Thanks, Alan! I have got a feature request with Aerohive, our wireless vendor, to support treating the User-Name AVP as being authoritative which they are being pretty receptive and responsive to.
(I think RADIUS clients need to stop treating the outer identity as being authoritative if and where a User-Name is returned in the Access-Accept now that TLS based EAPs are the norm and we should have far more of an aggressive push to get vendors to implement this.) It would be great if, rather than manually having to create mappings and rewrite the identity, having successfully performed authentication FreeRADIUS were able to inherently spit out the identity in a normalised form knowing the username and the realm. (Perhaps I am not thinking things through here properly though for the general case though...) Regards, Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html