All,

A few facts first:

Windows seems to "know" about both DOM\user and [EMAIL PROTECTED] formats for usernames; when generating an mschap response, it only ever uses the "user" portion.

ntlm_auth seems to take *exactly* what you put into the command line; that is, it does NO stripping of DOM\user or [EMAIL PROTECTED]

rlm_mschap registers several expansions, including mschap:User-Name - this particular expansion performs the following transforms:

    host/name.dom.example.org -> name$
    DOM\user -> user

I'm wondering if it would be sensible to add the following transform to the above list:

    [EMAIL PROTECTED] -> user

The rationale being thus: if you want to support both prefix and suffix forms of the realm *and* machine based auth, you have to use the slightly non-intuitive syntax:

    ntlm_auth --username=%{Stripped-User-Name:-%{mschap:User-Name}}

and have:

    modules {
        realm suffix {
            format = suffix
            delimiter = "@"
            ignore_null = yes
        }
        realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_null = yes
        }
    }

    authorize {
        preprocess
        prefix
        suffix
        mschap
    }

If the @suffix transform were in mschap, it would be possible to dispense with the realm modules entirely, and just use:

    ntlm_auth --username=%{mschap:User-Name}

Comments?
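The transforms discussed in this message, including the proposed @suffix one, as an added example that is not part of the original post and is not FreeRADIUS source. The function name mschap_user_name, the handling of a host/ name with no dot, and the choice of the last '@' as the realm delimiter are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not FreeRADIUS source): reduce a User-Name to the
 * bare account name for ntlm_auth. Returns 0 on success, -1 on an empty
 * name or a too-small buffer. */
int mschap_user_name(const char *in, char *out, size_t outlen)
{
    const char *start = in, *p;
    size_t len, machine = 0;

    if (strncmp(in, "host/", 5) == 0) {
        /* host/name.dom.example.org -> name$ (no dot: assumed whole name) */
        start = in + 5;
        p = strchr(start, '.');
        machine = 1;
    } else {
        /* DOM\user -> user */
        if ((p = strchr(in, '\\')) != NULL)
            start = p + 1;
        /* proposed transform: user@realm -> user (last '@' assumed) */
        p = strrchr(start, '@');
    }
    len = p ? (size_t)(p - start) : strlen(start);
    if (len == 0 || len + machine + 1 > outlen)
        return -1;
    memcpy(out, start, len);
    if (machine)
        out[len++] = '$';
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample names; the realm is a placeholder. */
    const char *samples[] = { "host/name.dom.example.org", "DOM\\user",
                              "user@dom.example.org", "user", "@realm" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (mschap_user_name(samples[i], buf, sizeof buf) == 0)
            printf("%-28s -> %s\n", samples[i], buf);
        else
            printf("%-28s -> rejected\n", samples[i]);
    }
    return 0;
}
```

An empty account name such as "@realm" is rejected here rather than passed through.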