Strip off the domain part from the User-Name

Thomas Wunder thomas.wunder at
Wed Mar 23 20:08:35 CET 2011

I'm currently trying to configure my Win7 clients to do wired 802.1X authentication using the credentials a user provides at the login screen. Wired 802.1X auth itself works fine but as soon as I have it use the logon credentials (using the "Automatically use my Windows logon name and password (and domain if any).") Windows sends User-Names like 'computername\\username'. That's normal so far I think. 
To get the rlm_ldap related stuff working I simply changed my filter and groupmembership_filter settings in modules/ldap to be "[...]uid=%{mschap:User-Name:-%{User-Name}}[...]" instead of "[...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...]" and that works well.

But when it comes to MSCHAP authentication I've got a problem:
I get errors like
"[mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2"
(...which sounds consequent) I've tried solve that problem by changing "with_ntdomain_hack = yes" (I know you recommend against that) without any luck:
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel)

Somewhere I've read that in such a case one should use the realms concept but I can't seem to get it working. There's an entry like
realm ntdomain {
        format = prefix
        delimiter = "\\"
in the modules/realm but what else do I need?

Best regards

More information about the Freeradius-Users mailing list