use filter_username inside of the tunnel, too

Because spaces and multiple @'s are a bad idea.

diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index 14df8ab13e6e003d5aed0d65955e6a968587736f..7d6a6e29b0b57f46113b33c562d662957a4a2cfe 100644 (file)
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -46,6 +46,15 @@ listen {
 #  Make *sure* that 'preprocess' comes before any realm if you
 #  need to setup hints for the remote radius server
 authorize {
+       #
+       #  Take a User-Name, and perform some checks on it, for spaces and other
+       #  invalid characters.  If the User-Name appears invalid, reject the
+       #  request.
+       #
+       #  See policy.d/filter for the definition of the filter_username policy.
+       #
+       filter_username
+
        #
        #  Do checks on outer / inner User-Name, so that users
        #  can't spoof us by using incompatible identities