Normalising the User-Name AVP in an Access-Accept

Phil Mayers p.mayers at
Thu Apr 18 17:21:11 CEST 2013

On 18/04/13 16:06, Nick Lowe wrote:
> Thanks, Alan!
> I have got a feature request with Aerohive, our wireless vendor, to
> support treating the User-Name AVP as being authoritative which they
> are being pretty receptive and responsive to.
> (I think RADIUS clients need to stop treating the outer identity as
> being authoritative if and where a User-Name is returned in the
> Access-Accept now that TLS based EAPs are the norm and we should have
> far more of an aggressive push to get vendors to implement this.)

IME it's fairly widely supported (but not exclusively, of course)

> It would be great if, rather than manually having to create mappings
> and rewrite the identity, having successfully performed authentication
> FreeRADIUS were able to inherently spit out the identity in a
> normalised form knowing the username and the realm. (Perhaps I am not
> thinking things through here properly though for the general case
> though...)

I think the problem is that there's no generally "right" answer.

For example: if you are part of a roaming federation and your users use 
anonymous outer ID, you want to preserve that anonymity (or possibly 
fall foul of data protection legislation, depending on whether a 
username is "personal data").

More information about the Freeradius-Users mailing list