Masquerading MSCHAPv2 User-Name?

Alan DeKok aland at
Mon Feb 15 16:39:43 CET 2021

On Feb 15, 2021, at 10:11 AM, David Herselman via Freeradius-Users <freeradius-users at> wrote:
> We unfortunately have network devices which exclusively support MSCHAPv2 but have had excellent success using freeradius 3.0.17 with Samba Winbind.

  That's good.

> I presume freeRADIUS has built-in support to masquerade the presented username, as the mschap config file references the following:
> winbind_username = "%{mschap:User-Name}"
> winbind_domain = "%{mschap:NT-Domain}"

  I'm not sure what you mean by "masquerade the presented username".  That is not at all common terminology.

> I'm aware of MS-CHAPv2 proving knowledge of the password and previously assumed that it only applied to the password hash exchanges. My Google-Fu, however, led me to an article titled Understanding PEAP In-Depth, where the values initiators and RADIUS generate are summarised as:

  That is *way* down into technical details.  I'd suggest instead describing what you want to do.  Use simple descriptions.

> I presume FR generates the AuthenticatorResponse after obtaining the NTResponse from winbind, after feeding it winbind_username?
> If that is the case, would it be feasible to replace winbind_username and have FR handle all the wizardry?

  See above.  winbind is there for a reason.  We don't add features just to be sexy.  They all have a reason.

> I'd like to essentially transform an MSCHAPv2 client using USERNAME/PASSWORD to winbind authenticating this as USER2/PASSWORD.

  It's impossible.  It's designed to be impossible.  Not by us, but by the people who designed MS-CHAP in the first place.  It's been this way for 20+ years.

  If this was possible, then FreeRADIUS would ship with an example configuration which shows how to do this.

> Why? I was hoping to implement 2FA by using my AD password as per normal, only replacing my username with the 44 char string that a YubiKey touch operation spits out via the USB HID keyboard. The prefix of this string is a globally unique 12 character fixed ID, unique to each key. This way I could look up the username prefix in a file and then set winbind_username as the AD account name that key belongs to. Thought process was to reject requests where the prefix wasn't found, then authenticate to AD using the username we looked up, check group membership and finally validate the Yubico OTP (the username supplied originally) against YubiCo validation servers.

  FreeRADIUS can split strings into pieces, and look those pieces up in files.  It can check passwords against multiple back-ends.

  But I have no idea what this has to do with MS-CHAP.

  If FreeRADIUS gets a clear-text AD password, it can just check that password against AD, using LDAP.  There's no need to use MS-CHAP or winbind.

  Alan DeKok.
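Why the USER2 substitution cannot verify, as an added illustration that is not part of this thread or of FreeRADIUS: RFC 2759's ChallengeHash() feeds the User-Name (with any DOMAIN\ prefix removed, which is what %{mschap:User-Name} yields) into the 8-octet challenge over which the NT-Response, and through it the Authenticator-Response, are computed, so the server has to hash the same name the client did. The challenge and user-name constants are the RFC 2759 section 9.2 test vectors; the helper names and the sample USERNAME/USER2 pair are assumptions made here.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the 8-octet challenge that the
    NT-Response (and, via it, the Authenticator-Response) is computed over.
    user_name is the bare name, without any prepended DOMAIN\\ part."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("PeerChallenge and AuthenticatorChallenge are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode("ascii")).digest()
    return digest[:8]


def strip_domain(user_name: str) -> str:
    """Drop a DOMAIN\\ prefix, as %{mschap:User-Name} does before the name is hashed."""
    return user_name.rsplit("\\", 1)[-1]


def server_challenge_matches(client_name: str, server_name: str,
                             peer_challenge: bytes, auth_challenge: bytes) -> bool:
    """Does a server that recomputes the challenge with server_name obtain the same
    8 octets the client used with client_name?  If not, the NT-Response it derives
    from the stored NT hash cannot match the client's and authentication fails."""
    return challenge_hash(peer_challenge, auth_challenge, strip_domain(client_name)) == \
        challenge_hash(peer_challenge, auth_challenge, strip_domain(server_name))


# Known-answer vector from RFC 2759 section 9.2 (UserName = "User").
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_USER_NAME = "User"
RFC2759_CHALLENGE = bytes.fromhex("D02E4386BCE91226")


def rfc2759_vector_passes() -> bool:
    """Self-check of challenge_hash() against the published vector."""
    return challenge_hash(RFC2759_PEER_CHALLENGE, RFC2759_AUTH_CHALLENGE,
                          RFC2759_USER_NAME) == RFC2759_CHALLENGE


if __name__ == "__main__":
    # Constructed sample challenges; the client hashed "USERNAME", the server
    # looks the YubiKey prefix up and would like to try "USER2" instead.
    peer, auth = bytes(range(16)), bytes(range(16, 32))
    print("RFC 2759 vector OK  :", rfc2759_vector_passes())
    print("same name           :", server_challenge_matches("USERNAME", "USERNAME", peer, auth))
    print("DOMAIN\\ prefix only :", server_challenge_matches("EXAMPLE\\USERNAME", "USERNAME", peer, auth))
    print("USER2 substituted   :", server_challenge_matches("USERNAME", "USER2", peer, auth))
```

Only the domain prefix can differ between what the client sent and what the server hashes; any change to the bare name produces a different challenge and therefore a different NT-Response.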
