Phil Mayers <p.may...@imperial.ac.uk> wrote: > >>Unfortunately, when you set nostrip in the config, it doesn't add a >>Stripped-User-Name attribute to the request, but when you unset it, >>rlm_realms adds a Stripped-User-Name attribute and also updates the >>User-Name attribute to the same value. > > I am 90% sure that's not what rlm_realm does. We use unlang to process > realms now, but I am certain we used it with nostrip and it left the > original User-Name intact and populated Stripped-User-Name. > You are right, we use rlm_realm and it leaves User-Name unadulterated.
This sounds like maybe the *inner* auth User-Name is realmless and making it's way out into outer.reply. When you use 'User-Name' in post-auth{} you will get reply:User-Name rather than request:User-Name if I remember correctly. The fix is to *reject* inner-authentications that are realm-less. Cheers -- Alexander Clouter .sigmonster says: You are the only person to ever get this message. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html