addition to policy.conf

Alan Buxey A.L.M.Buxey at
Tue Jun 5 19:19:57 CEST 2012

At least RFC 4282 which takes over the one you stated.

I still believe it is good to separate it out to comprehensible checks as that will allow further enhancements/future changes to be trivial...and for less skilled admin to understand what it does

On a bad day, more than 60% of our failed logins are due to duff realms with non-real format :(


----- Reply message -----
From: "Brian Candler" <B.Candler at>
Date: Tue, Jun 5, 2012 18:35
Subject: addition to policy.conf
To: "FreeRadius developers mailing list" <freeradius-devel at>

On Mon, Jun 04, 2012 at 10:31:10PM +0200, Stefan Winter wrote:
> Hi,
> > In that case though, I would be inclined to write a validation regexp
> > which fully matches the ABNF in RFC 2486.
> Elsewhere in the thread I presented arguments why a full check is a bad
> idea.
> Do you have arguments to back up your "inclinedness" or is it just a gut
> feeling?

Only a gut feeling of "either enforce RFC 2486, or don't". Anything else
seems to be a kludge to me.

Has anyone actually *measured* what proportion of their failed logins are
due to usernames containing two dots, or realms which start or end with a
dot, or the other things the OP's regexp tests rejected?
List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Devel mailing list