Trying to strip the Windows Domain name from a login

Alan DeKok aland at
Sat Jan 22 08:56:16 CET 2011

Brett Littrell wrote:
>     I am trying to strip the domain name from a userid in the most
> efficient way possible, I am using version 2.1.1.

  See the "realms" module, and the "realm" definition in raddb/proxy.conf.

>      I am using MSChapV2 

  Then stripping the realm isn't a good idea.  The User-Name is used as
part of the MS-CHAPv2 calculations, so changing it will make the
authentication fail.

>   I then found another reference to strip the domain from the LDAP
> module as shown below:
>       filter = "(cn=%{mschap:User-Name:-%{User-Name}}

  This is wrong.  You're not closing the opening bracket:

	filter = "(cn=%{mschap:User-Name:-%{User-Name}})"

> and it seems to pass the correct username to
> the LDAP server it looks like there is some other place I need to strip
> the domain besides the ldap lookup, that or the replies are using the
> stripped name and it is failing that way as well.  Either way it still
> is not working.  If I un-comment the stripped-user-name and use a
> supplicant that strips the domain prior to sending it, it does work so
> Radius is working, just now with standard windows supplicant on XP.

  If you're using EAP, you *really* don't want to strip the User-Name.
It will make EAP fail.

>     An yes I am pretty new to freeradius.

  What you want is to change the *ldap* lookup so that it uses only the
name portion of the User-Name.  *Don't* edit the User-Name.

  And move the LDAP lookup to the "inner-tunnel" configuration.  That's
what it's for.  Don't do LDAP lookups in raddb/sites-available/default

  Alan DeKok.

More information about the Freeradius-Users mailing list