Strip off the domain part from the User-Name

Nolan King nking at
Fri Mar 25 17:35:17 CET 2011

freeradius 2.1.8:
My environment uses the ntlm_auth and ldap modules.
In the mschap module, I have a line like:
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-re$

also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

No edits to default or inner-tunnel (other than to uncomment the ntlm_auth and mschap lines).

I use this method to auth users connecting to wireless APs with XP, iOS, Linux, and Win7 machines. I want users to be forced to enter their password to connect, so the clients are configured not to use the domain\username, just username and pw. Set up this way, a client sending the username in domain\username form will be rejected. I am not sure this is "right", but it allows me to use mschap auth with several different types of clients, and control access with an LDAP group without worrying about the domain\user nonsense. Of course, I only have a single domain, which simplifies things.


>>> On 3/25/2011 at 7:41 AM, in message
<201103251541.07053.thomas.wunder at>, Thomas Wunder
<thomas.wunder at> wrote:
> On Friday 25 March 2011 11:15:58 you wrote:
>> Use %{mschap:User-Name} everywhere; this will give the bare username 
> That sounds consequent but what exactly do you mean by "everywhere"?
> I use the policy.conf (as you can see by the debug output from my previous 
> posting) to define some policies that are later on used within the 'authorize 
> {...}' groups of sites-available/default and sites-available/inner-tunnel. I 
> don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group 
> information from my LDAP-server. The only place where I consciously reference 
> any User-Name attribute is the modules/ldap and there I already do as you 
> suggest (see attachment).
> Where else do I need to explicitly specify '%{mschap:User-Name}' to have 
> rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have 
> rlm_mschap ignore the domain component of the user name)?
> My modules/mschap config file is pretty lucid at present:
> mschap {
>         use_mppe = yes
>         require_encryption = yes
>         require_strong = yes
>         with_ntdomain_hack = no
> }
> And what about the realms approach? Can I save the trouble?
>> (and also correctly translate host/, if you later do 
>> machine auth)
> Thanks!
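To make the behaviour discussed in this thread concrete, here is an added Python model (not FreeRADIUS code and not from either poster) of the `%{Attr:-fallback}` expansion used in the two config lines above. It evaluates the ldap `filter` and the `--username=` part of the `ntlm_auth` line for a plain username and for a `DOMAIN\user` form, once without any realm stripping (as in Nolan's setup) and once with a model of the `ntdomain` realm module setting `Stripped-User-Name`. The `%{mschap:User-Name}` expansion is modelled as "drop the NT domain prefix"; the domain name `CORP` and the user `alice` are constructed sample values.

```python
# Added example: a minimal evaluator for FreeRADIUS-style %{Attr:-fallback}
# expansions, used to show which username reaches LDAP and ntlm_auth.
# This is a model, not rlm_* code; it only covers the syntax on the page.

LDAP_FILTER = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
NTLM_USER = "--username=%{%{Stripped-User-Name}:-%{User-Name:-None}}"

# Model of rlm_mschap's User-Name xlat: return the name without "DOMAIN\".
XLAT_FUNCS = {
    "mschap:User-Name": lambda attrs: attrs.get("User-Name", "").split("\\")[-1],
}


def _match_close(s, i):
    """Index of the '}' closing the '%{' that starts at s[i]."""
    depth, k = 0, i
    while k < len(s):
        if s.startswith("%{", k):
            depth += 1
            k += 2
            continue
        if s[k] == "}":
            depth -= 1
            if depth == 0:
                return k
        k += 1
    raise ValueError("unbalanced %{ in expansion")


def _split_fallback(body):
    """Split 'left:-fallback' at the first ':-' that is not inside a nested %{...}."""
    depth, k = 0, 0
    while k < len(body):
        if body.startswith("%{", k):
            depth += 1
            k += 2
            continue
        if body[k] == "}":
            depth -= 1
        if depth == 0 and body.startswith(":-", k):
            return body[:k], body[k + 2:]
        k += 1
    return body, None


def _eval(body, attrs):
    left, fallback = _split_fallback(body)
    if left.startswith("%{"):            # nested expansion on the left side
        value = expand(left, attrs)
    elif left in XLAT_FUNCS:             # module xlat such as %{mschap:User-Name}
        value = XLAT_FUNCS[left](attrs)
    else:                                # plain attribute reference
        value = attrs.get(left, "")
    if value == "" and fallback is not None:
        return expand(fallback, attrs)
    return value


def expand(template, attrs):
    """Expand every %{...} in template against the attribute dict."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            j = _match_close(template, i)
            out.append(_eval(template[i + 2:j], attrs))
            i = j + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def strip_ntdomain(user_name):
    """Model of the ntdomain realm (format = prefix, delimiter = '\\'):
    on DOMAIN\\user it sets Stripped-User-Name and Realm, otherwise nothing."""
    if "\\" not in user_name:
        return {}
    domain, user = user_name.split("\\", 1)
    return {"Stripped-User-Name": user, "Realm": domain}


def resolve_names(user_name, ntdomain_realm=False):
    """What the ldap filter and ntlm_auth username expand to for a request."""
    attrs = {"User-Name": user_name}
    if ntdomain_realm:
        attrs.update(strip_ntdomain(user_name))
    return {
        "ldap_filter": expand(LDAP_FILTER, attrs),
        "ntlm_user": expand(NTLM_USER, attrs),
    }


if __name__ == "__main__":
    for name in ("alice", "CORP\\alice"):
        for realm in (False, True):
            print(name, "ntdomain realm" if realm else "no realm", resolve_names(name, realm))
    print("%{mschap:User-Name} ->", expand("%{mschap:User-Name}", {"User-Name": "CORP\\alice"}))
```

Without realm stripping, `CORP\alice` is passed through unchanged to both the sAMAccountName filter and ntlm_auth, which is why such clients are rejected in the setup above; with `Stripped-User-Name` set (or by using `%{mschap:User-Name}`), only `alice` is looked up. The `:-None` fallback shows what ntlm_auth receives when no User-Name attribute is present at all.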
