How to cut the realm from a username before it is sent to authenticate against ldap with ttls/pap

Ivan Kalik tnt at kalik.net
Thu Jul 17 01:29:33 CEST 2008


>1. How could I get a username/password authenticated against ldap
>without its realm if there is one(i.e. cut away the realm @something.ca)?

ldap filter is set up to use Stripped_user_Name by default. If realm is
defined this will work. If it's an unknown realm it won't be stripped.

>I used Freeradius 2.0.5. We need this to see if:
>    * A user is a home user and log in from home NAS/AP (in this case he
>may not use any realm at all)

That works by default.

>    * or a user is a home user but log in from other college/university
>and proxied home by our upper eduroam proxy server at the guest
>college/university

Configure your realm as a local realm in proxy.conf.

>    * or a user is a roaming user from other college/university and we
>need to proxy the request to the upper eduroam radius server and finally
>back to his home college/university for authenticating.

Use DEFAULT realm in proxy.conf to send users from unknown realms to
"upper eduroam radius server".

>2. How could I get the client IP addresses to fill the "framedipaddress"
>field in the table raddacc?
>I used mysql as my accounting DB and the client ip addresses assigned by
>a dhcp server sitting in the LAN/VLAN.
>Now the field "framedipaddress" or "client-ip_address" is empty.

Your AP is most likely sending the accounting Start packet before the user
gets the IP address assigned. Delay sending of the Start packet for a
few seconds (if there is such a setting) or use accounting updates.

Ivan Kalik
Kalik Informatika ISP
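The three cases above (local realm, proxied-home realm, unknown realm sent upstream) map onto a small set of proxy.conf and ldap-module settings. The following is an added example of such a configuration for FreeRADIUS 2.x; it is not from the original post or from the FreeRADIUS project's own sample files. The realm name `example.ca`, the home server name `eduroam_upper`, its address `192.0.2.1` and the shared secret are placeholders chosen for the example; the `Stripped-User-Name` filter is the stock 2.x ldap default.

```conf
# proxy.conf (FreeRADIUS 2.x) -- added example, values are placeholders

# Upstream eduroam proxy. Address and secret are assumptions for this example.
home_server eduroam_upper {
        type    = auth+acct
        ipaddr  = 192.0.2.1
        port    = 1812
        secret  = CHANGE-ME-shared-secret
        status_check = status-server
}

home_server_pool eduroam_pool {
        type        = fail-over
        home_server = eduroam_upper
}

# Case 1 and 2: our own realm. No auth_pool/acct_pool means "handle locally",
# so requests for user@example.ca (whether they arrive directly from our
# own APs or come back down from the eduroam proxy) are authenticated here.
# The realm is stripped by default, which sets Stripped-User-Name = "user".
realm example.ca {
}

# Case 1, no realm at all: the suffix module finds no "@", leaves
# Stripped-User-Name unset, and the request is also handled locally.

# Case 3: any realm not listed above goes to the eduroam pool.
# "nostrip" keeps the full user@otherrealm so the remote home site
# can still route on it.
realm DEFAULT {
        auth_pool = eduroam_pool
        acct_pool = eduroam_pool
        nostrip
}

# modules/ldap -- the stock 2.x default filter already prefers the
# stripped name and only falls back to the full User-Name when no
# (known) realm was found, which is what question 1 asks for.
ldap {
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
}
```

For TTLS/PAP the inner identity is what reaches ldap, so the `suffix` realm module must run in the `authorize` section of the `inner-tunnel` virtual server (it is enabled there in the shipped configuration); an unknown realm with `nostrip` is expected to fall through to proxying rather than to an ldap lookup against the unstripped name.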