force/require @domain/part

lejeczek peljasz at
Wed Jun 22 11:12:11 CEST 2016

On 21/06/16 15:02, A.L.M.Buxey at wrote:
> Hi,
>> Like when AD domain is / PRIVATE and radius will
>> absolutely need this. At the moment having configs constructed of
>> bits from wikis/howtos, both: "me at" and "me" get
>> authenticated.
> unlang.
> in fact, recent releases of the server come with many default policies which
> will do this sort of check/enforcement for you (because they are for eduroam!)
> either invoke the policy (call it by its name in the virtual server config) or use unlang directly
> in the authorize section eg
>     if (User-Name !~ /@/) {
>         update reply {
>             Reply-Message = "no realm defined"
>         }
>         reject
>     }
> alan
thanks guys,
Alan, when I try what you shared earlier it works, almost
perfect; probably because of my (unusual?) setup it fails in
one place.
Here is what I'm hoping to achieve - local domain (freeipa's
ldap) and samba being a client to an AD (all on the same one box).
Radius: a) ldap backend, b) ntlm/winbind backend to AD.
Now radius authentication fails like I wanted if the auth
request does not include @realm. Config (default) goes like

   if (&User-Name !~ /$/i) {

I'm not trying it as in a policy yet.
It fails now for users like "me" which do exist in ldap
(again, all local, local freeipa ldap). I see ldap is
being tried but then radius moves over to ntlm and fails.
Care to share more thoughts - I'll be grateful.
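An added example, not from this thread and not FreeRADIUS project configuration, showing how the realm check from Alan's snippet can be extended to route on the realm in a setup like the one described here: one local LDAP realm and one AD realm handled by winbind/ntlm_auth. The realm names `ipa.example` and `ad.example` are constructed; `ldap` and `ntlm_auth` are assumed to be the module instance names from the FreeRADIUS 3 default configuration (`mods-available/ldap`, `mods-available/ntlm_auth`). Only PAP requests are covered, which is what the `ntlm_auth` exec module and an LDAP bind handle; MS-CHAP against AD goes through the `mschap` module instead.

```unlang
authorize {
    # 1. Enforce a realm on every request (same check as in the reply above).
    if (&User-Name !~ /@/) {
        update reply {
            &Reply-Message := "no realm defined"
        }
        reject
    }

    # 2. Local users: the realm is the FreeIPA LDAP domain (constructed name).
    #    Strip the realm so the ldap module searches for the bare uid.
    if (&User-Name =~ /^([^@]+)@ipa\.example$/i) {
        update request {
            &Stripped-User-Name := "%{1}"
        }
        ldap
        # User found and a cleartext password is present: authenticate by LDAP bind.
        if ((ok || updated) && &User-Password) {
            update control {
                &Auth-Type := LDAP
            }
        }
    }

    # 3. AD users: hand off to ntlm_auth/winbind (constructed realm name).
    elsif (&User-Name =~ /^([^@]+)@ad\.example$/i) {
        update control {
            &Auth-Type := ntlm_auth
        }
    }

    # 4. Anything else carries a realm we do not serve: reject explicitly
    #    instead of letting the request fall through to the wrong backend.
    else {
        update reply {
            &Reply-Message := "unknown realm"
        }
        reject
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
    ntlm_auth
}
```

The point of step 4 is the failure mode described in this message: without an explicit branch per realm, a request the LDAP module cannot authenticate keeps going down the section and ends up at the NTLM backend, so a local user is rejected by AD rather than by the policy. Running `radiusd -X` and sending one request per realm with `radtest` shows which branch each User-Name takes.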
