Proxy.conf realms

Phil Mayers p.mayers at
Sat Mar 16 14:21:15 CET 2013

On 03/15/2013 10:47 PM, Matthew Ceroni wrote:
> Well I found something that appears to work. I used the hints file. And
> it correctly stripped off the host/ and domain.local.
> However now I get the error
> [eap] Identity does not match User-Name, setting from EAP Identity
> [eap] Failed in handler

Modifying the "User-Name" attribute is a bad idea. It will, as you have 
seen, break EAP.

Use another attribute - maybe define your own local one (see 
raddb/dictionary and pay attention to the comments about numbering).

You were previously using Stripped-User-Name - just keep using that, and 
move the "unlang" you wrote to the top of the "authorize" section i.e.:

authorize {
   if (User-Name =~ /^h.../) {

One other alternative is to leave the username alone, and use the xlat 
provided by the mschap module; specifically this:


...will expand this:

host/ this:


Note the trailing dollar sign, which is windows-speak for "machine 
account". This is required if, for example, you use Samba/ntlm_auth, 
which requires "--username=host$" as the CLI argument.

I'm not sure what any of this has to do with the subject line, btw...

More information about the Freeradius-Users mailing list