Strip off the domain part from the User-Name

Phil Mayers p.mayers at imperial.ac.uk
Sat Mar 26 11:50:41 CET 2011


On 03/25/2011 10:09 PM, Robert Roll wrote:
>> If you just want to split username at realm into username and realm, you
>> should be able to use this in authorize section
>>
>>                 if ("%{request:User-Name}" =~ /^(.*)@(.*)$/) {
>>                         update request {
>>                                Stripped-User-Name := "%{1}"
>>                                 Realm := "%{2}"
>>                         }
>>                 }
>>
>
>   Yes, thanks, and we may end up doing exactly that. However, I just
> point out that freeradius OBVIOUSLY already has the capability to do
> exactly this, so why re-invent the wheel?

In fact, if you're just using variations of the username to signal 
different intent (an interesting idea in the context of vlan 
assignment), then you're actually doing something similar to old-style 
"hints" - the "hints" file that comes with the server has examples.

You can certainly use the "realm" module for this, and we used to do 
just that - but I've recently been convinced of the superiority of 
unlang, because you have a lot more control over the behaviour.

If you're bothered by unlang making your radius policy too unwieldy, you 
can make use of "policy.conf" to write a virtual "module" e.g.:

policy.conf:

policy {
  optional_realm {
    if (User-Name =~ /(.+)@(.+)/) {
      update request {
        Stripped-User-Name := "%{1}"
        Realm = "%{toupper:%{2}}"
      }
      updated
    }
    else {
      notfound
    }
  }
}

sites-enabled/XXX:

authorize {
   optional_realm
   if (updated) {
     update reply {
       Vlan := "%{ldap:... %{Realm} ...}"
     }
   }
}

>
>> As a side note, even if you only use freeradius locally (without any
>> external server to proxy to), using proxy can be useful if you have
>> multiple realms with different configurations. Using proxy you can
>> split the request into different virtual servers based on their realm.
>> --
>> Fajar
>
>    Yes, I do agree... As I said earlier, some of what I am doing is just to
> try and experiment and see what is possible.  I'm actually quite impressed
> with Freeradius and right now, we are still a ways from what I would consider
> any kind of final configuration...

In which case it's definitely worth trying the unlang approach, just to 
get familiar with the differences.

You can also of course do actual proxying, either to remote servers or 
other local virtual servers; just update the stuff above to also do:

  update control {
    Proxy-To-Realm := "..."
  }

This is an area where unlang is superior - you might want the "realm" 
and "proxy-to-realm" to be completely different and related in ways 
non-obvious, and impossible to express in proxy.conf (e.g. via an SQL 
lookup).


[1] Different for regexp realms, of course.
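The following Python model is an added example, not FreeRADIUS code and not from anyone in this thread: it mimics what the optional_realm policy and the authorize section above do, so the regex edge cases can be checked offline. The realm table (EXAMPLE.ORG, PARTNER.EXAMPLE, the "partner-proxy" target and the VLAN names) is a constructed stand-in for proxy.conf or the LDAP/SQL lookup the post alludes to. It also shows why the one-group regex in the quoted snippet (`/^(.*)@/` with `%{2}`) leaves Realm empty, and how the greedy two-group regex treats a User-Name containing more than one "@".

```python
import re

# Constructed realm table standing in for proxy.conf or an SQL/LDAP lookup;
# realm names, proxy target and VLAN names are assumptions, not from the post.
REALM_TABLE = {
    "EXAMPLE.ORG":     {"proxy": None,            "vlan": "staff"},
    "PARTNER.EXAMPLE": {"proxy": "partner-proxy", "vlan": "guest"},
}

# The two regexes that appear in the thread.
QUOTED_PATTERN = re.compile(r"^(.*)@")     # quoted snippet: one capture group only
POLICY_PATTERN = re.compile(r"(.+)@(.+)")  # optional_realm policy: two greedy groups


def optional_realm(user_name, pattern=POLICY_PATTERN):
    """Model the optional_realm policy: return (rcode, request-attribute updates)."""
    m = pattern.search(user_name)
    if not m:
        return "notfound", {}
    groups = m.groups()
    # A capture that does not exist (%{2} with a one-group regex) is treated
    # as the empty string, which is the assumption this model makes about unlang.
    realm = groups[1] if len(groups) > 1 else ""
    return "updated", {
        "Stripped-User-Name": groups[0],
        "Realm": realm.upper(),            # %{toupper:%{2}}
    }


def authorize(user_name, realm_table=REALM_TABLE):
    """Model the authorize section: realm split, then VLAN reply or proxy decision."""
    rcode, request = optional_realm(user_name)
    result = {"rcode": rcode, "request": request, "control": {}, "reply": {}}
    if rcode != "updated":
        return result                       # no realm: nothing further to decide here
    entry = realm_table.get(request["Realm"])
    if entry is None:
        return result                       # unknown realm: leave it to later modules
    if entry["proxy"]:
        result["control"]["Proxy-To-Realm"] = entry["proxy"]   # update control { ... }
    else:
        result["reply"]["Vlan"] = entry["vlan"]                 # update reply { Vlan := ... }
    return result


if __name__ == "__main__":
    for name in ("alice@example.org", "bob@partner.example", "carol",
                 "dave@dept@example.org", "erin@", "frank@other.example"):
        print(name, "->", authorize(name))
    # The quoted one-group regex silently leaves Realm empty:
    print(optional_realm("alice@example.org", QUOTED_PATTERN))
```

Two things worth noticing when running it: "dave@dept@example.org" splits at the last "@" because both regexes are greedy, and "erin@" is notfound under the policy regex (which requires at least one character after the "@") but matches the quoted one-group regex with an empty realm.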
