Username not stripped in NPS

Alan DeKok aland at
Mon Feb 26 13:44:46 UTC 2024

On Feb 26, 2024, at 8:38 AM, Cristian Di Livio <cristian.dilivio at> wrote:
> I would like to configure wi-fi authentication with 802.1x with multiple
> realms and only one NPS (therefore only one active directory domain). For
> example:
> - AD domain ->
> - realms that can be used -> domain; otherRealm

  I don't know what that means.

  Is FreeRADIUS proxying to NPS?  What does the network look like?

> With PEAP traffic, NPS doesn't allow you to manipulate the realm so I can't
> use find and replace in NPS configuration.
> So I tried to send the stripped username from freeradius but the realm
> still arrives in the NPS with realm and it is giving me the error that the
> domain does not exist.

  "I tried to do stuff and it didn't work".  Please read the documentation on how to ask good questions, and what information we need when you post to the list.

> Why is the realm sent even though I said to strip the username in the
> proxy.conf file?

  Read the debug output.  ALL of the documentation says to do this.

> Is there alternatively the possibility to do a find and replace in
> freeradius?

  You haven't described what you're doing.  So I have no idea.

  In general, you can't edit the User-Name when doing EAP.  Bad things happen.

  FreeRADIUS can talk to AD via Samba.  So why not just drop NPS, and use that?

  Alan DeKok.

