Normalising the User-Name AVP in an Access-Accept

Nick Lowe nick.lowe at
Thu Apr 18 16:24:22 CEST 2013

Dear All,

I am curious if it is possible today with FreeRADIUS to normalise the
identity that is returned in the User-Name AVP in an Access-Accept?

Hypothetically, let's say that a client uses the PEAP EAP type and logs
in successfully using an inner-identity of its choosing in a valid
format. For example, it could be of any of the following forms:

foo at example
foo at
foo (where the default domain is configured)

What I want to achieve is that the value returned in the User-Name AVP
in the Access-Accept always be sent in lower case and in a fully
qualified, normalised format in the form foo at back to the

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which
case the client SHOULD use the name returned in the Access-Accept
packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be
the same as the User-Name attribute in the Access-Request.

So, a compliant NAS that is able to treat the User-Name AVP as being
authoritative would get to see the real, inner identity and in a
normalised form.

Is this possible?
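
The normalisation described in this message, as an added Python example that is not part of the original post and is not FreeRADIUS configuration. The default realm `example.test`, the alias table and the function names are assumptions made for illustration.

```python
# Added example. All realm values below are constructed, not taken from the post.
DEFAULT_REALM = "example.test"                 # assumption: the site's default realm
REALM_ALIASES = {"example": "example.test"}    # assumption: short realm -> fully qualified


class IdentityError(ValueError):
    """Raised when an inner identity cannot be normalised safely."""


def normalise_identity(identity, default_realm=DEFAULT_REALM, aliases=REALM_ALIASES):
    """Return the identity as lower-case user@realm with a fully qualified realm."""
    # Reject whitespace and control characters instead of silently stripping
    # them, so two different inputs never collapse into one accounting name.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in identity):
        raise IdentityError("whitespace or control character in identity")
    user, sep, realm = identity.partition("@")
    if not user:
        raise IdentityError("missing user part")
    if "@" in realm:
        raise IdentityError("more than one '@'")
    # A bare user name takes the default realm; a trailing root dot is dropped.
    realm = (realm if sep else default_realm).lower().rstrip(".")
    if not realm:
        raise IdentityError("empty realm")
    # Map a short realm to its fully qualified form when one is configured.
    realm = aliases.get(realm, realm)
    return f"{user.lower()}@{realm}"


def reply_user_name(inner_identity):
    """Value for the Access-Accept User-Name, or None to leave the attribute out."""
    try:
        return normalise_identity(inner_identity)
    except IdentityError:
        # Omit the attribute rather than echo an unparseable identity to the NAS.
        return None


if __name__ == "__main__":
    for sample in ("Foo@EXAMPLE", "FOO@Example.Test", "foo", "foo@a@b"):
        print(repr(sample), "->", reply_user_name(sample))
```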


