On 12/10/10 16:06, Mark Holmes wrote:
Hi all,
Currently when users connect to our WLAN they enter their username thus:- firstname.lastname@mydomain.ox.ac.uk
Is there a way I can strip everything after the @ out (ie the domain) - so they are forced to authenticate against the domain I specify.
Sure, a couple of different ways: 1. Define "mydomain.ox.ac.uk" as a realm in proxy.conf, enable "strip", add the "suffix" module to authorize, update any config to try the Stripped-User-Name attribute first: authorize { ... strip } modules { mschap { ntlm_auth = "... username=%{%{Stripped-User-Name}:-%{mschap:User-Name}}" } } 2. Write an unlang expression: authorize { if (User-Name =~ /^(.*)@(.*)/) { update request { User-Name := "%{1}" Realm := "%{2}" } if (Realm !~ /mydomain\.ox\.ac\.uk/i) { # invalid reject } } } Which is "better" will depend on exactly what you're trying to do. I use the former, but mostly for historical reasons. The latter may be somewhat more flexible.