Freeradius + AD authentication passing Domain+User

Enrico Polesel epol.lists at
Thu Jun 22 16:46:50 CEST 2017

Hi all,

On Thu, Jun 22, 2017 at 4:11 PM Alan DeKok <aland at>

> >
> > Sending Access-Request of id 220 to port 1812
> >        User-Name = "alejandro at <alcabrera at>"
>   Is the account in AD called "alejandro at"?  Or is it just
> alejandro ?
>   Again... if you're testing a user in AD, you just need to test with the
> username that's in AD.  There is simply no reason to do anything else.

Remember that AD has TWO usernames: the sAMAccountName (old style NetBIOS)
and the userPrincipalName (new style, Kerberos); the latter also includes
the domain.

BUT winbind (and ntlm_auth) uses the sAMAccountName username, so be sure
to pass that name and not the new userPrincipalName.
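
An added example, not part of the original post or of FreeRADIUS: a Python sketch that reduces the User-Name forms discussed in this thread to the login that ntlm_auth expects and builds the argument list without a shell. The function names and the `/usr/bin/ntlm_auth` path are assumptions, and so is treating the part of a userPrincipalName before the `@` as the sAMAccountName, which AD does not guarantee (an LDAP lookup is the authoritative mapping).

```python
import re

# Characters Microsoft documents as invalid in a sAMAccountName.
_SAM_FORBIDDEN = re.compile(r'["/\\\[\]:;|=,+*?<>]')
_SAM_MAX_USER_LEN = 20  # documented limit for user accounts


def split_ad_login(user_name):
    """Return (form, domain, login) for a RADIUS User-Name value.

    form is "downlevel" (DOMAIN\\user), "upn" (user@realm) or "bare".
    """
    if "\\" in user_name:
        domain, login = user_name.split("\\", 1)
        form = "downlevel"
    elif "@" in user_name:
        # Assumption: UPN prefix == sAMAccountName (not guaranteed by AD).
        login, domain = user_name.rsplit("@", 1)
        form = "upn"
    else:
        form, domain, login = "bare", None, user_name
    # Reject anything that cannot be a sAMAccountName before it gets
    # anywhere near a command line.
    if (not login or _SAM_FORBIDDEN.search(login)
            or len(login) > _SAM_MAX_USER_LEN):
        raise ValueError("not usable as a sAMAccountName: %r" % user_name)
    return form, domain, login


def ntlm_auth_argv(user_name, ntlm_auth="/usr/bin/ntlm_auth"):
    """Build an argv list for ntlm_auth (path is an assumed default)."""
    form, domain, login = split_ad_login(user_name)
    argv = [ntlm_auth, "--request-nt-key", "--username=" + login]
    # Only a down-level name carries the NetBIOS domain ntlm_auth expects;
    # the realm of a UPN is a DNS suffix, so it is dropped, not passed on.
    if form == "downlevel" and domain:
        argv.append("--domain=" + domain)
    return argv


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread's AD.
    for name in ("alejandro", "EXAMPLE\\alejandro", "alejandro@example.org"):
        print(name, "->", ntlm_auth_argv(name))
```
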

