Strip off the domain part from the User-Name
Phil Mayers
p.mayers at imperial.ac.uk
Thu Mar 24 09:35:23 CET 2011
On 03/23/2011 08:30 PM, Michael Lecuyer wrote:
> The MSCHAPs include the given name when calculating the hashes.
> Stripping the domain will therefore not work. The client is using the
> domain\name in the hash and you're asking the server to use just the name.
Actually that's not true; the mschap "response" field is calculated with
the bare username, excluding the domain. You *should* strip the domain
when you pass it into ntlm_auth; but not by modifying the original
username, as that makes EAP complain.
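
Added example, not part of the original message: RFC 2759 derives the MS-CHAPv2 challenge as the first 8 octets of SHA1(PeerChallenge || AuthenticatorChallenge || UserName), so the server must hash the same name the client did, while the received User-Name stays unmodified. The challenge bytes, the `EXAMPLE\alice` login and the `ntlm_auth_username` key are constructed for illustration, and the client is assumed to hash the bare name as the reply states.

```python
import hashlib

# Constructed sample values (not captured traffic).
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
LOGIN = "EXAMPLE\\alice"


def challenge_hash(peer: bytes, auth: bytes, username: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || auth || username)."""
    if len(peer) != 16 or len(auth) != 16:
        raise ValueError("challenges must be 16 octets each")
    return hashlib.sha1(peer + auth + username.encode("utf-8")).digest()[:8]


def bare_username(user_name: str) -> str:
    """Drop a leading DOMAIN\\ prefix; names without one pass through."""
    return user_name.rsplit("\\", 1)[-1]


def build_request(user_name: str) -> dict:
    """Keep User-Name as received and carry the stripped copy separately."""
    return {
        "User-Name": user_name,                          # untouched
        "ntlm_auth_username": bare_username(user_name),  # hypothetical key
    }


def demo() -> tuple:
    # Assumption from the reply: the client hashes the bare name.
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, bare_username(LOGIN))
    req = build_request(LOGIN)
    with_stripped = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, req["ntlm_auth_username"])
    with_full = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, req["User-Name"])
    return (with_stripped == client, with_full == client)


if __name__ == "__main__":
    print(demo())
```
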