Nick Lowe wrote:
> I am curious if it is possible today with FreeRADIUS to normalise the
> identity that is returned in the User-Name AVP in an Access-Accept?

Yes. You can do pretty much anything you want.

> RFC 2865 states in Section 5.1:
>
> [The User-Name AVP] MAY be sent in an Access-Accept packet, in which
> case the client SHOULD use the name returned in the Access-Accept
> packet in all Accounting-Request packets for this session.

Well... not all NASes do that, of course.

> So, a compliant NAS that is able to treat the User-Name AVP as being
> authoritative would get to see the real, inner identity and in a
> normalised form.
>
> Is this possible?

Yes.

I suggest writing down all possible *input* variants of the User-Name. Then, determine what you want as output. And figure out how to get from one to the other.

i.e. "foo" -> "f...@example.com", "foo\EXAMPLE" --> "f...@example.com".

Once you have all of those mappings, just write "unlang" policies to check one after the other, and do the re-writing.

Most of the time, you can write policies down in plain English, and convert them to unlang.

Alan DeKok.
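The mapping exercise suggested in the reply above, modelled in Python as an added example (not part of the original message, and not FreeRADIUS unlang): each input variant is checked in turn and rewritten to one canonical `user@realm` form. Assumptions: the realm `example.com`, the alias table, case-insensitive names, the sample inputs in the comments (all constructed), and the choice to return `None` for anything no rule covers so the policy can reject it instead of passing it through unnormalised.

```python
import re

# Assumptions for this sketch: one canonical realm and one NetBIOS-style alias.
CANONICAL_REALM = "example.com"
DOMAIN_ALIASES = {"example": CANONICAL_REALM}

# Characters accepted in the user part once realm decoration is stripped.
USER_RE = re.compile(r"[a-z0-9._-]+")


def normalise_user_name(raw):
    """Map a received User-Name to user@realm, or None if no rule matches."""
    name = raw.strip().lower()
    has_at = "@" in name
    slashes = name.count("\\")

    if has_at and slashes == 0:
        # Variant: "foo@example.com" (any letter case)
        user, _, realm = name.rpartition("@")
        if realm != CANONICAL_REALM:
            return None
    elif slashes == 1 and not has_at:
        left, right = name.split("\\")
        if right in DOMAIN_ALIASES:
            # Variant: "foo\EXAMPLE", the order written in the post
            user, realm = left, DOMAIN_ALIASES[right]
        elif left in DOMAIN_ALIASES:
            # Variant: "EXAMPLE\foo", the usual Windows order
            user, realm = right, DOMAIN_ALIASES[left]
        else:
            return None
    elif not has_at and slashes == 0:
        # Variant: bare "foo" gets the default realm
        user, realm = name, CANONICAL_REALM
    else:
        # Mixed or repeated decoration: no rule written for it, so refuse
        return None

    # Refuse empty or oddly shaped user parts such as "a@b" or "".
    if not USER_RE.fullmatch(user):
        return None
    return f"{user}@{realm}"


if __name__ == "__main__":
    for sample in ["foo", "foo\\EXAMPLE", "EXAMPLE\\foo", "Foo@Example.COM",
                   "foo@other.org", "a@b@example.com"]:
        print(f"{sample!r:22} -> {normalise_user_name(sample)!r}")
```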