Stripped-User-Name Problems (Re: Unmatched ( or \(, and, ?more?broadly, setting Stripped-User-Name)

Alexander Clouter alex at
Fri Jul 15 16:49:34 CEST 2011

Phil Mayers <p.mayers at> wrote:
>>Unfortunately, when you set nostrip in the config, it doesn't add a
>>Stripped-User-Name attribute to the request, but when you unset it,
>>rlm_realms adds a Stripped-User-Name attribute and also updates the
>>User-Name attribute to the same value.  
> I am 90% sure that's not what rlm_realm does. We use unlang to process 
> realms now, but I am certain we used it with nostrip and it left the 
> original User-Name intact and populated Stripped-User-Name.
You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and 
making it's way out into outer.reply.  When you use 'User-Name' in 
post-auth{} you will get reply:User-Name rather than request:User-Name 
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.


Alexander Clouter
.sigmonster says: You are the only person to ever get this message.

More information about the Freeradius-Users mailing list