Stripping the domain from the username

Stuart Ramdeen stuart at
Tue Jan 14 22:59:55 CET 2020

Hi Alan

Thanks for confirming that what we're trying to do just isn't possible. I
think I'm going to look into adding an alias to every user in the directory
that contains the username formatted as an email address so that OD is able
to successfully authenticate the user and the MS-CHAP calculations complete.

Best wishes,

On Sun, 12 Jan 2020 at 23:56, Alan DeKok <aland at> wrote:

> On Jan 12, 2020, at 6:42 PM, Stuart Ramdeen <stuart at>
> wrote:
> >
> > Thank you for your reply. I have made the change you suggested and (in
> > my novice view) there now appears to be more progress than before.
>   That's good, but...
> > I completely appreciate that it's an old build, but it was included
> > with an older version of macOS Server and I'm trying to get things
> > working before I attempt to update anything. It relies on an Apple
> > module 'opendirectory', which is responsible for querying the
> > directory service running on the Mac server, and so I don't want to
> > change anything yet until I can get things going. I certainly take
> > your point on board though and will look to update to 2.2.10 as soon
> > as possible.
>   OK.
> > Here is the latest debug output after making the change you suggested.
> > If I am interpreting this correctly, the 'radiustest at'
> > username is being stripped and passed to the directory server during
> > request 0:
>   The User-Name is used to create a Stripped-User-Name attribute.  The
> User-Name is *not* edited.  This is important.
>   Also, the "opendirectory" module is looking at Stripped-User-Name for
> user lookups.  This is fine.
> > [opendirectory] User radiustest exists in OD
> > [opendirectory] User radiustest is a member of the RADUIS SACL
> >
> > but by the time it gets to request 6 it is using the full username
> > rather than the portion before the @:
> >
> > [mschap] Creating challenge hash with username: radiustest at
> > [mschap] Client is using MS-CHAPv2 for radiustest at, we
> > need NT-Password
> > [mschap] Using OpenDirectory to authenticate
> > [mschap] Unable to find record radiustest at in OD
> > [mschap] Authentication failed for radiustest at
> > ++[mschap] = fail
>   Yes.  "radiustest at" doesn't exist in OD.
>   However, you should know that the MS-CHAP calculations are done on the
> full User-Name that is passed to FreeRADIUS.  You *cannot* pass just a
> portion of the User-Name to OpenDirectory and expect the MS-CHAP
> calculations to work.  They won't.
> > At this point the directory server is seeing a request for
> > radiustest at and rejecting it because of course the
> > username in that format does not exist. Do I need to change anything
> > so that the mschap module is creating the challenge hash with
> > 'radiustest' rather than 'radiustest at', or am I barking
> > up the wrong tree?
>   What you want to do is impossible.
>   OpenDirectory won't give FreeRADIUS the user's password, so that
> FreeRADIUS can do the MS-CHAP calculations.
>   OpenDirectory won't automatically look up just the "radiustest" portion
> of the user's name, BUT use the whole "radiustest at" for the
> MS-CHAP calculations.
>   Your options are:
> a) do PEAP with plain usernames, i.e. "radiustest" and not "radiustest at"
> b) put the user's password into a database that FreeRADIUS can read.
>   Alan DeKok.
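The point Alan makes above (the MS-CHAP maths run over the User-Name the client presented, so looking the user up under Stripped-User-Name cannot rescue the calculation) is easier to see with the RFC 2759 ChallengeHash step written out. The block below is an added example; it is not code from this thread and not FreeRADIUS's own mschap or realm module code. The realm `example.com` (the thread's realm is elided), the two 16-octet challenges and the function names `challenge_hash`, `strip_realm`, `strip_nt_domain` and `server_can_verify` are all constructed for illustration.

```python
"""Why MS-CHAPv2 cannot be verified against a name other than the one the client used.

The user name is an input to the RFC 2759 ChallengeHash, so a server that
recomputes the challenge over 'radiustest' when the client computed it over
'radiustest@example.com' is already working from a different 8-octet challenge
before it ever reaches the NT-Password. Realm and challenge bytes are constructed.
"""
import hashlib
from typing import Optional, Tuple

# Constructed 16-octet challenges (RFC 2759 sizes); real ones are random.
AUTH_CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
PEER_CHALLENGE = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2: Challenge = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8].

    UserName is the name as presented by the peer. RFC 2759 excludes only a
    prepended NT domain (DOMAIN\\user); a realm suffix such as user@realm is
    part of the name and changes the hash.
    """
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    h.update(user_name.encode("utf-8"))
    return h.digest()[:8]


def strip_realm(user_name: str, delimiter: str = "@") -> Tuple[str, Optional[str]]:
    """What a realm/suffix module does: derive Stripped-User-Name and Realm from
    User-Name. User-Name itself is not modified; the stripped value is a separate
    attribute intended for directory lookups, not for the MS-CHAP calculation."""
    if delimiter in user_name:
        stripped, realm = user_name.rsplit(delimiter, 1)
        return stripped, realm
    return user_name, None


def strip_nt_domain(user_name: str) -> str:
    """The one transformation RFC 2759 does allow: drop a prepended DOMAIN\\ part."""
    return user_name.rsplit("\\", 1)[-1]


def server_can_verify(client_user_name: str, server_user_name: str,
                      peer_challenge: bytes = PEER_CHALLENGE,
                      auth_challenge: bytes = AUTH_CHALLENGE) -> bool:
    """The client derived NT-Response from challenge_hash(..., client_user_name).
    The server recomputes the challenge from whatever name it decides to use.
    If the two 8-octet challenges differ, no NT-Password lookup can make the
    DES-based NT-Response check (not shown here) succeed, so the request fails."""
    client_challenge = challenge_hash(peer_challenge, auth_challenge, client_user_name)
    server_challenge = challenge_hash(peer_challenge, auth_challenge, server_user_name)
    return client_challenge == server_challenge


if __name__ == "__main__":
    full = "radiustest@example.com"  # constructed realm; the thread's realm is elided
    stripped, realm = strip_realm(full)
    print("Stripped-User-Name:", stripped, "Realm:", realm)
    print("verify with full User-Name:    ", server_can_verify(full, full))      # True
    print("verify with Stripped-User-Name:", server_can_verify(full, stripped))  # False
    print("DOMAIN\\user prefix stripped:   ",
          server_can_verify(strip_nt_domain("EXAMPLE\\radiustest"), "radiustest"))  # True
```

This stops at the challenge step on purpose: the NT-Response is DES over this 8-octet challenge keyed from the NT-Password hash, so once the challenges disagree nothing downstream can recover. That is also why option (b) above (a password store FreeRADIUS can read) and option (a) (clients sending the bare name) are the only ways out, and why an alias in OD that matches the full user@realm string works: it makes the directory lookup succeed under the same name the client hashed.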