Working around broken EAP client

Phil Mayers p.mayers at
Tue Jun 11 11:57:20 CEST 2013

Gordon Ross <gr306 at> wrote:

>I'm using Freeradius 2.1.10 as supplied with Ubuntu 12.04
>I'm wanting to use Freeradius to authenticate 802.1x clients. However,
>one client I need to authenticate I believe is "broken", in that it's
>stripping the suffix on the inner identity.
>From running freeradius -X I see:
>[mschap] ERROR: User-Name (68983 at is not the same as
>MS-CHAP Name (68983) from EAP-MSCHAPv2
>Putting the same credentials into an iPhone allows the iPhone to sign
>onto the network without problems. So I feel it's the client that's
>broken, and not my freeradius setup.
>I've seen some warnings that fixing the identity mis-match is a Bad
>Idea, but I need to get this client to work.
>I found a page[1] that has a similar problem, but for Windows domain
>prefixes being stripped. It suggests that adding:
>if ( User-Name =~ /^machine.*/ ) {
>     update request {
>         MS-CHAP-User-Name = "%{request:User-Name}"
>     }
>to the inner configuration will fix it.
>Is it possible to do something similar to add the suffix if it's
>missing ?
>Gordon Ross
>List info/subscribe/unsubscribe? See

Can we see a full debug? It might help people suggest options. The advice you seem to have dug up seems plain wrong - no idea why they think setting that will help as it will mangle the challenge/response.
Sent from my phone with, please excuse brevity and typos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list