Re: "double" realm problem

2009-10-30 Thread mr typo
solved it now another way:

authorize {
    auth_log
    suffix
    mschap
    eap {
        ok = return
    }
    if (("%{User-Name}" !~ /@/) || ("%{User-Name}" =~ /@.*@/)) {
        update reply {
            Reply-Message := "FHSCommon: Wrong Username"
        }
        reject
    }
}

maybe someone knows why the "failed to find module..." appears when using
policy.conf

kind regards
-euro

On Wed, Oct 28, 2009 at 9:31 AM, mr typo  wrote:

> when i put the "validate_username" direct after
> server eduroam {
> validate_username
> authorize {
>  .
>
> i do not get an error. but it doesn't work. i am just trying around, i know
> that the "validate_username" doesn't make sense when NOT in the authorize
> section.
>
> so anyone has an idea regarding the "failed to find module..." problem?
>
> thanks
>
> -euro
>
> On Tue, Oct 27, 2009 at 2:33 PM, Alan Buxey wrote:
>
>> Hi,
>>
>> > /etc/raddb/sites-enabled/eduroam[9]: Failed to find module
>> > "validate_username".
>> > /etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.
>>
>> hmm, interesting - this looks very much like a post i made here earlier
>> this month where 3rd-party virtual servers dont seem to pick up details
>> from
>> main modules and include files - my case was that Autz-Type wasnt known if
>> i called 'users' file in my virtual-server
>>
>> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: "double" realm problem

2009-10-28 Thread mr typo
when i put the "validate_username" direct after
server eduroam {
validate_username
authorize {
 .

i do not get an error. but it doesn't work. i am just trying around, i know
that the "validate_username" doesn't make sense when NOT in the authorize
section.

so anyone has an idea regarding the "failed to find module..." problem?

thanks

-euro

On Tue, Oct 27, 2009 at 2:33 PM, Alan Buxey  wrote:

> Hi,
>
> > /etc/raddb/sites-enabled/eduroam[9]: Failed to find module
> > "validate_username".
> > /etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.
>
> hmm, interesting - this looks very much like a post i made here earlier
> this month where 3rd-party virtual servers dont seem to pick up details
> from
> main modules and include files - my case was that Autz-Type wasnt known if
> i called 'users' file in my virtual-server
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: "double" realm problem

2009-10-27 Thread Alan Buxey
Hi,

> /etc/raddb/sites-enabled/eduroam[9]: Failed to find module
> "validate_username".
> /etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

hmm, interesting - this looks very much like a post i made here earlier
this month where 3rd-party virtual servers don't seem to pick up details from
main modules and include files - my case was that Autz-Type wasn't known if
i called 'users' file in my virtual-server

alan


Re: "double" realm problem

2009-10-27 Thread mr typo
hello alexander,


thanks a lot for this piece of code. but now i have a problem with getting
this to work.
in radiusd.conf i have an

$INCLUDE policy.conf

and in my authorize section i got the following:

authorize {
    auth_log
    validate_username
    suffix
    eap {
        ok = return
    }
}

upon restarting i get the following:

/etc/raddb/sites-enabled/eduroam[9]: Failed to find module
"validate_username".
/etc/raddb/sites-enabled/eduroam[2]: Errors parsing authorize section.

any hints?

-euro

On Tue, Oct 27, 2009 at 11:09 AM, Alexander Clouter wrote:

> mr typo  wrote:
> >
> > i was trying to reject those "double" realm.
> > but i cannot find the right syntax and/or where to put the lines.
> >
> > i was trying to put this lines in the user file:
> > DEFAULT User-Name =~ "/^...@company.com@.*/"
> >   Auth-Type := Reject
> >
> >
> > that did not work.
> > when putting:
> > if (User-Name ~= /^...@company.com@.*/) {
> >  reject
> > }
> > in the server configuration in authorize section, i get a strange error..
> >
> > i am quite new with configuring freeradius, it would be nice if someone
> > could give me some real hint how to and where
> > reject those double @ @
> >
> In addition to my blackholing I now have added to my policy.conf file:
> 
> # only needs to be close enough to catch unroutable guff
> validate_username {
>     if (User-Name !~ /@/ \
>        || ( \
>         User-Name !~ /@.*@/ \
>         && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
>        ) \
>     ) {
>         ok
>     }
>     else {
>         update reply {
>             Reply-Message := "Invalid User-Name Syntax"
>         }
>         reject
>     }
> }
> 
>
> Then in your authorize section you just place 'validate_username' and it
> looks after everything for you.
>
> What the above bumpf does is:
>  * permit realmless (usernames without an '@') through, these are
>rejected later by matching against the NULL realm (*important*)
>  * if there is an '@' in there then it
>   * reject's if there are two or more '@'s
>   * reject if the *realm* is not valid, for example the realm *must*
>be made up of at least two parts, and the end part must be at
>least two characters long
>
> Hope that helps
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: The best things in life are for a fee.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: "double" realm problem

2009-10-27 Thread Alexander Clouter
mr typo  wrote:
> 
> i was trying to reject those "double" realm.
> but i cannot find the right syntax and/or where to put the lines.
> 
> i was trying to put this lines in the user file:
> DEFAULT User-Name =~ "/^...@company.com@.*/"
>   Auth-Type := Reject
> 
> 
> that did not work.
> when putting:
> if (User-Name ~= /^...@company.com@.*/) {
>  reject
> }
> in the server configuration in authorize section, i get a strange error..
> 
> i am quite new with configuring freeradius, it would be nice if someone
> could give me some real hint how to and where
> reject those double @ @
> 
In addition to my blackholing I now have added to my policy.conf file:

# only needs to be close enough to catch unroutable guff
validate_username {
    if (User-Name !~ /@/ \
       || ( \
        User-Name !~ /@.*@/ \
        && User-Name =~ /^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$/ \
       ) \
    ) {
        ok
    }
    else {
        update reply {
            Reply-Message := "Invalid User-Name Syntax"
        }
        reject
    }
}


Then in your authorize section you just place 'validate_username' and it 
looks after everything for you.

What the above bumpf does is:
 * permit realmless (usernames without an '@') through, these are
   rejected later by matching against the NULL realm (*important*)
 * if there is an '@' in there then it
   * rejects if there are two or more '@'s
   * reject if the *realm* is not valid, for example the realm *must*
     be made up of at least two parts, and the end part must be at
     least two characters long

Hope that helps

Cheers

-- 
Alexander Clouter
.sigmonster says: The best things in life are for a fee.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
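
An offline check of the two User-Name policies in this thread, as an added example (not code from any poster or from the FreeRADIUS project): it runs the `validate_username` conditions shown above and the simpler '@'-count check from the later "solved it" post over constructed usernames. The function names and sample usernames are assumptions, and grep's POSIX ERE stands in for the server's regex engine.

```sh
#!/bin/sh
# Added example. All usernames and realms below are constructed samples.

# Realm regex copied from the validate_username policy in the thread.
REALM_RE='^[[:graph:]]*@([-[:alnum:]]+\.)+[[:alpha:]]{2,}$'

# Same decision order as validate_username:
#   no '@'           -> ok (left for the NULL realm to reject later)
#   two or more '@'  -> reject
#   exactly one '@'  -> ok only if the realm matches REALM_RE
policy_validate_username() {
    case $1 in
        *@*@*) echo reject; return ;;
        *@*)   ;;
        *)     echo ok; return ;;
    esac
    # grep matches line by line, so an embedded newline would let a valid
    # second line pass; [[:graph:]] excludes newlines, so reject it here.
    nl='
'
    case $1 in *"$nl"*) echo reject; return ;; esac
    if printf '%s\n' "$1" | LC_ALL=C grep -Eq "$REALM_RE"; then
        echo ok
    else
        echo reject
    fi
}

# The inline check from the "solved it" post: reject unless there is
# exactly one '@'. It does not look at the realm at all.
policy_inline_check() {
    case $1 in
        *@*@*) echo reject ;;
        *@*)   echo ok ;;
        *)     echo reject ;;
    esac
}

# Print both verdicts side by side for the constructed samples.
compare_policies() {
    printf '%-38s %-18s %s\n' 'User-Name' 'validate_username' 'inline_check'
    while IFS= read -r u; do
        printf '%-38s %-18s %s\n' "$u" \
            "$(policy_validate_username "$u")" "$(policy_inline_check "$u")"
    done <<'EOF'
alice@example.org
alice
alice@example.org@wlan.example.net
alice@localhost
alice@example.o
alice@example.org.
al ice@example.org
@example.org
EOF
}

compare_policies
```

The two policies disagree on realmless names and on single-label or malformed realms, which is where the choice between them matters.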


Re: "double" realm problem

2009-10-27 Thread mr typo
i was trying to reject those "double" realm.
but i cannot find the right syntax and/or where to put the lines.

i was trying to put this lines in the user file:
DEFAULT User-Name =~ "/^...@company.com@.*/"
   Auth-Type := Reject


that did not work.
when putting:
if (User-Name ~= /^...@company.com@.*/) {
  reject
}
in the server configuration in authorize section, i get a strange error..

i am quite new with configuring freeradius, it would be nice if someone
could give me some real hint how to and where
reject those double @ @

thanks in advance.

-euro


On Wed, Oct 7, 2009 at 5:36 PM, Alexander Clouter wrote:

> mr typo  wrote:
> >
> > i do have a problem with our freeradius configuration and i have no idea
> how
> > to solve it.
> >
> > we do have one realm configured domainname.com which works perfectly.
> every
> > user who wants to authenticate with a different realm is proxied to an
> > outside radius. server. the setup works fine.
> >
> > we do have some mobile devices who send something like:
> > usern...@company.com@wlan.mnc003.mc
> > usern...@company.com@Verisign...
> > .
> > .
> >
> > we send these requests to our proxy and the proxy sends it back to
> us,
> >
> > from my understanding i cant solve it with a regex in the proxy.conf,
> right?
> > since the "realm" is just the string after the last @?
> >
> > anyone has an idea how i can process such request in my company.com realm?
> > inside the realm i strip everything out, so it should work then.
> >
> Use some unlang in 'authorize' *before* you call 'suffix' that looks
> like:
> 
> if (User-Name =~ /^(@company.com)@.*/) {
>     update request {
>         User-Name := "%{1}"
>     }
> }
> 
>
> As a side note, I currently have in proxy.conf:
> 
> # blackhole routing
> realm myabc.com {
>     virtual_server  = auth-reject
>
>     nostrip
> }
> realm "~\\.3gppnetwork\\.org$" {
>     virtual_server  = auth-reject
>
>     nostrip
> }
> 
>
> ...and a virtual server:
> 
> server auth-reject {
>     authorize {
>         suffix
>
>         switch "%{Realm}" {
>             case "NULL" {
>                 update reply {
>                     Reply-Message := "No Realm"
>                 }
>             }
>
>             # we should not get here
>             case "DEFAULT" {
>                 update reply {
>                     Reply-Message := "ERROR"
>                 }
>             }
>
>             # we *really* should not get here
>             case "%{config:local.MY.realm}" {
>                 update reply {
>                     Reply-Message := "BIG ERROR"
>                 }
>             }
>
>             case {
>                 update reply {
>                     Reply-Message := "Realm Blackholed"
>                 }
>             }
>         }
>
>         reject
>     }
> }
> 
>
> I would recommend you reject straight away any double realmed users as
> you will only find yourself later on still having to deal with
> misconfigured kit; pain now means a *lot* less pain later down the road
> in my experience.
>
> Cheers
>
> --
> Alexander Clouter
> .sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: "double" realm problem

2009-10-07 Thread Alexander Clouter
mr typo  wrote:
> 
> i do have a problem with our freeradius configuration and i have no idea how
> to solve it.
> 
> we do have one realm configured domainname.com which works perfectly. every
> user who wants to authenticate with a different realm is proxied to an
> outside radius. server. the setup works fine.
> 
> we do have some mobile devices who send something like:
> usern...@company.com@wlan.mnc003.mc
> usern...@company.com@Verisign...
> .
> .
> 
> we send these requests to our proxy and the proxy sends it back to us,
> 
> from my understanding i cant solve it with a regex in the proxy.conf, right?
> since the "realm" is just the string after the last @?
> 
> anyone has an idea how i can process such request in my company.com realm?
> inside the realm i strip everything out, so it should work then.
> 
Use some unlang in 'authorize' *before* you call 'suffix' that looks 
like:

if (User-Name =~ /^(@company.com)@.*/) {
    update request {
        User-Name := "%{1}"
    }
}


As a side note, I currently have in proxy.conf:

# blackhole routing
realm myabc.com {
    virtual_server  = auth-reject

    nostrip
}
realm "~\\.3gppnetwork\\.org$" {
    virtual_server  = auth-reject

    nostrip
}


...and a virtual server:

server auth-reject {
    authorize {
        suffix

        switch "%{Realm}" {
            case "NULL" {
                update reply {
                    Reply-Message := "No Realm"
                }
            }

            # we should not get here
            case "DEFAULT" {
                update reply {
                    Reply-Message := "ERROR"
                }
            }

            # we *really* should not get here
            case "%{config:local.MY.realm}" {
                update reply {
                    Reply-Message := "BIG ERROR"
                }
            }

            case {
                update reply {
                    Reply-Message := "Realm Blackholed"
                }
            }
        }

        reject
    }
}


I would recommend you reject straight away any double realmed users as 
you will only find yourself later on still having to deal with 
misconfigured kit; pain now means a *lot* less pain later down the road 
in my experience.

Cheers

-- 
Alexander Clouter
.sigmonster says: This Fortune Examined By INSPECTOR NO. 2-14



Re: "double" realm problem

2009-10-07 Thread mr typo
where would be the best place to deny those users?
we do not have a lot of practice with freeradius, so
any help would be appreciated,


kind regards
-euroreg

On Wed, Oct 7, 2009 at 3:03 PM, mr typo  wrote:

> hey,
> yes we are talking about eduroam and  after reading your post, it seems
> like that it is the best
> to deny such users.
>
> thanks alot
>
> -euroreg
>
> On Wed, Oct 7, 2009 at 2:44 PM, Stefan Winter wrote:
>
>> Hi,
>>
>> > problem is, that we are a university, so they are "our" people.
>> > tousands of students and teachers. if we deny those users, our
>> > helpdesk will get more work.
>> > is there a way to remove the double entries or do i have to block those?
>>
>> Any chance we are talking about eduroam? In this case: doing something
>> locally to make it work for these users even with misconfigured devices
>> is *not* going to do any good, and you will have helpdesk trouble as
>> soon as your users roam.
>>
>> The rationale being straightforward: you "fix" your local realm
>> stripping, misconfigured clients are happy on your campus. Then they go
>> to other hotspots without your magic fixes, and roaming will break. At
>> some point they come back and whine, and you have to negotiate with the
>> remote side logs to figure their weird settings prevented them from
>> roaming. Then you still have to re-config the devices.
>>
>> Not to mention that it damages the eduroam brand, since these people
>> will believe "roaming doesn't work".
>>
>> Contrary to that, changing one setting once on those few(I guess - not
>> everyone on your campus uses Nokia cell phones, do they?) misconfigured
>> clients will fix the issue permanently and globally. I'm shepherding
>> about 1 end-users myself on an eduroam IdP setup, and a HOWTO for
>> Symbian which highlights neuralgic parts seems to work for me (at least
>> I don't drown in user requests, and still have time to read and write
>> freeradius-users :-) ).
>>
>> Greetings,
>>
>> Stefan Winter
>>
>> >
>> > -euroreg
>> >
>> > On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey wrote:
>> >
>> > Hi,
>> >
>> > > we do have one realm configured domainname.com which works perfectly. every
>> > > user who wants to authenticate with a different realm is proxied to an
>> > > outside radius. server. the setup works fine.
>> > >
>> > > we do have some mobile devices who send something like:
>> > > usern...@company.com@wlan.mnc003.mc
>> > > usern...@company.com@Verisign...
>> >
>> > as Stefan says - this looks suspiciously like Nokia Symbian clients.
>> > if the client hasnt been configured correctly it will send the CN
>> > of the certificate as the realm details...and other things - so
>> > you get
>> > that double realm issue... which might get to you via external
>> proxy..
>> > or might not.
>> >
>> > reject if you see more than one @ - or, if these are your people,
>> > find them and fix their client. (in case of Nokia, its ensure that
>> the
>> > realm is specified rather than left to default setting.
>> >
>> > alan
>> > -
>> > List info/subscribe/unsubscribe? See
>> > http://www.freeradius.org/list/users.html
>> >
>> >
>> > 
>> >
>> > -
>> > List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
>> --
>> Stefan WINTER
>> Ingenieur de Recherche
>> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
>> la Recherche
>> 6, rue Richard Coudenhove-Kalergi
>> L-1359 Luxembourg
>>
>> Tel: +352 424409 1
>> Fax: +352 422473
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>

Re: "double" realm problem

2009-10-07 Thread mr typo
hey,
yes we are talking about eduroam and after reading your post, it seems like
that it is the best to deny such users.

thanks a lot

-euroreg

On Wed, Oct 7, 2009 at 2:44 PM, Stefan Winter wrote:

> Hi,
>
> > problem is, that we are a university, so they are "our" people.
> > tousands of students and teachers. if we deny those users, our
> > helpdesk will get more work.
> > is there a way to remove the double entries or do i have to block those?
>
> Any chance we are talking about eduroam? In this case: doing something
> locally to make it work for these users even with misconfigured devices
> is *not* going to do any good, and you will have helpdesk trouble as
> soon as your users roam.
>
> The rationale being straightforward: you "fix" your local realm
> stripping, misconfigured clients are happy on your campus. Then they go
> to other hotspots without your magic fixes, and roaming will break. At
> some point they come back and whine, and you have to negotiate with the
> remote side logs to figure their weird settings prevented them from
> roaming. Then you still have to re-config the devices.
>
> Not to mention that it damages the eduroam brand, since these people
> will believe "roaming doesn't work".
>
> Contrary to that, changing one setting once on those few(I guess - not
> everyone on your campus uses Nokia cell phones, do they?) misconfigured
> clients will fix the issue permanently and globally. I'm shepherding
> about 1 end-users myself on an eduroam IdP setup, and a HOWTO for
> Symbian which highlights neuralgic parts seems to work for me (at least
> I don't drown in user requests, and still have time to read and write
> freeradius-users :-) ).
>
> Greetings,
>
> Stefan Winter
>
> >
> > -euroreg
> >
> > On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey wrote:
> >
> > Hi,
> >
> > > we do have one realm configured domainname.com which works perfectly. every
> > > user who wants to authenticate with a different realm is proxied to an
> > > outside radius. server. the setup works fine.
> > >
> > > we do have some mobile devices who send something like:
> > > usern...@company.com@wlan.mnc003.mc
> > > usern...@company.com@Verisign...
> >
> > as Stefan says - this looks suspiciously like Nokia Symbian clients.
> > if the client hasnt been configured correctly it will send the CN
> > of the certificate as the realm details...and other things - so
> > you get
> > that double realm issue... which might get to you via external
> proxy..
> > or might not.
> >
> > reject if you see more than one @ - or, if these are your people,
> > find them and fix their client. (in case of Nokia, its ensure that
> the
> > realm is specified rather than left to default setting.
> >
> > alan
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> > 
> >
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> --
> Stefan WINTER
> Ingenieur de Recherche
> Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de
> la Recherche
> 6, rue Richard Coudenhove-Kalergi
> L-1359 Luxembourg
>
> Tel: +352 424409 1
> Fax: +352 422473
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: "double" realm problem

2009-10-07 Thread Stefan Winter
Hi,

> problem is, that we are a university, so they are "our" people.
> tousands of students and teachers. if we deny those users, our
> helpdesk will get more work.
> is there a way to remove the double entries or do i have to block those?

Any chance we are talking about eduroam? In this case: doing something
locally to make it work for these users even with misconfigured devices
is *not* going to do any good, and you will have helpdesk trouble as
soon as your users roam.

The rationale being straightforward: you "fix" your local realm
stripping, misconfigured clients are happy on your campus. Then they go
to other hotspots without your magic fixes, and roaming will break. At
some point they come back and whine, and you have to negotiate with the
remote side logs to figure their weird settings prevented them from
roaming. Then you still have to re-config the devices.

Not to mention that it damages the eduroam brand, since these people
will believe "roaming doesn't work".

Contrary to that, changing one setting once on those few(I guess - not
everyone on your campus uses Nokia cell phones, do they?) misconfigured
clients will fix the issue permanently and globally. I'm shepherding
about 1 end-users myself on an eduroam IdP setup, and a HOWTO for
Symbian which highlights neuralgic parts seems to work for me (at least
I don't drown in user requests, and still have time to read and write
freeradius-users :-) ).

Greetings,

Stefan Winter

>
> -euroreg
>
> On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey wrote:
>
> Hi,
>
> > we do have one realm configured domainname.com which works perfectly. every
> > user who wants to authenticate with a different realm is proxied to an
> > outside radius. server. the setup works fine.
> >
> > we do have some mobile devices who send something like:
> > usern...@company.com@wlan.mnc003.mc
> > usern...@company.com@Verisign...
>
> as Stefan says - this looks suspiciously like Nokia Symbian clients.
> if the client hasnt been configured correctly it will send the CN
> of the certificate as the realm details...and other things - so
> you get
> that double realm issue... which might get to you via external proxy..
> or might not.
>
> reject if you see more than one @ - or, if these are your people,
> find them and fix their client. (in case of Nokia, its ensure that the
> realm is specified rather than left to default setting.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> 
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473



Re: "double" realm problem

2009-10-07 Thread mr typo
problem is, that we are a university, so they are "our" people. thousands of
students and teachers. if we deny those users, our helpdesk will get more
work.
is there a way to remove the double entries or do i have to block those?

-euroreg

On Wed, Oct 7, 2009 at 1:50 PM, Alan Buxey  wrote:

> Hi,
>
> > we do have one realm configured domainname.com which works perfectly.
> every
> > user who wants to authenticate with a different realm is proxied to an
> > outside radius. server. the setup works fine.
> >
> > we do have some mobile devices who send something like:
> > usern...@company.com@wlan.mnc003.mc
> > usern...@company.com@Verisign...
>
> as Stefan says - this looks suspiciously like Nokia Symbian clients.
> if the client hasnt been configured correctly it will send the CN
> of the certificate as the realm details...and other things - so you get
> that double realm issue... which might get to you via external proxy..
> or might not.
>
> reject if you see more than one @ - or, if these are your people,
> find them and fix their client. (in case of Nokia, its ensure that the
> realm is specified rather than left to default setting.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

Re: "double" realm problem

2009-10-07 Thread Alan Buxey
Hi,

> we do have one realm configured domainname.com which works perfectly. every
> user who wants to authenticate with a different realm is proxied to an
> outside radius. server. the setup works fine.
> 
> we do have some mobile devices who send something like:
> usern...@company.com@wlan.mnc003.mc
> usern...@company.com@Verisign...

as Stefan says - this looks suspiciously like Nokia Symbian clients.
if the client hasn't been configured correctly it will send the CN
of the certificate as the realm details...and other things - so you get
that double realm issue... which might get to you via external proxy..
or might not.

reject if you see more than one @ - or, if these are your people,
find them and fix their client. (in case of Nokia, it's ensure that the
realm is specified rather than left to default setting.)

alan


Re: "double" realm problem

2009-10-07 Thread Stefan Winter
Hi,

> we do have one realm configured domainname.com
> which works perfectly. every user who wants to authenticate with a
> different realm is proxied to an outside radius. server. the setup
> works fine.
>
> we do have some mobile devices who send something like:
> usern...@company.com@wlan.mnc003.mc
> usern...@company.com@Verisign...

Ah. Nokia cell phones with Symbian by any chance? Recent firmwares
behave less rude, but of course you may not have control over these clients.

> we send these requests to our proxy and the proxy sends it back to us,
>
> from my understanding i cant solve it with a regex in the proxy.conf,
> right? since the "realm" is just the string after the last @?

A regex on the User-Name should do nicely. If it contains multiple @'s
Auth-Type := Reject.

> anyone has an idea how i can process such request in my company.com
> realm? inside the realm i strip everything out,
> so it should work then.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la 
Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
