Applying the same rule to multiple values in an attribute/config value

Stefan Paetow Stefan.Paetow at
Tue Feb 12 00:27:23 CET 2019

> The Suffix module doesn't rewrite the User-Name, or the EAP identity.
> There's also the issue that re-writing User-Name without changing EAP identity is bad.  Most servers (including FreeRADIUS) will reject such packets.

Indeed. Hence the 'munging' of the User-Name (to ensure EAP Identity and User-Name are identical to the end).

> That's for non-EAP authentication, unfortunately.

> "foreach" doesn't work on configuration items.  You shouldn't need it though.  The idea behind intermediate routing is that each stage only takes care of *one* realm.  It's not really good to say "here's a list of realms, pick one".

> > On the target system, the same happens, but at that point, the target system identifies that 'home.realm!anonymous@another.realm' is destined to itself and everything in the rest of the conversation stays the same.
> OK.  But I'm still not clear why there's a list of realms separated by semicolons.

Ok, assume I have three realms defined in proxy.conf: 'my.realm', 'another.realm', and 'yet.another'.

To make the comparison easier, I don't want to have my users extend the comparison from this (which only handles one realm, defined in 'rfc7542_suffix'):

if (("%{1}" == "${policy.rfc7542_suffix}") && ("%{3}" != "${policy.rfc7542_suffix}")) {

To this (apologies for the pseudo-code):

if ((("%{1}" == "my.realm") && ("%{3}" != "my.realm")) || \
    (("%{1}" == "another.realm") && ("%{3}" != "another.realm")) || \
    (("%{1}" == "yet.another") && ("%{3}" != "yet.another"))) {

If I could construct a loop that iterates over my realms, then I could simply do the comparison, but you've given me an idea (i.e. defining a new 'realm' instance that uses the bang to route):

realm bang_realm {
	format = prefix
	delimiter = "!"
}

if (&request:User-Name =~ /([a-zA-Z0-9\.-]+)!([a-zA-Z0-9\.-]*)\@(.+)/) {
  #  Format: not_local_realm!...@local_realm: Rewrite User-Name for suffix
} else {
  #  No bang-path decoration in the User-Name: nothing to rewrite here
}

Does that (or something similar) make more sense? :-)

If so, I'll test this and see what we get. It still leaves the EAP identity and the outer User-Name decorated though. :-/

With Regards

Stefan Paetow
Consultant, Trust and Identity

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at
skype: stefan.paetow.janet
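The "loop over my realms" that the mail above wishes for, as an added Python illustration (not part of the thread and not FreeRADIUS code): it applies the regex from the mail to a User-Name and then checks the single-realm condition ("%{1}" == realm) && ("%{3}" != realm) against every configured realm in turn. The three realm names are the constructed ones from the mail; LOCAL_REALMS, parse_decorated_nai and matching_local_realm are assumed names.

```python
import re

# Same capture groups as the unlang regex in the mail:
# %{1} = realm before the '!', %{2} = user part, %{3} = realm after the '@'.
DECORATED_NAI = re.compile(r"^([a-zA-Z0-9.-]+)!([a-zA-Z0-9.-]*)@(.+)$")

# Constructed stand-in for the realms defined in proxy.conf.
LOCAL_REALMS = ("my.realm", "another.realm", "yet.another")


def parse_decorated_nai(user_name):
    """Return (bang_realm, user, suffix_realm), or None if the name is not
    a bang-decorated NAI (e.g. a plain 'user@realm')."""
    match = DECORATED_NAI.match(user_name)
    return match.groups() if match else None


def matching_local_realm(user_name, realms=LOCAL_REALMS):
    """Return the first configured realm for which the mail's condition holds:
    the realm before the '!' is ours and the realm after the '@' is not.
    Returns None when the name is undecorated or no realm satisfies this.
    Comparison is exact (case-sensitive), like the string '==' in the mail."""
    parts = parse_decorated_nai(user_name)
    if parts is None:
        return None
    bang_realm, _user, suffix_realm = parts
    for realm in realms:
        if bang_realm == realm and suffix_realm != realm:
            return realm
    return None
```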

