffix but you cannot
> play with the User-Name attribute or the response will
> be wrong - use the 'stripped-user-name' attribute
> for the authenticate step - and ensure that if you
> are querying an LDAP or AD et cin that stage that DOMAIN
> being used is the correct domain - either overwrite
> the value or set it to NULL

The problem is that rlm_mschap always reads the "User-Name" attribute 
for generating the chal/resp i.e. when *not* using ntlm_auth.

If "with_ntdomain_hack" is enabled, rlm_mschap strips prefix "domain\" 
but not suffix formats.

Given that (in 2.0.3 at least) with_ntdomain_hack *only* controls the 
username string fed into the chal/resp code, it should really be on all 
the time, and be extended to handle suffix formats.

More information about the Freeradius-Users mailing list