addition to policy.conf
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 4 11:30:31 CEST 2012
On 06/02/2012 10:34 PM, alan buxey wrote:
> cheers - some people's styles differ. I will test/verify the other operation.
> I'm also keen on those who can supply combined REGEX foo - such as making a single
We use the following:
    if (User-Name =~ /^([^@]*)@([-A-Z0-9]+(\\.[-A-Z0-9]+)+)$/) {
        update request {
            Stripped-User-Name := "%{1}"
            Realm := "%{toupper:%{2}}"
        }
    }
    else {
        update control {
            Reply-Message := "username is not RFC2486 compliant"
        }
        reject
    }
A few things to note about this regexp:
1. It doesn't check any syntactic validity of the username part; just
the realm. I'm not confident enough that an inclusive list e.g.
a-zA-Z0-9 is "safe" for usernames; especially since in theory they're UTF-8
2. It will allow realms of the form -a.-b.-c because I just use a
single range for all characters in the realm.
3. It doesn't blacklist any common typos e.g. ax.uk, uk.ac, etc. I'm
not certain this is a sensible thing for end sites to do; bogon lists
have a nasty habit of getting stale unless they're fed from a central
source in a totally automated fashion. I know AlexC was keen on
rlm_is_realm_in_dns (or something) but equally that prevents people
having legit realms that aren't resolvable (either publicly or at all)
> check for e.g. begins with . or ends with . (or would people prefer each rule
> to be separate so that locally they could easily just comment out a rule that wouldn't
> apply to them?)
Ideally, it should be so simple that no-one ever has cause to do
anything other than enable the policy.
Separate entries allow for more granular reply-message values I guess.
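As an added illustration (not from Phil's message or the FreeRADIUS project), the same regexp ported to Python and run against constructed sample User-Names, so the three caveats above can be seen rather than inferred: the loose pattern accepts "-a.-b.-c" style realms and typo realms such as ax.uk, and rejects a missing "@", a realm without a dot, or a leading/trailing dot. A stricter realm pattern is included alongside it that requires every label to start and end with a letter or digit, which closes the note-2 gap without touching the username part (note 1). It assumes the FreeRADIUS 2.x `=~` operator matches case-insensitively (hence the `toupper` in the original), mirrored here with `re.IGNORECASE`; the `split_nai` helper and all sample names are hypothetical.

```python
import re

# Port of the policy.conf regexp. The "\\." in unlang is string escaping for "\.",
# so the regex engine sees a literal dot. Assumed: FreeRADIUS 2.x '=~' is
# case-insensitive, so re.IGNORECASE reproduces it and the realm is upper-cased
# afterwards, as %{toupper:%{2}} does.
NAI_RE = re.compile(r'^([^@]*)@([-A-Z0-9]+(\.[-A-Z0-9]+)+)$', re.IGNORECASE)

# Stricter realm labels (added here, not in the post): each label must begin and
# end with a letter/digit, so "-a.-b.-c" and "a-.b" are rejected. The username
# part stays deliberately unchecked, for the UTF-8 reason given in note 1.
_LABEL = r'[A-Z0-9](?:[-A-Z0-9]*[A-Z0-9])?'
STRICT_NAI_RE = re.compile(
    r'^([^@]*)@(' + _LABEL + r'(?:\.' + _LABEL + r')+)$', re.IGNORECASE)


def split_nai(user_name, strict=False):
    """Apply the policy to one User-Name.

    Returns (Stripped-User-Name, REALM) when the policy would 'update request',
    or None when it would fall into the else branch and reject.
    """
    pattern = STRICT_NAI_RE if strict else NAI_RE
    m = pattern.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2).upper()


# Constructed sample names (not real accounts or realms).
SAMPLES = [
    "alice@example.ac.uk",   # normal NAI: accepted by both patterns
    "bob@-a.-b.-c",          # note 2: loose pattern accepts, strict rejects
    "eve@ax.uk",             # note 3: a plausible typo realm, accepted by both
    "carol@example",         # realm needs at least one dot: rejected
    "dave",                  # no '@' at all: rejected
    "alice@.example.ac.uk",  # leading dot in realm: rejected
    "alice@example.ac.uk.",  # trailing dot in realm: rejected
    "@example.ac.uk",        # empty username part is allowed by [^@]*
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:24} loose={split_nai(name)!s:28} "
              f"strict={split_nai(name, strict=True)}")
```

Running the script prints one line per sample with the loose and strict outcomes side by side; swapping `STRICT_NAI_RE` into the unlang would simply mean replacing `[-A-Z0-9]+` with the label expression, and the `Reply-Message` branch is unchanged either way.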