Routing new RFC7542-style realms

Stefan Paetow Stefan.Paetow at
Sun Oct 2 17:28:50 CEST 2016

>  If you have "realm1!user at realm2", then the packet MUST be routed by
>third parties to "realm2".  Because it is the domain name which appears
>after the "@".

Yep. That's all fine.

>  The existing "realm" module isn't smart enough to do this kind of
>double lookup.  Though I suppose it shouldn't be too hard to add (hint
>hint).  Just have it check for a realm, and if the realm is local, do
>*another* check for realm on the user portion.
>  It can be done manually in "unlang".  But it means replicating the
>logic in rlm_realm, and re-writing it unlang statements.

OK, I simply rewrite the User-Name *before* calling suffix? Because if I
do it after and then try to do something else like trying to get FR to
proxy it, I get 'Request already has destination realm set. Ignoring' (at
this point that's the realm to the right of the '@'). How do I reset that?

I have this in my authorize (after suffix):

if (&Stripped-User-Name =~ /([a-zA-Z0-9\-.]+)!(.+)/) {
    update request {
        User-Name := "%{2}@%{1}"
        Realm !* ANY
    }
}

But then... Because it previously identified this as a local realm, it
then tries to do authentication locally...

Any suggestions are helpful.


Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
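The double lookup that the quoted reply describes (route on the realm right of "@"; only when that realm is local, look for a "realm1!user" prefix and forward "user@realm1"), as an added Python example that is not code from the thread or from FreeRADIUS itself. LOCAL_REALMS and every realm name are constructed assumptions; the regex is the one from the post with the missing "(" restored.

```python
import re

# Assumed configuration: the realms this server answers for (lowercase).
LOCAL_REALMS = {"realm2.example"}

# Same shape as the unlang regex in the post, anchored so that only a
# leading "realm!" prefix is treated as routing information.
ROUTING_RE = re.compile(r"^([a-zA-Z0-9\-.]+)!(.+)$")


def route_nai(user_name, local_realms=LOCAL_REALMS):
    """Return (decision, realm, next_user_name) for an RFC7542-style NAI.

    decision is "local" (authenticate here) or "proxy" (forward to realm).
    next_user_name is the User-Name to use for the next step.
    """
    if "@" not in user_name:
        # No realm at all: nothing to route on, handle locally.
        return ("local", None, user_name)

    user, realm = user_name.rsplit("@", 1)
    if realm.lower() not in local_realms:
        # Not our realm: a third party must route on the part after "@"
        # and leave the name untouched, so the "!" prefix is ignored here.
        return ("proxy", realm, user_name)

    m = ROUTING_RE.match(user)
    if not m:
        # Plain user@ourrealm: ordinary local authentication.
        return ("local", realm, user_name)

    home_realm, inner_user = m.group(1), m.group(2)
    # Our realm with a routing prefix: rewrite to "user@home_realm"
    # (the "%{2}@%{1}" rewrite from the post). inner_user may itself still
    # carry a further "hop!" prefix, which the next realm will strip.
    rewritten = f"{inner_user}@{home_realm}"
    if home_realm.lower() in local_realms:
        # Loop guard: the named home realm is us, so do not proxy to ourselves.
        return ("local", home_realm, rewritten)
    return ("proxy", home_realm, rewritten)
```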

