UserPrincipalName with ntlm_auth, trying to get it "right"

Matthew Newton mcn4 at
Fri Jan 15 12:43:02 CET 2016

On Fri, Jan 15, 2016 at 09:44:15AM +0100, Mathieu Simon (Lists) wrote:
> I see eduroam folks use a username at homeorg.tld format which does look
> like a UPN (maybe on their backend it isn't).

It's an NAI. There's a difference. See RFC 4282.

> I'd also guess that some organizations have Active Directory as
> backend, and I see some also use PEAP-MSCHAPv2 ... thus there
> must be similarities to what I have here.

Yes. sAMAccountName at realm

Though for completeness here our UPN is the same as
sAMAccountName at realm (for one version of "realm" anyway).

> If anyone on this is willing to share how they did it, that would be
> interesting to hear and how (well) it works for them. I hope I could
> then avoid stumbling into a potential pitfall with MSCHAP...

Used sAMAccountName.

I'll spare the list the details of the arguments I've had with
people here on "it's their e-mail address", "no, it's
username at realm". Aside from when we started to permit people to
have their name as their e-mail address, and suddenly all the
documentation had to be changed because e-mail address no longer
worked for those that changed e-mail address. :-)

But if you try it with UPN and it works reliably then it would be
interesting to know.


Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>
