Account preProcessing

tnt at kalik.net
Wed Mar 25 01:31:51 CET 2009


>Currently my institution allows for registered users to create guest accounts for visitors to enable wireless access for the guest users (wireless access is controlled via Captive Portal/PAP with a Kerberos Directory backend).
>Registered users create the guest accounts using the guest user's email address, such as Jdoe at gmail.com, jdoe at hotmail.com, etc.  This poses a slight problem though, as the "@" sign is a reserved character for Kerberos and thus principals with the "@" cannot be created within our KDC.  To solve this problem the account generation application substitutes the "@" for a "+" (so Kerberos principals are created in the form jdoe+gmail.com, jdoe+hotmail.com).
>If guest users remember to sub a "+" for their "@" all is well; however, oftentimes people forget this and get stuck wondering why their username jdoe at gmail.com is failing when they have been assured all is well.
>To completely eradicate this situation we would like to place a FreeRADIUS instance in place of our proprietary RADIUS solution and have it perform the substitution during authentication, so neither the guest nor the registered user need concern themselves with the whole "@" "+" thing (so from their standpoint the principal is jdoe at gmail.com, nice and easy... for them ;)
>I have been trying to determine the best way to accomplish this and would greatly appreciate any ideas as to how this may be completed.

Use regex to rewrite usernames with @ in them. You have some examples on
the wiki:

http://wiki.freeradius.org/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

Ivan Kalik
Kalik Informatika ISP
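
The rewrite suggested above, as an added example that is not part of the original post or taken from the wiki page: an unlang fragment in FreeRADIUS 2.x syntax for the `authorize` section. It assumes the Kerberos module authenticates `Stripped-User-Name` when that attribute is present, which should be confirmed in `radiusd -X` debug output before relying on it.

```unlang
authorize {
    # Guest typed the e-mail form: exactly one "@", and a domain limited to
    # hostname characters, so "a@b+c" cannot map onto another guest's "a+b+c".
    if (User-Name =~ /^([^@]+)@([A-Za-z0-9.-]+)$/) {
        update request {
            # The original User-Name is left untouched for logging/accounting.
            Stripped-User-Name := "%{1}+%{2}"
        }
    }
    elsif (User-Name =~ /@/) {
        # Several "@", an empty local part, or unexpected domain characters:
        # refuse rather than guess which principal was meant.
        reject
    }
    # Names without "@" (registered users, or guests who already typed "+")
    # fall through unchanged to the modules listed after this block.
}
```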



