Strip off the domain part from the User-Name

Michael Lecuyer mjl at
Wed Mar 23 21:30:04 CET 2011

The MSCHAPs include the given name when calculating the hashes. 
Stripping the domain will therefore not work. The client is using the 
domain\name in the hash and you're asking the server to use just the name.

On 3/23/2011 15:08 PM, Thomas Wunder wrote:
> Hi,
> I'm currently trying to configure my Win7 clients to do wired 802.1X authentication using the credentials a user provides at the login screen. Wired 802.1X auth itself works fine but as soon as I have it use the logon credentials (using the "Automatically use my Windows logon name and password (and domain if any).") Windows sends User-Names like 'computername\\username'. That's normal so far I think.
> To get the rlm_ldap related stuff working I simply changed my filter and groupmembership_filter settings in modules/ldap to be "[...]uid=%{mschap:User-Name:-%{User-Name}}[...]" instead of "[...]uid=%{%{Stripped-User-Name}:-%{User-Name}}[...]" and that works well.
> But when it comes to MSCHAP authentication I've got a problem:
> I get errors like
> "[mschap] ERROR: User-Name (testpc\tom1) is not the same as MS-CHAP Name (tom1) from EAP-MSCHAPv2"
> (...which sounds consequent) I've tried solve that problem by changing "with_ntdomain_hack = yes" (I know you recommend against that) without any luck:
> +- entering group authenticate {...}
> [eap] Identity does not match User-Name, setting from EAP Identity.
> [eap] Failed in handler
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect: [tom1] (from client swtswitch01 port 0 via TLS tunnel)
> Somewhere I've read that in such a case one should use the realms concept but I can't seem to get it working. There's an entry like
> realm ntdomain {
>          format = prefix
>          delimiter = "\\"
> }
> in the modules/realm but what else do I need?

More information about the Freeradius-Users mailing list