Removing domain name in freeradius
Phil Mayers
p.mayers at imperial.ac.uk
Tue Oct 12 17:43:03 CEST 2010
On 12/10/10 16:06, Mark Holmes wrote:
> Hi all,
>
> Currently when users connect to our WLAN they enter their username thus:- firstname.lastname@mydomain.ox.ac.uk
>
> Is there a way I can strip everything after the @ out (i.e. the domain), so they are forced to authenticate against the domain I specify?
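Sure, a couple of different ways:

1. Define "mydomain.ox.ac.uk" as a realm in proxy.conf, enable
"strip", add the "suffix" module to authorize, update any config to try
the Stripped-User-Name attribute first:

  authorize {
    ...
    # realm module: splits user@realm; with "strip" enabled for the
    # realm it sets Stripped-User-Name
    suffix
  }

  modules {
    mschap {
      # prefer Stripped-User-Name, fall back to the MS-CHAP User-Name
      ntlm_auth = "... username=%{%{Stripped-User-Name}:-%{mschap:User-Name}}"
    }
  }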
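
2. Write an unlang expression:

  authorize {
    # split user@realm into its two parts
    if (User-Name =~ /^(.*)@(.*)/) {
      update request {
        User-Name := "%{1}"
        Realm := "%{2}"
      }
      # anchored with ^ and $ so that only this exact realm is accepted
      if (Realm !~ /^mydomain\.ox\.ac\.uk$/i) {
        # invalid
        reject
      }
    }
  }
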
Which is "better" will depend on exactly what you're trying to do. I use
the former, but mostly for historical reasons. The latter may be
somewhat more flexible.
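
Added example (not part of the original post, and not FreeRADIUS code): a Python model of the unlang block in option 2, showing how the greedy split and the realm test treat different usernames, with the realm pattern tried both without anchors and anchored with ^ and $. It assumes Python's re behaves like the server's regex engine for these simple patterns; authorize() and the sample names are constructed for illustration.

```python
import re

# Assumption: Python's re stands in for the server's regex engine; the
# patterns below are simple enough to behave the same way.
SPLIT = re.compile(r"^(.*)@(.*)")
REALM_UNANCHORED = re.compile(r"mydomain\.ox\.ac\.uk", re.I)
REALM_ANCHORED = re.compile(r"^mydomain\.ox\.ac\.uk$", re.I)


def authorize(user_name, realm_re):
    """Model of the unlang block: return (verdict, User-Name, Realm)."""
    m = SPLIT.search(user_name)
    if m is None:
        # No "@": the outer "if" is skipped, so the name passes unchanged
        # and no realm check is applied to it.
        return ("continue", user_name, None)
    # (.*) is greedy, so group 1 runs up to the LAST "@" in the name.
    user, realm = m.group(1), m.group(2)
    if realm_re.search(realm) is None:
        return ("reject", user, realm)
    return ("continue", user, realm)


# Constructed sample usernames, not taken from any real log.
SAMPLES = [
    "firstname.lastname@mydomain.ox.ac.uk",
    "firstname.lastname@MYDOMAIN.OX.AC.UK",
    "firstname.lastname",
    "firstname.lastname@other.example",
    "firstname.lastname@mydomain.ox.ac.uk.other.example",
    "a@b@mydomain.ox.ac.uk",
]

if __name__ == "__main__":
    for name in SAMPLES:
        loose = authorize(name, REALM_UNANCHORED)
        strict = authorize(name, REALM_ANCHORED)
        print(f"{name!r}\n  unanchored: {loose}\n  anchored:   {strict}")
```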