Stripping the domain from the username

Alan DeKok aland at
Mon Jan 13 00:56:19 CET 2020

On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart at> wrote:
> Thank you for your reply. I have made the change you suggested and (in
> my novice view) there now appears to be more progress than before.

  That's good, but...

> I completely appreciate that it's an old build, but it was included
> with an older version of macOS Server and I'm trying to get things
> working before I attempt to update anything. It relies on an Apple
> module 'opendirectory', which is responsible for querying the
> directory service running on the Mac server, and so I don't want to
> change anything yet until I can get things going. I certainly take
> your point on board though and will look to update to 2.2.10 as soon
> as possible.


> Here is the latest debug output after making the change you suggested.
> If I am interpreting this correctly, the 'radiustest at'
> username is being stripped and passed to the directory server during
> request 0:

  The User-Name is used to create a Stripped-User-Name attribute.  The User-Name is *not* edited.  This is important.

  Also, the "opendirectory" module is looking at Stripped-User-Name for user lookups.  This is fine.

> [opendirectory] User radiustest exists in OD
> [opendirectory] User radiustest is a member of the RADUIS SACL
> but by the time it gets to request 6 it is using the full username
> rather than the portion before the @:
> [mschap] Creating challenge hash with username: radiustest at
> [mschap] Client is using MS-CHAPv2 for radiustest at, we
> need NT-Password
> [mschap] Using OpenDirectory to authenticate
> [mschap] Unable to find record radiustest at in OD
> [mschap] Authentication failed for radiustest at
> ++[mschap] = fail

  Yes.  "radiustest at" doesn't exist in OD.

  However, you should know that the MS-CHAP calculations are done on the full User-Name that is passed to FreeRADIUS.  You *cannot* pass just a portion of the User-Name to OpenDirectory and expect the MS-CHAP calculations to work.  They won't.

> At this point the directory server is seeing a request for
> radiustest at and rejecting it because of course the
> username in that format does not exist. Do I need to change anything
> so that the mschap module is creating the challenge hash with
> 'radiustest' rather than 'radiustest at', or am I barking
> up the wrong tree?

  What you want to do is impossible.

  OpenDirectory won't give FreeRADIUS the users password, so that FreeRADIUS can do the MS-CHAP calculations.

  OpenDirectory won't automatically look up just the "radiustest" portion of the users name, BUT use the whole "radiustest at" for the MS-CHAP calculations.

  Your options are:

a) do PEAP with plain usernames, i.e. "radiustest" and not "radiustest at"

b) put the users password into a database that FreeRADIUS can read.

  Alan DeKok.

More information about the Freeradius-Users mailing list