Realm Strip

Dennis Xu dxu at
Wed Sep 9 15:48:49 CEST 2015

This is our setup: we put a FreeRadius version 2.1.10 on Ubuntu in front of the Cisco ACS 5 and we need the FreeRadius to strip the suffix starting from @ and just pass the username to ACS 5 for authentication(with AD). We use PEAP MS-CHAPv2. It did not work. ACS5 still sees the whole username(i.e, dxu at with the suffix.

I added the following to the proxy.conf file:
realm {
        type = radius
        authhost =
        accthost =
        secret = testing123

I added followings to the radiusd.conf file:
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no

authorize {

authenticate {
        Auth-Type MS-CHAP {

mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes

Did I miss anything?

Does FreeRadius strip the realm for both inner and outer IDs for peap authentication?

Thank you for your help!

Dennis Xu, MASc, CCIE #13056
Analyst 3, Network Infrastructure
Computing and Communications Services(CCS)
University of Guelph

519-824-4120 Ext 56217
dxu at

More information about the Freeradius-Users mailing list