Change username for MSCHAPv2

Gabriele Verzeletti gabriele at
Fri Jun 30 17:53:19 CEST 2017

Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP 
and MSCHAPv2 against Active directory.
User account are identified by userPrinciplaName, but ntlm_auth is not 
able to authenticate using this attribute, it looks into samAccountName.
With an external script I'm able to performa a query on active directory 
and retrieve the samAccountName, but if I update the attribute User-Name 

authorize {
      update request {
         User-Name := `/path/to/my/script '%{User-Name}'`

I have an error in the log

(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) eap: Identity does not match User-Name, setting from EAP Identity
(0) eap: Failed in handler
(0)     [eap] = invalid
(0)   } # authenticate = invalid

Is there any way to perform this account translation before send request 
to EAP ?

Thanks to all

More information about the Freeradius-Users mailing list