Strip off the domain part from the User-Name

Robert Roll Robert.Roll at
Fri Mar 25 18:10:43 CET 2011

We're currently running 2.1.10.

I seemed to notice that the "out of the box" config does not actually create
a Stripped-User-Name and Realm. I did find that when I created a "real" realm in the proxy.conf
file, then a Stripped-User-Name and Realm were available. So, I thought that if I really wanted
ALL usernames "stripped" into their component parts, I would just change the realm
in the proxy.conf file to be "DEFAULT"? This then seemed to send the request into some sort of
endless loop?



From: at [ at] On Behalf Of Nolan King [nking at]
Sent: Friday, March 25, 2011 10:35 AM
To: freeradius list
Subject: Re: Strip off the domain part from the User-Name

FreeRADIUS 2.1.8:
My environment uses the ntlm_auth and ldap modules.
In the mschap module, I have a line like:

ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-re$

also, in ldap:
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

no edits to default or inner-tunnel (other than to uncomment the ntlm_auth and mschap lines).

I use this method to authenticate users connecting to wireless APs with XP, iOS, Linux, and Win7 machines. I want users to be forced to enter their password to connect, so the clients are configured not to use domain\username, just username and password. Set up this way, a client sending the username in domain\username form will be rejected. I am not sure this is "right", but it allows me to use MSCHAP auth with several different types of clients, and control access with an LDAP group without worrying about the domain\user nonsense. Of course, I only have a single domain, which simplifies things.


>>> On 3/25/2011 at 7:41 AM, in message
<201103251541.07053.thomas.wunder at>, Thomas Wunder
<thomas.wunder at> wrote:
> On Friday 25 March 2011 11:15:58 you wrote:
>> Use %{mschap:User-Name} everywhere; this will give the bare username
> That sounds consequent but what exactly do you mean by "everywhere"?
> I use the policy.conf (as you can see by the debug output from my previous
> posting) to define some policies that are later on used within the 'authorize
> {...}' groups of sites-available/default and sites-available/inner-tunnel. I
> don't utilize rlm_files any more but I use rlm_ldap to retrieve user/group
> information from my LDAP-server. The only place where I consciously reference
> any User-Name attribute is the modules/ldap and there I already do as you
> suggest (see attachment).
> Where else do I need to explicitly specify '%{mschap:User-Name}' to have
> rlm_mschap accept user names that incorporate a NT-domain name (i.e. to have
> rlm_mschap ignore the domain component of the user name)?
> My modules/mschap config file is pretty lucid at present:
> mschap {
>         use_mppe = yes
>         require_encryption = yes
>         require_strong = yes
>         with_ntdomain_hack = no
> }
> And what about the realms approach? Can I save the trouble?
>> (and also correctly translate host/, if you later do
>> machine auth)
> Thanks!
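To make the attribute flow in the two messages above concrete (Robert's question about when Stripped-User-Name and Realm get set, and the %{Stripped-User-Name:-%{User-Name:-None}} and %{Stripped-User-Name:-%{User-Name}} fallbacks in Nolan's ntlm_auth and ldap lines), here is an added Python model. It is not FreeRADIUS code: it re-implements rlm_realm's prefix/suffix splitting in simplified form (the first instance whose delimiter is present wins), and its sample User-Names, the STOCK_INSTANCES list and the ldap_escape helper are constructed for the illustration. The ("prefix", "\\") and ("suffix", "@") entries correspond to the stock ntdomain and suffix instances in modules/realm; rlm_ldap does its own escaping of xlat expansions in the filter, which the model mirrors so a hostile User-Name cannot change the filter's shape.

```python
# Added example for this thread, not FreeRADIUS code: a Python model of
# (1) how an rlm_realm instance splits User-Name into Stripped-User-Name
# and Realm, and (2) how the xlat fallbacks in the ntlm_auth and ldap
# lines resolve.  Rules modelled: prefix format splits on the FIRST
# delimiter with the realm on the left (DOMAIN\user); suffix format splits
# on the LAST delimiter with the realm on the right (user@realm).
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]


def split_realm(user_name: str, fmt: str = "prefix",
                delimiter: str = "\\") -> Tuple[Optional[str], Optional[str]]:
    """Return (Stripped-User-Name, Realm); (None, None) if no delimiter found."""
    if fmt == "prefix":
        idx = user_name.find(delimiter)                # first occurrence
        if idx < 0:
            return None, None
        return user_name[idx + len(delimiter):], user_name[:idx]
    if fmt == "suffix":
        idx = user_name.rfind(delimiter)               # last occurrence
        if idx < 0:
            return None, None
        return user_name[:idx], user_name[idx + len(delimiter):]
    raise ValueError(f"unknown realm format {fmt!r}")


def authorize(user_name: str, instances: List[Tuple[str, str]]) -> Attrs:
    """Apply realm instances in the order they would be listed in authorize {}.

    instances is a list of (format, delimiter), e.g. [("prefix", "\\"),
    ("suffix", "@")] for the stock ntdomain and suffix instances.
    Simplification: the first instance whose delimiter is present sets the
    attributes and later ones are skipped; a name with no delimiter leaves
    Stripped-User-Name and Realm unset (the ignore_null = yes case).
    """
    attrs: Attrs = {"User-Name": user_name}
    for fmt, delim in instances:
        stripped, realm = split_realm(user_name, fmt, delim)
        if stripped is not None:
            attrs["Stripped-User-Name"] = stripped
            attrs["Realm"] = realm
            break
    return attrs


def ntlm_username(attrs: Attrs) -> str:
    """%{%{Stripped-User-Name}:-%{User-Name:-None}}: first attribute that
    exists and is non-empty, else the literal string None."""
    return attrs.get("Stripped-User-Name") or attrs.get("User-Name") or "None"


def ldap_escape(value: str) -> str:
    """RFC 4515 filter escaping (constructed helper; rlm_ldap escapes xlat
    expansions inside the filter itself).  Keeps a User-Name such as
    'a)(cn=*' from changing the shape of the search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def ldap_filter(attrs: Attrs) -> str:
    """Render (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))."""
    name = attrs.get("Stripped-User-Name") or attrs.get("User-Name", "")
    return "(&(sAMAccountName=%s))" % ldap_escape(name)


# Constructed sample User-Names, as a supplicant might send them.
SAMPLES = [
    "CORP\\alice",              # NT-domain prefix, the form Robert wants stripped
    "alice@corp.example",       # suffix realm
    "alice",                    # bare name, the form Nolan's clients send
    "CORP\\bob@lab",            # both delimiters; ntdomain runs first and wins
    "host/pc1.corp.example",    # machine account: no delimiter, not split here
                                # (the thread recommends %{mschap:User-Name} for these)
    "a)(cn=*",                  # hostile name; only escaping keeps the filter intact
]

STOCK_INSTANCES = [("prefix", "\\"), ("suffix", "@")]


def demo(instances=STOCK_INSTANCES) -> Dict[str, Tuple[Optional[str], str, str]]:
    """Map each sample to (Stripped-User-Name, ntlm_auth username, ldap filter)."""
    result = {}
    for name in SAMPLES:
        attrs = authorize(name, instances)
        result[name] = (attrs.get("Stripped-User-Name"), ntlm_username(attrs),
                        ldap_filter(attrs))
    return result


if __name__ == "__main__":
    for name, (stripped, ntlm, flt) in demo().items():
        print("%-24s stripped=%-12s ntlm=%-24s %s" % (name, stripped, ntlm, flt))
```

Running it shows why Nolan's setup rejects DOMAIN\user: with no realm instance in authorize {}, Stripped-User-Name is never set, so the fallback hands the whole "CORP\alice" string to ntlm_auth and to the LDAP filter. Swapping STOCK_INSTANCES for an empty list reproduces that case.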


More information about the Freeradius-Users mailing list