FreeRadius (version 2.1.12) + ntlm_auth (AD) authentication + LDAP authorization

Phil Mayers p.mayers at
Thu Jan 10 12:15:21 CET 2013

On 01/09/2013 08:42 PM, Matthew Ceroni wrote:
> It appears that when Windows sends the username it sends it as
> DOMAIN\\username.
> The \\ causes the 5c to appear in the username. I confirmed this by
> using the radtest tool and specifying the username as DOMAIN\\username.
> A single \ causes the username to appear as DOMAINusername so that is
> why double \\ are required.

No, you're misunderstanding what is going on.

"\" is the string escape character e.g. "\n" is "newline", "\t" is tab, 
etc/. So to put a "\" in a quoted string needs "\\". FreeRADIUS in debug 
mode is printing the same thing you would have to type.

That is, windows is only sending "DOMAIN\username"

"\" is then LDAP-escaped to \5c as per normal LDAP escaping rules.

As to why it's not working - I seriously doubt that you actually have:

sAMAccountNAme: DOMAIN\user Active Directory. Are you sure this is what you have?

More information about the Freeradius-Users mailing list