Modifying User-Name and User-Password attributes in a module

Stefan Winter stefan.winter at
Thu Apr 10 08:43:54 CEST 2008

> > update request {
> > 	User-Name := whatever
> > 	User-Password := wh4t3v3r
> > }
> >
> > in the pre-proxy section work? No need for a module then... And if I may
> > ask, why would you need to modify name and password for proxying? If it's
> > just about cutting out realms, there is an excellent realm module to do
> > that for you.
> Yes, I can do that for static modifications, but in my case I have to
> split the password and extract N bytes from it, which is a One-time
> password for 2 factor authentication. I have to receive AUTH_ACK from
> main radius server using the original password and then process the
> second authentication stage with a 2 factor authentication manager using
> that N bytes long OTP. (Connecting to 2FA server, sending OTP and
> receiving result) This is why I need to do it in a module.

unlang can do WAY more than just static replacements. Use a regular 

if ( %{request:User-Password} =~ (.*)(......) ) update request {
	User-Password := %{2}

... or something close to that. My syntax may be imperfect, maybe someone can 
provide a more bullet-proof/correct one. 

This here is supposed to mean: if the password is at least 6 characters long, 
change the password so that it only is those last six characters (%{1} would 
be: only the first part, without the trailing OTP).
If it is less than six, this expression does nothing. I guess in your scenario 
you would want to discard those outright, because they don't contain a valid 
OTP. Add another rule for this case then. I'm ssuming your "N" to be = 6 
because that's a common length for OTPs. Put more/less dots at the end of the 
regexp if you have a different setup.

> Now, any ideas on which of the user-password vp's I have to change ?

I'm trying to prepare you for the tough conclusion that you may not need any 
code changes here at all. That's why I changed the recipient to -users, 
not -devel.

> I know this is ugly. So, If I define my own attributes, is it necessary
> for main RADIUS server (which we proxy to) to have modified dictionary
> files ? or it will simply ignore those unknown attributes ?

It should. See RFC2865 section 5.26 and RFC5080 section 2.5 for details. But, 
to be honest, the pragmatically best approach is: TRY IT. Define a VSA, send 
it, and look what happens.


Stefan Winter


Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: stefan.winter at     Tel.:     +352 424409-1                Fax:      +352 422473
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the Freeradius-Devel mailing list