Normalising the User-Name AVP in an Access-Accept
nick.lowe at gmail.com
Thu Apr 18 16:24:22 CEST 2013
I am curious if it is possible today with FreeRADIUS to normalise the
identity that is returned in the User-Name AVP in an Access-Accept?
Hypothetically, lets say that a client uses the PEAP EAP type and logs
in successfully using an inner-identity of its choosing in a valid
format. For example, it could be of any of the following forms:
foo at example
foo at example.com
foo (where the default domain is configured)
What I want to achieve is that the value returned in the User-Name AVP
in the Access-Accept always be sent in lower case and in a fully
qualified, normalised format in the form foo at example.com back to the
RFC 2865 states in Section 5.1:
[The User-Name AVP] MAY be sent in an Access-Accept packet, in which
case the client SHOULD use the name returned in the Access-Accept
packet in all Accounting-Request packets for this session.
RFC 3579 states in Section 3:
The User-Name attribute within the Access-Accept packet need not be
the same as the User-Name attribute in the Access-Request.
So, a compliant NAS that is able to treat the User-Name AVP as being
authoritative would get to see the real, inner identity and in a
Is this possible?
More information about the Freeradius-Users