Masquerading MSCHAPv2 User-Name?

Alan DeKok aland at
Thu Feb 18 02:01:36 CET 2021

On Feb 17, 2021, at 2:54 PM, David Herselman <dhe at> wrote:
> I'm surprised by your response as I can update mods-available/mschap to set 'winbind_username = "davidh"'

  winbind is not MS-CHAP.  Winbind is (essentially) the database query used to verify the MS-CHAP information.

  The "winbind_username" field is *not* used in any part of the MS-CHAP calculation.  As I said.

  TBH, I'm rather surprised that you ask questions, and then argue with the answers.  Are you that aware of the details of each protocol, that you can authoritatively argue against someone who's been doing this for 20 years?

> and then successfully login via MS-CHAPv2 by entering the password for davidh, but providing an alternate username:

  It doesn't matter.

  I can put the users password into an LDAP entry for user with the name "I_like_to_eat_pizza".  That name has nothing whatsoever to do with the MS-CHAP calculations.

  Try this with the "users" file.   Add this to the top of the "users" file:

DEFAULT Cleartext-Password := "hello"

  Then log in as ANY other user (e.g. "bob"), using MS-CHAP, and the password "hello".  Use "radclient" or "radtest" to do this.

  What will happen?  The user will be authenticated.  But if the entry in the "users" file is for DEFAULT, how can this possibly work?

  Answer:  if you understand the system, the answer is obvious.

> I presume FR therefor does have the ability to transform/replace/masquerade

  Stop using the term "masquerade".  It's wrong.  I already told you that it's not correct terminology.  Your repeated use of it shows that you don't know how things work.  And worse, that you''re resisting the suggestion to learn.

  You're asking questions using terms you've invented, and are then arguing with the answers.  This is generally a good approach if you want to confuse and annoy people.  I suggest not doing this.

> the presented username when using MS-CHAPv2. Just in case andrewr and davidh happen to hash to the same value, I tried with the OTP generated by a press of a YubiKey:

  Whatever question you're asking is unrelated to the tests you're doing.

  Stop inventing terms.  Stop doing irrelevant tests.  Put some effort into understanding the system.

  I still have no idea what you're really trying to do.  In large part because you're not describing it using simple, common, terms.  You're not saying what the RADIUS server receives, what's in the DB, what keys are used for lookups, etc.  You just keep repeated "I want to masquerade the user name for MS-CHAP", as if repetition will get your point across.

  It won't.

  Alan DeKok.

More information about the Freeradius-Users mailing list