add realm to user based on NAS-IP

Arran Cudbard-Bell A.Cudbard-Bell at
Sun Apr 1 12:52:06 CEST 2007

> Message: 1
> Date: Sat, 31 Mar 2007 18:11:46 +0200
> From: Alexander Papenburg <freeradius at>
> Subject: add realm to user based on NAS-IP
> To: FreeRadius users mailing list
> 	<freeradius-users at>
> Message-ID: <460E8842.5060302 at>
> Content-Type: text/plain; charset=ISO-8859-15; format=flowed
> Hi all,
> i wonder if it is possible to add a realm to a username based on the 
> NAS-IP the request come from.
> For instance:
> - user "abc" logs on router
> - router asks a freeradius proxy for user "abc"
> - freeradius-proxy recognize the ip and add "@realm" to the username and 
> proxy the request to another freeradius-server based on "realm"-entry 
> in proxy.conf
> Unfortunatly I found many "solutions" in the past 2 hours (like 
> proxy-to-realm, attr_rewrite, hints...), I cant't decide which is the 
> right one for me. %) So help would be much appreciated.
> Thanks in advance
> Alexander

If your using eap, you can't rewrite the username as then the username 
in the outer identity won't match the
one in the eap tunnel and eap message will be rejected by your radius 
home server. Unless at your home server you strip the realm part
of the user-name attribute off again

Your best bet for this is to use the users file and the proxy-to-realm 

so you'd have in the users file on your proxying radius server

DEFAULT NAS-IP-Address ==, Proxy-To-Realm = "MyRealm"
    User-Name = "%{User-Name}@MyRealm"

Then add these to your hints file on your home radius server (though you 
may have to rewrite them depending on the regex engine
your home server is using).

# Writes stripped username to use in authorization (user@|%|/domain)
DEFAULT User-Name =~ "^([[:alnum:]]*)(@|%|/)([[:alnum:].]*)$"
         User-Name = "%{1}"

# Wrties alternate stripped username to use in authorization (domain\\user)
DEFAULT User-Name =~ "^([[:alnum:].]*)\\\\\\\\([[:alnum:]]*)$"
         User-Name = "%{2}"

Hope this helps :)

More information about the Freeradius-Users mailing list