Update User-Name

Alan DeKok aland at deployingradius.com
Sat Sep 9 19:03:24 CEST 2017


On Sep 9, 2017, at 10:11 AM, Dale Lloyd <dale.lloyd at gmail.com> wrote:
> 
> FreeRADIUS Version 3.0.4

  You should really use 3.0.15.

> I wish to modify the User-Name attribute in access-requests by
> appending the realm, but if I do that, FreeRADIUS refuses to proxy the
> request.

  No... read the debug output.  The error is something else.

> I added the following to /etc/raddb/sites-enabled/default:
> 
> authorize {
> 
> if("%{User-Name}" !~ /@/) {
>        update request {
>                User-Name := "%{User-Name}@uni.ac.uk"
> Realm := "eduroam"
>        }

  The better question is why do you think this is necessary?

  If they're your users, then you should authenticate them.  You don't need to edit the User-Name.  You don't need to proxy.

  Or, if you do proxy, you can just set Proxy-To-Realm:

	if("%{User-Name}" !~ /@/) {
		update control {
			Proxy-To-Realm := "my-other-server"
		}
	

> radiusd -X output:
> 
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0)  eap : Identity does not match User-Name, setting from EAP Identity
> (0)  eap : Failed in handler
> (0)   [eap] = invalid
> (0)  } #  authenticate = invalid
> (0) Failed to authenticate the user
> (0) Using Post-Auth-Type Reject

  That doesn't say "refused to proxy the request".  The message is English, and should be clear.

> Suggestions greatly appreciated.

  Describe the problem you're trying to solve.  Don't ask why your proposed solution doesn't work.

  There are likely many other ways of getting the same result.

  Alan DeKok.





More information about the Freeradius-Users mailing list