I'm getting a request denied because the username matches \.\., but I don't see why that should be true Thread 3 handling request 0, (1 handled so far) (0) Received Access-Request Id 0 from 127.0.0.1:53392 to 0.0.0.0:2083 length 130 (0) User-Name = '@apc.painless-security.com' (0) GSS-Acceptor-Service-Name = 'trustidentity' (0) GSS-Acceptor-Host-Name = 'hartmans.local' (0) EAP-Message = 0x0200001f01406170632e7061696e6c6573732d73656375726974792e636f6d (0) Message-Authenticator = 0xc977441e8dda36e128cbd617a7f16ed1 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/abfab-tr-idp (0) authorize { (0) policy psk_authorize { (0) if (tls-psk-identity =* ANY) { (0) if (tls-psk-identity =* ANY) -> FALSE (0) } # policy psk_authorize = notfound (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> TRUE (0) if (&User-Name =~ /\.\./ ) { (0) update reply { (0) &Reply-Message += 'Rejected: Username contains ..s' (0) } # update reply = noop (0) [reject] = reject (0) } # if (&User-Name =~ /\.\./ ) = reject (0) } # policy filter_username = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/freeradius/sites-enabled/abfab-tr-idp (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> @apc.painless-security.com (0) attr_filter.access_reject: Matched entry DEFAULT at line 18 (0) [attr_filter.access_reject] = updated (0) if &reply:Eap-Message { (0) if &reply:Eap-Message -> FALSE (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1.000000 seconds Thread 3 waiting to be assigned a request Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 0 from 0.0.0.0:2083 to 127.0.0.1:53392 length 53 (0) Reply-Message += 'Rejected: Username contains ..s' Waking up in 3.9 seconds. Closing TLS socket from client port 53392 (0) >>> TLS 1.0 Alert [length 0002], warning close_notify Client has closed connection Waking up in 3.9 seconds.