Freeradius authenticate against Active directory

Matthew Newton mcn4 at
Fri Sep 13 11:17:27 CEST 2013

On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote:
> expand: --username=%{mschap:User-Name:-None} -> --username=test at
> Exec-Program output: Logon failure (0xc00004f) 

> How can I fix the problem of authenticating users that type
> in their local realm with their username as well as proxying eduroam
> users?
> Basically, how do I authenticate a local user or strip the local
> realm before passing to Active Directory for authentication?

Use unlang to strip the realm off, something like this before the call to eap:

  if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) {
      # %{1} is everything before the '@', %{3} is the realm (if any)
      update request {
          Stripped-User-Name := "%{1}"
      }
      if ("%{3}") {
          update request {
              Realm := "%{3}"
          }
      }
      else {
          # this will reject requests that have no realm
          reject
      }
  }

Then in your mschap module config use Stripped-User-Name instead of User-Name, e.g.

  ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
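The following is an added example, not part of the mailing list thread: a Python model of the realm-stripping logic above, useful for checking offline what Stripped-User-Name and Realm a given User-Name would produce and which requests the "no realm" branch rejects. The regex is translated from the unlang one (Python's re has no [:alnum:], so it is spelled out), and LOCAL_REALMS plus the local-vs-proxy decision are assumptions about how a site would separate its own users from eduroam ones.

```python
import re

# Translation of the unlang regex from the reply; [:alnum:] has no direct
# equivalent in Python's re, so it is written as A-Za-z0-9.
REALM_RE = re.compile(r"^([^@]*)(@([-A-Za-z0-9.]+))?$")

# Assumption (constructed): the realms this RADIUS server authenticates
# itself against Active Directory; anything else is proxied.
LOCAL_REALMS = {"example.ac.uk"}


def split_realm(user_name):
    """Mirror the unlang block: return (Stripped-User-Name, Realm),
    or None when the request would be rejected (no realm, or no match)."""
    m = REALM_RE.match(user_name)
    if m is None:
        return None
    stripped, realm = m.group(1), m.group(3)
    if not realm:
        return None  # the else branch: no realm -> reject
    return stripped, realm


def ntlm_auth_argv(stripped_user_name, challenge="00", nt_response="00"):
    """Build the ntlm_auth command line from the reply, passing the stripped
    name rather than the full User-Name (the cause of the quoted logon failure)."""
    return ["/usr/bin/ntlm_auth", "--request-nt-key",
            f"--username={stripped_user_name}",
            f"--challenge={challenge}",
            f"--nt-response={nt_response}"]


def route(user_name):
    """Decide what happens to a request: reject, local ntlm_auth, or proxy."""
    parts = split_realm(user_name)
    if parts is None:
        return ("reject", None)
    stripped, realm = parts
    if realm.lower() in LOCAL_REALMS:
        return ("local", ntlm_auth_argv(stripped))
    return ("proxy", realm)
```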
