FreeRADIUS Version 3.0.4 I wish to modify the User-Name attribute in access-requests by appending the realm, but if I do that, FreeRADIUS refuses to proxy the request. I added the following to /etc/raddb/sites-enabled/default: authorize { if("%{User-Name}" !~ /@/) { update request { User-Name := "%{User-Name}@uni.ac.uk" Realm := "eduroam" } ... radiusd -X output: Ready to process requests Received Access-Request Id 0 from 10.10.200.254:36488 to 10.10.2.53:1812 length 148 User-Name = 'testuser' NAS-IP-Address = 6.71.67.224 Calling-Station-Id = '00-00-00-00-00-02' Called-Station-Id = '88-15-44-47-43-E0:TEST' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x0200000d01756e697431323334 Message-Authenticator = 0xca24c7b4bfe0fa73b421bc8c9c1e29a5 (0) Received Access-Request packet from host 10.10.200.254 port 36488, id=0, length=148 (0) User-Name = 'testuser' (0) NAS-IP-Address = 6.71.67.224 (0) Calling-Station-Id = '00-00-00-00-00-02' (0) Called-Station-Id = '88-15-44-47-43-E0:TEST' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = 'CONNECT 11Mbps 802.11b' (0) EAP-Message = 0x0200000d01756e697431323334 (0) Message-Authenticator = 0xca24c7b4bfe0fa73b421bc8c9c1e29a5 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) if ("%{User-Name}" !~ /@/) (0) EXPAND %{User-Name} (0) --> testuser (0) if ("%{User-Name}" !~ /@/) -> TRUE (0) if ("%{User-Name}" !~ /@/) { (0) update request { (0) EXPAND %{User-Name}@uni.ac.uk (0) --> testuser@uni.ac.uk (0) User-Name := "testuser@uni.ac.uk" (0) Realm := 'eduroam' (0) } # update request = noop (0) } # if ("%{User-Name}" !~ /@/) = noop (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = noop (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Request already has destination realm set. Ignoring (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 0 length 13 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Identity does not match User-Name, setting from EAP Identity (0) eap : Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> testuser@uni.ac.uk (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Identity does not match User-Name, setting from EAP Identity (0) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Suggestions greatly appreciated.