Removing domain prefix from login

Alejandro Gandara agandara at
Thu Nov 10 09:15:38 CET 2011

Hi Alan,

Thanks for your answers and excuse me for my english fill of mistakes.

2011/11/10 Alan DeKok <aland at>

> Alejandro Gandara wrote:
> > I'm authenticating users in RADIUS against LDAP, if I login from
> > computer with 802.1x configured and users and password taken from domain
> > automatic. Im getting wrong authenticated because the login has the
> > following chain.
> >
> > DOMAIN\\Users
> >
> > How can i avoid that radius read the prefix?
>   You should be able to authenticate using just the user name, using
> ntlm_auth.  See the examples in raddb/modules/ntlm_auth

Im reading about it. Thanks for this information.

> > I've tried to introduce the option prefix in /etc/sites-enable/default ,
> > but its getting me back errors because of wrong way to introduce that
> line.
>   Yes.  Don't define a realm.  It won't work.
>  Post the debug output.  That helps, too.

This is my debug  output:

rad_recv: Access-Request packet from host port 1025, id=112,
        Framed-MTU = 1480
        NAS-IP-Address =
        NAS-Identifier = "SW-INT-1-3"
        User-Name = "PRIVATE\\usertest"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 32
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "32"
        Called-Station-Id = "f0-62-81-05-33-40"
        Calling-Station-Id = "f0-4d-a2-bc-77-cd"
        Connect-Info = "CONNECT Ethernet 1000Mbps Full duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        EAP-Message = 0x020a0012014f50544152455c62726f75636f
        Message-Authenticator = 0x055981a2c542df52f4c292042c89a019
[ldap] performing user authorization for usertest
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> usertest
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[ldap]  expand: dc=private,dc=loc -> dc=private,dc=loc
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to, authentication 0
  [ldap] bind as cn=raddbuser,dc=private,dc=loc/password to
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=pruebas,dc=loc, with filter (uid=usertest)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
[ldap] looking for reply items in directory...
  [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "01"
  [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] radiusFramedIPAddress -> Framed-IP-Address =
[ldap] user brouco authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[eap] EAP packet type response id 10 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
*[eap] Identity does not match User-Name, setting from EAP Identity.*
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [usertest/<via Auth-Type = EAP>] (from client privradius
port 32 cli f0-4d-a2-bc-77-cd)
Using Post-Auth-Type Reject
  WARNING: Unknown value specified for Post-Auth-Type.  Cannot perform
requested action.
# Executing group from file /etc/freeradius/sites-enabled/default

Thanks for all Alan.


Alejandro Gándara

>  Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list