Working around broken EAP client

Phil Mayers p.mayers at
Tue Jun 11 17:05:59 CEST 2013

On 11/06/13 15:11, Gordon Ross wrote:
> On 11 Jun 2013, at 14:32, Alan DeKok <aland at>
>   wrote:
>> Gordon Ross wrote:
>>> In the meantime, is there anything I can do to accept these requests ?
>>   Set the User-Name to be the same as the MS-CHAP identity.
> How and where do I do that ? In the inner part by something close to:

It's a bit complicated, because the code munges the username values 
depending on whether you've got "with_ntdomain_hack" set to "yes" or 
"no" (which is why I asked for a full debug).

You want to set it as late as possible but just before mschap 
"authenticate" runs.

Something like this:

server inner-tunnel {


authenticate {
   Auth-Type MSCHAP {
     if (MS-CHAP-User-Name) {
       update request {
         User-Name := "%{MS-CHAP-User-Name}"



More information about the Freeradius-Users mailing list