Removing domain prefix from login

Phil Mayers p.mayers at
Fri Nov 11 08:41:24 CET 2011

On 11/10/2011 10:06 PM, Alan Buxey wrote:
> Hi,
>> As per the docs. This config item should not be used, and is causing
>> things to break.
> umm, wasnt there a discussion recently in which
> with_ntdomain_hack = yes
> was going to be set by default in FR 3.x ?

That was the option on the mschap module. That option does not modify 
the packet, and only controls the string that is input into the mschap 
challenge/response calculation. Since the RFC says that input string 
should always be the username without leading DOMAIN\, it seems sensible 
to change that default and rename the option to something like 
"challenge_ignore_ntdomain" or something.

*This* option, unfortunately named the same thing, does something 
different - it modifies the username in the packet to remove the DOMAIN\ 
which is almost never a good thing, and definitely not if you're using 
EAP. It should probably just be removed - people can use unlang if they 
really want to hack away at the username.

There's also a with_ntdomain_hack on rlm_eap_mschapv2 which again does 
something different - it strips the DOMAIN\ when proxying the mschap to 
a remote server. It should probably be renamed to "proxy_send_domain" or 

More information about the Freeradius-Users mailing list