Need help with FreeRADIUS stripping NT domain name from usernames

Alan DeKok aland at
Mon Aug 2 13:55:10 CEST 2021

On Aug 2, 2021, at 7:28 AM, Nazar Tareyev via Freeradius-Users <freeradius-users at> wrote:
> Is there a FreeRADIUS professionals or experienced admins? I need help with stripping domain name from username. I've inherited this FreeRADIUS installation from previous admin and struggling to understand how it was configured in full. But as I see, stripping and policy config is pretty much default, nothing changed there.
> Users in our network use DOMAIN\Username format. When they log on with just username, authorization works as needed. When they use DOMAIN\Username, radius rejects login request.

  The rejection below is for a different reason.  But you still have to fix the DOMAIN issue.

> How do I configure FreeRADIUS to allow both username and DOMAIN\Username formats to be used? How do I strip DOMAIN\ from username?

  See the default configuration, which already does this:

* list DOMAIN in proxy.conf, so that the server knows about it:


* then edit sites-available/default.  Look for "ntdomain".  It should be listed after the "suffix" line.  Uncomment "ntdomain".

> ...
> (9) eap_peap: <<< recv TLS 1.2  [length 0002]
> (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (9) eap_peap: ERROR: TLS_accept: Failed in error
> (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
> (9) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
> (9) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

  That's why authentication is failing.  The client doesn't know about the servers CA certificate.  Follow the docs to get EAP working.  My site has lots of documentation:

  Alan DeKok.

More information about the Freeradius-Users mailing list