Normalising the User-Name AVP in an Access-Accept

Alan DeKok aland at
Thu Apr 18 16:51:38 CEST 2013

Nick Lowe wrote:
> I am curious if it is possible today with FreeRADIUS to normalise the
> identity that is returned in the User-Name AVP in an Access-Accept?

  Yes.  You can do pretty much anything you want.

> RFC 2865 states in Section 5.1:
> [The User-Name AVP] MAY be sent in an Access-Accept packet, in which
> case the client SHOULD use the name returned in the Access-Accept
> packet in all Accounting-Request packets for this session.

  Well... not all NASes do that, of course.

> So, a compliant NAS that is able to treat the User-Name AVP as being
> authoritative would get to see the real, inner identity and in a
> normalised form.
> Is this possible?

  Yes.  I suggest writing down all possible *input* variants of the
User-Name.  Then, determine what you want as output.  And figure out how
to get from one to the other.  i.e. "foo" -> "foo at",
"foo\EXAMPLE" --> "foo at".

  Once you have all of those mappings, just write "unlang" policies to
check one after the other, and do the re-writing.

  Most of the time, you can write policies down in plain English, and
convert them to unlang.

  Alan DeKok.
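
Added example, not part of the original message and not FreeRADIUS code: the mapping exercise described in the reply (list every input variant, fix the wanted output, check the rules one after the other), prototyped in Python so the table can be tested before it is converted to unlang. The realm `example.org`, the short domain `EXAMPLE` that maps to it, the allowed character set and the lower-casing of names are assumptions.

```python
import re

# Assumed values, not from the post: the canonical realm and the short
# (NetBIOS-style) domain name that maps to it.
CANONICAL_REALM = "example.org"
SHORT_DOMAINS = {"example": CANONICAL_REALM}
KNOWN_REALMS = {CANONICAL_REALM}
NAME = r"[A-Za-z0-9._-]+"   # assumed character set for user and realm parts

def _bare(m):
    return m.group(1), CANONICAL_REALM

def _backslash(m):          # "foo\EXAMPLE", the order used in the post
    return m.group(1), SHORT_DOMAINS.get(m.group(2).lower())

def _at(m):
    realm = m.group(2).lower()
    return m.group(1), (realm if realm in KNOWN_REALMS else None)

# Rules are tried in order, like a chain of if / elsif checks in a policy.
RULES = [
    (re.compile(rf"({NAME})"), _bare),
    (re.compile(rf"({NAME})\\({NAME})"), _backslash),
    (re.compile(rf"({NAME})@({NAME})"), _at),
]

def normalise_user_name(raw):
    """Return the canonical 'user@realm', or None when no rule maps the input."""
    for pattern, build in RULES:
        m = pattern.fullmatch(raw)
        if m:
            user, realm = build(m)
            if realm is None:
                return None        # unknown realm: fail closed, do not guess
            return f"{user.lower()}@{realm}"  # assumption: names are case-insensitive
    return None

# Constructed input variants and the output wanted for each.
MAPPINGS = {
    "foo": "foo@example.org",
    "foo\\EXAMPLE": "foo@example.org",
    "Foo@EXAMPLE.ORG": "foo@example.org",
    "foo\\OTHER": None,
    "foo@other.test": None,
    "foo@example.org@x.test": None,
}

def check_mappings():
    # Inputs whose normalised form differs from the wanted output.
    return [raw for raw, want in MAPPINGS.items() if normalise_user_name(raw) != want]
```

An input that maps to `None` is one the policy has no rule for; the server-side policy then decides whether to reject it or to leave User-Name out of the Access-Accept.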

More information about the Freeradius-Users mailing list