PEAP/MSCHAPv2 / Freeradius / AD

Alan Buxey A.L.M.Buxey at
Thu Oct 13 23:58:01 CEST 2011


>    We are trying to use Freeradius to do  PEAP/MSCHAPv2
> authentication against Active Directory (2003).  Our realm is
>, but since Eduroam doesn't allow subdomain, end user has
> to use   bob at instead bob at as username.

you shouldnt send your own sub domains up to the national level - hopefully
they have picked up on issues that older eduroam federations have had in the can be the cause of loops... hopefully the national level has
loop detection mechanisms for if an end site does something silly.

it would be  shame if they are stopping you from using sub-realms...its
quite common elsewhere...

but anyway, you shouldnt need to worry, the outerid is just like the address
on an get the RADIUS request back to YOUR RADIUS servers.
once it gets there, the EAP tunnel is created and the innerID is exposed..and
that can be whatever you want - with realm or without realm.  you can also
adjust the ntlm_auth command to send whatever realm you want locally to the AD

of course, could have issues with older clients where you cannot adjust outerID

>    My question is can you modify the realm behind the user's back?
> (during EAP process).

the username does not need to be used as-is..generally you could (and many do!)
use the Stripped-User-Name in the ntlm_auth stage


More information about the Freeradius-Users mailing list