Usernames with escape sequences

James Sumners james.sumners at
Fri Feb 27 15:28:01 CET 2015

I have Freeradius authenticating to an Active Directory system via 
ntlm_auth. When a username in the format "foobar\jdoe" comes in, where 
"foobar" is the domain and "jdoe" is the real username, the 
authentication succeeds just fine. But if the username is "foobar\tdoe" 
then it gets expanded to "foobar    doe".

Here's some real output where the passed-in username was "CCSU\tstudent":

(0) mschap : Client is using MS-CHAPv1 with NT-Password
(0) mschap : Executing: "/bin/ntlm_auth --request-nt-key 
(0) mschap :    expand: "--username=%{%{mschap:User-Name}:-None}" -> 
'--username=CCSU   student'
(0) mschap : No NT-Domain was found in the User-Name.
(0) mschap :    expand: "--domain=%{%{mschap:NT-Domain}:-None}" -> '--domain='
(0) mschap :  mschap1: ac
(0) mschap :    expand: "--challenge=%{%{mschap:Challenge}:-00}" -> 
(0) mschap :    expand: "--nt-response=%{%{mschap:NT-Response}:-00}" -> 
(0) mschap : Program returned code (1): Logon failure (0xc000006d)
(0) mschap : External script failed.
(0) ERROR: mschap : External script says: Logon failure (0xc000006d)

How do I prevent the escape sequence from being expanded?
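
An added illustration of the failure described in the post above (not part of the original message and not FreeRADIUS code): a constructed C-style escape decoder, assumed here as a stand-in for whichever step rewrote the name, shows why "\j" survives while "\t" becomes a tab. It sits beside a literal split on the first backslash and a control-character check; all function names are hypothetical.

```python
import re

# Constructed model of a C-style escape decoder. This is an assumption standing
# in for the string-unescaping step that rewrote the name in the log above.
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\", '"': '"'}


def unescape(s):
    """Decode known backslash escapes; unknown ones (e.g. \\j) are left intact."""
    return re.sub(r"\\(.)",
                  lambda m: _ESCAPES.get(m.group(1), "\\" + m.group(1)), s)


def split_nt_name(raw):
    """Split DOMAIN\\user on the first literal backslash, with no unescaping."""
    domain, sep, user = raw.partition("\\")
    return (domain, user) if sep else ("", raw)


def has_control_chars(s):
    """True if the string holds ASCII control characters (tab, newline, ...)."""
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def audit(raw):
    """Compare literal handling with escape decoding for one User-Name."""
    decoded = unescape(raw)
    domain, user = split_nt_name(raw)
    return {
        "domain": domain,
        "user": user,
        "decoded": decoded,
        "corrupted": decoded != raw,          # decoding changed the name
        "control_chars": has_control_chars(decoded),
    }


# The first three names appear in the post; the last one is constructed.
SAMPLES = [r"CCSU\tstudent", r"foobar\jdoe", r"foobar\tdoe", r"foobar\nash"]

if __name__ == "__main__":
    for name in SAMPLES:
        r = audit(name)
        print(f"{name!r:20} domain={r['domain']!r} user={r['user']!r} "
              f"decoded={r['decoded']!r} corrupted={r['corrupted']}")
```
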
