choose proxy based on AD

David McPike davidmcpike at
Thu Sep 30 17:40:59 CEST 2010

>> In other words, if I proxy to the old radius server, the username
>> needs to be realm\user again.
>  Set "nostrip" in the realm configuration.

I finally have a solution.  I wanted to keep strip enabled because I
have to perform the LDAP query on the stripped username.  So, I added
the following logic to pre-proxy {}:

# non-migrated old child domain user
if ("%{control:Proxy-To-Realm}" != "newrealm" && Realm) {
    update proxy-request {
        User-Name := "%{Stripped-User-Name}@%{Realm}"

This allows me to authenticate all child domain users from a single
old parent domain controller instead of having IAS servers installed
in every child domain.

I just had to re-read the unlang man page enough times to get all the pieces.

Thanks for all your help!

More information about the Freeradius-Users mailing list