Routing new RFC7542-style realms

Stefan Paetow Stefan.Paetow at
Sun Oct 2 20:55:22 CEST 2016

>  No, I mean *all* of the logic has to be in unlang.  Don't use the realm
>module at all.

Hmmm, to follow up on this... I've gotten it to route correctly, but on
the ultimate destination (i.e. at "realhome.realm"), I now get a message
saying that the EAP Identity does not match User-Name, which then
subsequently leads to failure. It's not quite unexpected since EAP keeps
track of what User-Name *should* be.

Well, the final bit that I came up with (using suffix) was this:

if (&User-Name =~ /([a-zA-Z0-9\-.]+)!(.+)/) {
	update control {
		Tmp-String-1 := "%{1}"
		Tmp-String-2 = &User-Name
	if ("%{2}" =~ /([a-zA-Z0-9\-.]*)@(.+)/) {
		update request {
			User-Name := "%{1}@%{control:Tmp-String-1}"
suffix {
	updated = 1
	noop = reject
if (&control:Tmp-String-2) {
	update request {
		User-Name := &control:Tmp-String-2
	update control {
		Tmp-String-1 !* ANY
		Tmp-String-2 !* ANY

It works on both the sending as well as the receiving end. :-)

With Regards

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. JiscĀ¹s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.


More information about the Freeradius-Users mailing list