How can I change proxy based on username?

Phil Mayers p.mayers at
Tue Mar 26 16:35:52 CET 2013

On 26/03/2013 15:12, John Horne wrote:

>> What is the upstream proxy?
> Microsoft domain controller (DC).

As in, Microsoft NPS running on a DC?

>> Can you explain why you want to do this? Obviously it's possible to
>> manipulate the packet in many ways, but your goal may be best
>> accomplished via a different route.
>> -
> The DC will recognise a users userid (e.g. 'jbloggs') provided it has no
> realm. It will also recognise (what I think is the UPN?) which is of the
> form 'j.bloggs at'.

Well, this depends on how you have your AD setup.

Basically, this whole area is a nest of vipers. It's a complete pain 
because windows is inconsistent about when you have to use a 
samAccountName, when you may use a userPrincipalName, and it's 
complicated even further by the fact that mschap mixes the username (but 
not any domain prefix/suffix) into the challenge/response crypto, so the 
server has to know which "username" you used.

Just to check I understand you - you currently have an NPS instance that 
will successfully authenticate:

j.bloggs at domain

...but fails on:

jbloggs at domain


> However, we have to cater for a mixed format of
> 'jbloggs at', which is currently used by some users and
> working. To do this we need to strip off the realm so that the DC will
> recognise just the userid part ('jbloggs').

But as you say, this ought to cause EAP failures, so it's useless?

More information about the Freeradius-Users mailing list