Standard & Realm Authentication

Alan DeKok aland at
Tue Feb 2 15:38:19 CET 2021

On Feb 1, 2021, at 2:42 PM, Richard J Palmer <richard at> wrote:
> We have been using FreeRadius for quite a long time to authenticate PPPoE and L2TP sessions and hotspots. So far everything works.

  That's good to hear. :)

> What I am trying to achieve in FreeRadius is
> 1) If there's an exact username (as now) continue as now
> 2) If there's not a match, either run a second SQL which will find the realm - and return accept. And then pass the necessary attributes back to allow the session to forward.

  I'd break that down into 3 steps.  The question is how do you "find the realm" ?

> Pretty happy to do most of the work here but some pointers would be perfect.
> I could, I suppose, do this by replacing the SQL query with a stored procedure - but open to any better ideas?

  Run the SQL module as-is, ensuring that the key is User-Name:

	if (notfound) {
		# ... extra magic goes here ...
	}

  You'll need to do a few things after this.  One is to figure out how to turn the User-Name into a realm.  Ideally you put this into some kind of regex / SQL table, whatever.  How this is done depends on you.  And with minimal information, we can't really recommend anything.  Put the realm name into a My-Realm attribute (Realm is already used for other things).

  Define My-Realm in raddb/dictionary:

	ATTRIBUTE My-Realm 3000 string

  The next step is to edit the SQL queries to look up realm *or* User-Name, e.g. edit


	sql_user_name = "%{%{My-Realm}:-%{User-Name}}" 

  Then, you can insert entries into the SQL tables, keyed by User-Name *or* realm.  Then update the "extra magic here" from above:

	if (notfound) {
		# ??? somehow get My-Realm from User-Name
	}

  And ensure that each of the My-Realm entries has the correct reply attributes.

  Alan DeKok.
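
One way to fill in the "extra magic" from the reply above, as an added example that is not part of the original post. It assumes FreeRADIUS v3 unlang, usernames of the form user@realm (the thread does not say how the realm is encoded), and the My-Realm attribute and sql_user_name setting shown above; the file location is also an assumption.

```unlang
# Assumed location: the authorize section of raddb/sites-enabled/default.
authorize {
	# First pass: My-Realm is not set yet, so sql_user_name expands to
	# User-Name and the exact-username lookup runs as before.
	sql

	if (notfound) {
		# Assumption: the realm is everything after a single "@".
		# The regex is anchored at both ends and rejects a second "@",
		# so a name like "a@b@c" never produces a realm key.
		if (&User-Name =~ /^[^@]+@([^@]+)$/) {
			update request {
				&My-Realm := "%{1}"
			}

			# Second pass: sql_user_name now expands to My-Realm, so
			# the rows keyed by realm (and their reply attributes)
			# are the ones that match.
			sql
		}
		# No "@" in User-Name: My-Realm stays unset, the result stays
		# notfound, and the request is handled as an unknown user.
	}
}
```

Rows keyed by realm match every username at that realm, so the check and reply attributes stored for a realm should be limited to what a forwarded session needs.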
