choose proxy based on AD

David McPike davidmcpike at
Wed Sep 29 12:17:57 CEST 2010

Hello All,

We are in the process of migrating users from one AD tree to another.
The migrated accounts will exist in both AD directories for a while
(usernames will not change) and I need to be able to choose a radius
server based on an LDAP group membership.  I have this working fine
for cases where users do not supply a realm but I am not sure of the
best way to do this for users that do supply an ntdomain-style realm.
In the new domain, no one requires a realm (need to strip if the user
has already been migrated), while the old domain has several child
domains.  I am using FR 2.1.10.

I was not successful trying to change the proxy server after one had
already been chosen.  I tried to remove the Realm attribute in the
authorize section but the request still went to the initially chosen
radius pool.

I tried stripping the realm manually prior to realm processing in
authorize {} but have not been successful yet.  I am using a simple
regex like this:
if (User-Name =~ /^[A-z]+\\(.*)/) {
    update request {
        Stripped-User-Name := "%{1}"

This always fails for 'radtest realm\\user'.

Am I missing something or is there a more elegant way to accomplish this?

Thanks very much,

More information about the Freeradius-Users mailing list