Masquerading MSCHAPv2 User-Name?

David Herselman dhe at
Fri Feb 19 21:08:33 CET 2021

The following appears to work:
authorize {
    update request {FreeRADIUS-Client-Shortname = "%{Client-Shortname}"}
    if (User-Name =~ /^cccccct00001[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "davidh"}}
    if (User-Name =~ /^cccccct00002[cbdefghijklnrtuv]{32}$/) {update request {sAMAccountName = "philipo"}}
    if (&sAMAccountName) {
        update request {Yubikey-OTP = "%{User-Name}"}
        update control {Auth-Type := "YubiCHAP"}
    }
    # Present the mapped account name while the files module runs
    if (&sAMAccountName) {update request {User-Name := "%{sAMAccountName}"}}
    files
    # Restore the original OTP string as User-Name afterwards
    if (&sAMAccountName) {update request {User-Name := "%{Yubikey-OTP}"}}

authenticate {
    Auth-Type YubiCHAP {

David Herselman


My next puzzle is how to call the yubikey module. I'd naively thought I could stick it in post-auth, to do some kind of late reject. Most probably need to spend some time trawling the web to find out how to trigger the yubikey auth after mschap...
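
The prefix-to-account mapping from the configuration above, written as a table lookup with strict length and modhex checks. This is an added Python example, not part of the original post or of FreeRADIUS; `resolve_identity` and `KEY_OWNERS` are hypothetical names and the sample OTP values are constructed.

```python
import re

MODHEX = "cbdefghijklnrtuv"  # Yubico modhex alphabet, maps to hex digits 0-f
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
_TOKEN_RE = re.compile("[%s]{32}" % MODHEX)

# Prefix -> account pairs copied from the post; the 12-character prefix is
# matched literally, as the post's regexes do.
KEY_OWNERS = {
    "cccccct00001": "davidh",
    "cccccct00002": "philipo",
}


def resolve_identity(user_name, owners=KEY_OWNERS):
    """Return (account, token_bytes) for a well-formed OTP User-Name, else None.

    A User-Name is accepted only if it is exactly 44 characters: a known
    12-character key prefix followed by 32 modhex characters.
    """
    if len(user_name) != 44:
        return None  # rejects truncated input and trailing whitespace/newlines
    prefix, token = user_name[:12], user_name[12:]
    account = owners.get(prefix)
    if account is None or not _TOKEN_RE.fullmatch(token):
        return None
    # Decode the one-time part to 16 raw bytes (modhex -> hex -> bytes)
    return account, bytes.fromhex(token.translate(_TO_HEX))


if __name__ == "__main__":
    # Constructed sample inputs, not real OTPs
    token = "cbdefghijklnrtuv" * 2
    for name in ("cccccct00001" + token,        # known key
                 "cccccct00009" + token,        # unknown key prefix
                 "cccccct00002" + token + "\n", # trailing newline
                 "cccccct00002" + token.upper()):
        print(repr(name), "->", resolve_identity(name))
```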
