Normalising the User-Name AVP in an Access-Accept
aland at deployingradius.com
Thu Apr 18 16:51:38 CEST 2013
Nick Lowe wrote:
> I am curious if it is possible today with FreeRADIUS to normalise the
> identity that is returned in the User-Name AVP in an Access-Accept?
Yes. You can do pretty much anything you want.
> RFC 2865 states in Section 5.1:
> [The User-Name AVP] MAY be sent in an Access-Accept packet, in which
> case the client SHOULD use the name returned in the Access-Accept
> packet in all Accounting-Request packets for this session.
Well... not all NASes do that, of course.
> So, a compliant NAS that is able to treat the User-Name AVP as being
> authoritative would get to see the real, inner identity and in a
> normalised form.
> Is this possible?
Yes. I suggest writing down all possible *input* variants of the
User-Name. Then, determine what you want as output. And figure out how
to get from one to the other. i.e. "foo" -> "foo@example.com",
"foo\EXAMPLE" --> "foo@example.com".
Once you have all of those mappings, just write "unlang" policies to
check one after the other, and do the re-writing.
Most of the time, you can write policies down in plain English, and
convert them to unlang.
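
The mapping table suggested in this reply can be prototyped and checked before it is turned into unlang. The following is an added example, not part of the original post and not FreeRADIUS code; the realm table, the case-folding, the extra `EXAMPLE\foo` order and the choice to reject anything unmapped are assumptions.

```python
import re

# Assumptions for illustration: one default realm, one NetBIOS-style domain.
DEFAULT_REALM = "example.com"
DOMAIN_TO_REALM = {"EXAMPLE": "example.com"}
KNOWN_REALMS = set(DOMAIN_TO_REALM.values()) | {DEFAULT_REALM}

PART = r"[^@\\\s]+"  # one name component: no '@', backslash or whitespace
BARE = re.compile(PART)
AT_FORM = re.compile(rf"({PART})@({PART})")
SLASH_FORM = re.compile(rf"({PART})\\({PART})")


class UnmappedIdentity(ValueError):
    """The input matches none of the written-down variants."""


def normalise_user_name(raw: str) -> str:
    """Map each accepted input variant to user@realm, or refuse it."""
    name = raw.strip()
    if BARE.fullmatch(name):                      # "foo"
        return f"{name.lower()}@{DEFAULT_REALM}"
    m = AT_FORM.fullmatch(name)
    if m:                                         # "foo@example.com"
        user, realm = m.group(1), m.group(2).lower()
        if realm in KNOWN_REALMS:
            return f"{user.lower()}@{realm}"
        raise UnmappedIdentity(raw)
    m = SLASH_FORM.fullmatch(name)
    if m:                                         # "foo\EXAMPLE" or "EXAMPLE\foo"
        left, right = m.groups()
        if right.upper() in DOMAIN_TO_REALM:
            return f"{left.lower()}@{DOMAIN_TO_REALM[right.upper()]}"
        if left.upper() in DOMAIN_TO_REALM:
            return f"{right.lower()}@{DOMAIN_TO_REALM[left.upper()]}"
    # Anything else is refused so that an unexpected identity never reaches
    # the NAS, and from there the accounting records, unnormalised.
    raise UnmappedIdentity(raw)


# Constructed input -> output table, checked one row after the other.
TABLE = {
    "foo": "foo@example.com",
    "foo\\EXAMPLE": "foo@example.com",
    "EXAMPLE\\foo": "foo@example.com",
    "Foo@Example.COM": "foo@example.com",
}

def mismatches(table=TABLE):
    return {k: v for k, v in table.items() if normalise_user_name(k) != v}
```
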