Trying to strip the Windows Domain name from a login

Brett Littrell Blittrell at
Mon Jan 24 22:47:45 CET 2011

Hi Alan,
    Thanks for info.  Next question is "what??"  HeHe.   I started looking at the files you suggested and I am confused.  
    First you mention looking into the realm information, did that, it is looking like that may not be too hard to do, if I am using the FR server to access the LDAP server then I just need to set a realm of ntdomain and auth=LOCAL, correct?  Then you go on to say strip the domain at the LDAP lookup, well if I do it there wouldn't that fix the problem regardless of changing the realm?  You go on to explain that I should do the LDAP lookup in the inner-tunnel config, I have no problem with this, it makes sense, the problem I have is how do you specify the inner tunnel in the configuration?
   Remember, I am new to FreeRadius, been using Cisco ACS for a few years now so I know about Radius in general, just not how to configure FreeRadius and docs are a bit hard to come by.  If you can specify the files I should look at to configure the inner tunnel authentication and where to specify stripping the domain name pre-ldap authentication that would help a lot.  I was not sure if I should attempt stripping the domain in the realm portion or right before the ldap auth.
Thanks again, I will continue and try to figure out where to do this until I hear back.
Brett Littrell
Network Manager

>>> On Friday, January 21, 2011 at 11:56 PM, in message <4D3A8DA0.7050702 at>, Alan DeKok <aland at> wrote:

Brett Littrell wrote:
>     I am trying to strip the domain name from a userid in the most
> efficient way possible, I am using version 2.1.1.

  See the "realms" module, and the "realm" definition in raddb/proxy.conf.

>      I am using MSChapV2 

  Then stripping the realm isn't a good idea.  The User-Name is used as
part of the MS-CHAPv2 calculations, so changing it will make the
authentication fail.

>   I then found another reference to strip the domain from the LDAP
> module as shown below:
>       filter = "(cn=%{mschap:User-Name:-%{User-Name}}

  This is wrong.  You're not closing the opening bracket:

filter = "(cn=%{mschap:User-Name:-%{User-Name}})"

> and it seems to pass the correct username to
> the LDAP server it looks like there is some other place I need to strip
> the domain besides the ldap lookup, that or the replies are using the
> stripped name and it is failing that way as well.  Either way it still
> is not working.  If I un-comment the stripped-user-name and use a
> supplicant that strips the domain prior to sending it, it does work so
> Radius is working, just now with standard windows supplicant on XP.

  If you're using EAP, you *really* don't want to strip the User-Name.
It will make EAP fail.

>     And yes I am pretty new to freeradius.

  What you want is to change the *ldap* lookup so that it uses only the
name portion of the User-Name.  *Don't* edit the User-Name.

  And move the LDAP lookup to the "inner-tunnel" configuration.  That's
what it's for.  Don't do LDAP lookups in raddb/sites-available/default.

  Alan DeKok.
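
Added example (not part of the original thread, and not FreeRADIUS code): a Python model of the advice above, deriving the LDAP lookup name from the account part of the login while leaving User-Name exactly as received, so MS-CHAPv2/EAP still see the original value. The function names (`split_login`, `ldap_escape`, `build_lookup`), the `cn` default taken from the filter quoted in the thread, and the sample logins are assumptions made for illustration; the filter value is escaped per RFC 4515 before it is placed in the filter.

```python
# Constructed model of "strip the domain for the LDAP lookup only".
# Nothing here is FreeRADIUS code; all names are hypothetical.

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_login(user_name):
    """Return (domain, account) for DOMAIN\\user, user@realm or a bare name."""
    if "\\" in user_name:
        domain, account = user_name.split("\\", 1)
        return domain, account
    if "@" in user_name:
        account, domain = user_name.rsplit("@", 1)
        return domain, account
    return None, user_name


def ldap_escape(value):
    """Escape filter metacharacters so a login cannot alter the filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_lookup(request, attribute="cn"):
    """Build the LDAP filter from the account part; the request is not modified."""
    _, account = split_login(request["User-Name"])
    if not account:
        raise ValueError("empty account name in User-Name")
    return "(%s=%s)" % (attribute, ldap_escape(account))


if __name__ == "__main__":
    # Constructed sample logins, as a Windows supplicant or a user might send them.
    for name in ("CORP\\brett", "brett@example.org", "brett", "CORP\\br*tt)"):
        request = {"User-Name": name}
        print("%-20r -> %s (User-Name still %r)"
              % (name, build_lookup(request), request["User-Name"]))
```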

More information about the Freeradius-Users mailing list