Change username for MSCHAPv2

Alan DeKok aland at
Fri Jun 30 19:25:26 CEST 2017

On Jun 30, 2017, at 11:53 AM, Gabriele Verzeletti <gabriele at> wrote:
> Hello, I have a freeradius 3.0.10-1.1 running on openSUSE leap.
> I need to authenticate users for WiFi access WPA2 Enterprise, using PEAP and MSCHAPv2 against Active directory.
> User account are identified by userPrinciplaName, but ntlm_auth is not able to authenticate using this attribute, it looks into samAccountName.

  ntlm_auth just passes data from FreeRADIUS to AD.  If the user is being rejected, it's not because of ntlm_auth. 

> With an external script I'm able to performa a query on active directory and retrieve the samAccountName, but if I update the attribute User-Name using
> authorize {
>     update request {
>        User-Name := `/path/to/my/script '%{User-Name}'`
>    }

  Don't edit the User-Name.  It's wrong.

  You also don't need to run a script to do this.  FreeRADIUS can do LDAP queries natively.
> I have an error in the log
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0) eap: Identity does not match User-Name, setting from EAP Identity
> (0) eap: Failed in handler
> (0)     [eap] = invalid
> (0)   } # authenticate = invalid


  In the short term, you can do:

authorize {
	update request {
		Stripped-User-Name :=  `/path/to/my/script '%{User-Name}'`

  And be sure that the configuration line which runs ntlm_auth uses Stripped-User-Name.

  Alan DeKok.

More information about the Freeradius-Users mailing list