Hello, I am redeploying 3.0.8 on a new system using the same config files as my existing prod systems... but in the new system, I get this error... Username does have a dot in the realm... but the expression somehow fails... (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (User-Name != "%{tolower:%{User-Name}}") { (0) EXPAND %{tolower:%{User-Name}} (0) --> *georgetown_test@eduroamus.edu <georgetown_test@eduroamus.edu>* (0) if (User-Name != "%{tolower:%{User-Name}}") -> FALSE (0) if (User-Name =~ / /) { (0) if (User-Name =~ / /) -> FALSE (0) if (User-Name =~ /@.*@/ ) { (0) if (User-Name =~ /@.*@/ ) -> FALSE (0) if (User-Name =~ /\\.\\./ ) { (0) if (User-Name =~ /\\.\\./ ) -> FALSE (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) { (0) * if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) -> TRUE* (0) if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) { (0) update reply { (0) Reply-Message += "*Rejected: Realm does not have at least one dot separator*" (0) } # update reply = noop (0) [reject] = reject (0) } # if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) = reject (0) } # policy filter_username = reject (0) } # authorize = reject (0) Using Post-Auth-Type Reject In the config, the rule looks like so: sudo grep -A4 -B5 -r "dot separator" /etc/raddb /etc/raddb/policy.d/filter- # must have at least 1 string-dot-string after @ /etc/raddb/policy.d/filter- # e.g. "user@site.com" /etc/raddb/policy.d/filter- # /etc/raddb/policy.d/filter- if ((User-Name =~ /@/) && (User-Name !~ /@(.+)\\.(.+)$/)) { /etc/raddb/policy.d/filter- update reply { /etc/raddb/policy.d/filter: Reply-Message += "Rejected: Realm does not have at least one dot separator" /etc/raddb/policy.d/filter- } /etc/raddb/policy.d/filter- reject /etc/raddb/policy.d/filter- } /etc/raddb/policy.d/filter- Thanks, Mohamed.