Routing new RFC7542-style realms

Alan DeKok aland at
Mon Oct 3 16:47:51 CEST 2016

On Oct 2, 2016, at 2:55 PM, Stefan Paetow <Stefan.Paetow at JISC.AC.UK> wrote:
>> No, I mean *all* of the logic has to be in unlang.  Don't use the realm
>> module at all.
> Hmmm, to follow up on this... I've gotten it to route correctly, but on
> the ultimate destination (i.e. at "realhome.realm"), I now get a message
> saying that the EAP Identity does not match User-Name, which then
> subsequently leads to failure. It's not quite unexpected since EAP keeps
> track of what User-Name *should* be.

  Yes.  The solution is to not mangle the User-Name.

  Which means that the home server *must* have the following logic:

	if Realm == "" &&
	   Packet-Src-IP-Address == {
		look for "realm2|user at ..."

  I'll put this into my ongoing "RADIUS proxy issues" document.

  Alan DeKok.

More information about the Freeradius-Users mailing list