Normalising the User-Name AVP in an Access-Accept

Nick Lowe nick.lowe at
Thu Apr 18 17:06:55 CEST 2013

Thanks, Alan!

I have got a feature request with Aerohive, our wireless vendor, to
support treating the User-Name AVP as being authoritative, which they
are being pretty receptive and responsive to.

(I think RADIUS clients need to stop treating the outer identity as
being authoritative if and where a User-Name is returned in the
Access-Accept now that TLS-based EAPs are the norm, and we should have
far more of an aggressive push to get vendors to implement this.)

It would be great if, rather than manually having to create mappings
and rewrite the identity, having successfully performed authentication,
FreeRADIUS were able to inherently spit out the identity in a
normalised form knowing the username and the realm. (Perhaps I am not
thinking things through here properly though for the general case



More information about the Freeradius-Users mailing list