Phil Mayers <p.may...@imperial.ac.uk> wrote:
>
>>Unfortunately, when you set nostrip in the config, it doesn't add a
>>Stripped-User-Name attribute to the request, but when you unset it,
>>rlm_realms adds a Stripped-User-Name attribute and also updates the
>>User-Name attribute to the same value.  
>
> I am 90% sure that's not what rlm_realm does. We use unlang to process 
> realms now, but I am certain we used it with nostrip and it left the 
> original User-Name intact and populated Stripped-User-Name.
>
You are right, we use rlm_realm and it leaves User-Name unadulterated.

This sounds like maybe the *inner* auth User-Name is realmless and 
making its way out into outer.reply.  When you use 'User-Name' in 
post-auth{} you will get reply:User-Name rather than request:User-Name 
if I remember correctly.

The fix is to *reject* inner-authentications that are realm-less.

Cheers

-- 
Alexander Clouter
.sigmonster says: You are the only person to ever get this message.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
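
Added example, not part of the original message or of the FreeRADIUS default configuration: one way to reject realm-less inner identities, as suggested in the reply above, written as an unlang check at the top of the inner-tunnel `authorize` section. The `inner-tunnel` server name, the `user@realm` regex and the module order are assumptions about the local setup; FreeRADIUS 3.x prefers `&User-Name` where 2.x uses the bare attribute name.

```unlang
# raddb/sites-available/inner-tunnel (assumed location of the inner virtual server)
server inner-tunnel {
    authorize {
        # The inner (tunnelled) identity must look like user@realm.
        # Rejecting here stops a realm-less inner User-Name from ever
        # being accepted and copied back into the outer reply.
        if (User-Name !~ /^[^@]+@[^@]+$/) {
            reject
        }

        # Realm handling runs only for identities that passed the check.
        # With nostrip set, User-Name is left as sent by the client.
        suffix

        # ... the rest of the existing authorize section (eap, files, etc.)
    }
}
```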
