On Fri, Sep 13, 2013 at 12:23:47AM +0100, trevor obba wrote: > expand: --username=%{mschap:User-Name:-None} -> --username=t...@abc.ac.uk ... > Exec-Program output: Logon failure (0xc00004f)
> How can I fix the problem of authentication users that type > in there local realm @abc.ac.uk with their username as well as proxing eduroam > users? > Basically, how do I authenticate local user or stripe local > realm before pass to active directory for authentication? Use unlang to strip the realm off, something like this before the call to eap: if ("%{User-Name}" =~ /^([^@]*)(@([-[:alnum:].]+))?$/) { update request { Stripped-User-Name := "%{1}" } if ("%{3}") { update request { Realm := "%{3}" } } else { # this will reject requests that have no realm reject } } Then in your mschap module config use Stripped-User-Name instead of User-Name, e.g. ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Matthew -- Matthew Newton, Ph.D. <m...@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html