Freeradius-Users Digest, Vol 183, Issue 16

Luveh Keraph 1.41421 at gmail.com
Fri Jul 10 16:30:23 CEST 2020


To answer my own question:

In my etc/raddb/mods-available/files file I have the following (among other
things):

        # The default key attribute to use for matches.  The content
        # of this attribute is used to match the "name" of the
        # entry.
        # key = "%{%{Stripped-User-Name}:-%{User-Name}}"
        key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"

After uncommenting the first 'key' line, commenting out the second 'key'
line, and relaunching the server, the username received is treated in a
case-sensitive way.

Thanks for encouraging me to check out the debugging data.

On Fri, Jul 10, 2020 at 8:20 AM Luveh Keraph <1.41421 at gmail.com> wrote:

> Here is a copy of my users file, with all comments removed:
>
>
> DEFAULT Framed-Protocol == PPP
>   Framed-Protocol = PPP,
>   Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>   Framed-Protocol = SLIP,
>   Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>   Framed-Protocol = SLIP
>
> abcXYZ User-Password != "MyPassword1"
> abcXYZ Cleartext-Password := "MyPassword1"
>   MyAttrTag = "One"
>
> abcxyz User-Password != "MyPassword2"
> abcxyz Cleartext-Password := "MyPassword2"
>   MyAttrTag = "Two"
>
> And here's debugging information obtained at the FreeRADIUS server,
> launched with -sxXf when a client is requesting to be authenticated as
> abcXYZ over SSH, but using the password assigned to abcxyz in the users
> file. A line that reads EXPAND
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} would seem to reveal that
> the received username is indeed converted to all lowercase by the
> FreeRADIUS server. I searched for references to the above in the FreeRADIUS
> files, and here is what I found:
>
> ../raddb/mods-available/couchbase: user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
> ../raddb/mods-available/couchbase:# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
> ../raddb/mods-available/files: key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
>
> Is it just a matter of getting rid of the 'key' line in the files
> directory?
>
> Fri Jul 10 07:49:59 2020 : Debug: (39) Received Access-Request Id 57 from
> 192.168.0.67:44859 to 192.168.0.23:1812 length 92
> Fri Jul 10 07:49:59 2020 : Debug: (39)   User-Name = "abcXYZ"
> Fri Jul 10 07:49:59 2020 : Debug: (39)   User-Password = "MyPassword2"
> Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-IP-Address = 192.168.0.67
> Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Identifier = "sshd"
> Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Port = 22973
> Fri Jul 10 07:49:59 2020 : Debug: (39)   NAS-Port-Type = Virtual
> Fri Jul 10 07:49:59 2020 : Debug: (39)   Service-Type = Authenticate-Only
> Fri Jul 10 07:49:59 2020 : Debug: (39)   Calling-Station-Id =
> "192.168.0.23"
> Fri Jul 10 07:49:59 2020 : Debug: (39) session-state: No State attribute
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section authorize from
> file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39)   authorize {
> Fri Jul 10 07:49:59 2020 : Debug: (39)     policy filter_username {
> Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name)  -> TRUE
> Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&User-Name)  {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ / /) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ / /)  ->
> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@[^@]*@/
> ) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@[^@]*@/
> )  -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.\./ ) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.\./ )
>  -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))  {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.$/)  {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /\.$/)
> -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@\./)  {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         if (&User-Name =~ /@\./)
> -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)       } # if (&User-Name)  =
> notfound
> Fri Jul 10 07:49:59 2020 : Debug: (39)     } # policy filter_username =
> notfound
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> preprocess (rlm_preprocess)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from preprocess (rlm_preprocess)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [preprocess] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> chap (rlm_chap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from chap (rlm_chap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [chap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> mschap (rlm_mschap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from mschap (rlm_mschap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [mschap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> digest (rlm_digest)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from digest (rlm_digest)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [digest] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> suffix(rlm_realm)
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: Checking for suffix after
> "@"
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No '@' in User-Name =
> "abcXYZ", looking up realm NULL
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No such realm "NULL"
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from suffix (rlm_realm)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [suffix] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> eap (rlm_eap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) eap: No EAP-Message, not doing EAP
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from eap (rlm_eap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [eap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> files (rlm_files)
> Fri Jul 10 07:49:59 2020 : Debug:
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Fri Jul 10 07:49:59 2020 : Debug: Parsed xlat tree:
> Fri Jul 10 07:49:59 2020 : Debug: XLAT-IF {
> Fri Jul 10 07:49:59 2020 : Debug:   attribute --> Stripped-User-Name
> Fri Jul 10 07:49:59 2020 : Debug: }
> Fri Jul 10 07:49:59 2020 : Debug: XLAT-ELSE {
> Fri Jul 10 07:49:59 2020 : Debug:   xlat --> tolower
> Fri Jul 10 07:49:59 2020 : Debug:   {
> Fri Jul 10 07:49:59 2020 : Debug:     attribute --> User-Name
> Fri Jul 10 07:49:59 2020 : Debug:   }
> Fri Jul 10 07:49:59 2020 : Debug: }
> Fri Jul 10 07:49:59 2020 : Debug: (39) files: EXPAND
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Fri Jul 10 07:49:59 2020 : Debug: (39) files:    --> abcxyz
> Fri Jul 10 07:49:59 2020 : Debug: (39) files: users: Matched entry abcxyz
> at line 16
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from files (rlm_files)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [files] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> expiration (rlm_expiration)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from expiration (rlm_expiration)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [expiration] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> logintime (rlm_logintime)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from logintime (rlm_logintime)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [logintime] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: calling
> pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authorize]: returned
> from pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [pap] = updated
> Fri Jul 10 07:49:59 2020 : Debug: (39)   } # authorize = updated
> Fri Jul 10 07:49:59 2020 : Debug: (39) Found Auth-Type = PAP
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing group from file
> /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39)   Auth-Type PAP {
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authenticate]:
> calling pap(rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Login attempt with password
> "MyPassword2" (9)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Comparing with "known good"
> Cleartext-Password "MyPassword2" (9)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: User authenticated successfully
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[authenticate]:
> returned from pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [pap] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39)   } # Auth-Type PAP = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section post-auth from
> file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39)   post-auth {
> Fri Jul 10 07:49:59 2020 : Debug: (39)     if (session-state:User-Name &&
> reply:User-Name && request:User-Name && (reply:User-Name ==
> request:User-Name)) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)     if (session-state:User-Name &&
> reply:User-Name && request:User-Name && (reply:User-Name ==
> request:User-Name))  -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)     update {
> Fri Jul 10 07:49:59 2020 : Debug: (39)       No attributes updated for RHS
> &session-state:
> Fri Jul 10 07:49:59 2020 : Debug: (39)     } # update = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[post-auth]: calling
> exec (rlm_exec)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     modsingle[post-auth]: returned
> from exec (rlm_exec)
> Fri Jul 10 07:49:59 2020 : Debug: (39)     [exec] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     policy
> remove_reply_message_if_eap {
> Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&reply:EAP-Message &&
> &reply:Reply-Message) {
> Fri Jul 10 07:49:59 2020 : Debug: (39)       if (&reply:EAP-Message &&
> &reply:Reply-Message)  -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39)       else {
> Fri Jul 10 07:49:59 2020 : Debug: (39)         modsingle[post-auth]:
> calling noop (rlm_always)
> Fri Jul 10 07:49:59 2020 : Debug: (39)         modsingle[post-auth]:
> returned from noop (rlm_always)
> Fri Jul 10 07:49:59 2020 : Debug: (39)         [noop] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)       } # else = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)     } # policy
> remove_reply_message_if_eap = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39)   } # post-auth = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) Sent Access-Accept Id 57 from
> 192.168.0.23:1812 to 192.168.123.67:44859 length 0
> Fri Jul 10 07:49:59 2020 : Debug: (39)   MyAttrTag = "Two"
> Fri Jul 10 07:49:59 2020 : Debug: (39) Finished request
> Fri Jul 10 07:49:59 2020 : Debug: Waking up in 4.9 seconds.
> Fri Jul 10 07:50:04 2020 : Debug: (39) Cleaning up request packet ID 57
> with timestamp +150091
> Fri Jul 10 07:50:04 2020 : Info: Ready to process requests
>
> On Thu, Jul 9, 2020 at 12:19 PM <
> freeradius-users-request at lists.freeradius.org> wrote:
>
>>
>> On Jul 9, 2020, at 11:12 AM, Luveh Keraph <1.41421 at gmail.com> wrote:
>> >
>> > I have a FreeRADIUS 3.0.20 server with the following entries in
>> > /etc/raddb/users:
>> >
>> > abcXYZ User-Password != "MyPassword1"
>> > abcXYZ Cleartext-Password := "MyPassword1"
>> >        MyAttrTag = "One"
>> >
>> > abcxyz User-Password != "MyPassword2"
>> > abcxyz Cleartext-Password := "MyPassword2"
>> >        MyAttrTag = "Two"
>> >
>> > MyAttrTag is a VSA of my own, which both client and server are aware of.
>>
>>   OK.
>>
>> > When I try to authenticate abcXYZ against this server (with radtest, or
>> by
>> > SSH through PAM) the password I have to supply is MyPassword2 -
>> MyPassword1
>> > will not work. When the authentication is successfully completed, I can
>> see
>> > that the value of MyAttrTag sent by the server is always "Two", which
>> is of
>> > course consistent with the above.
>> >
>> > In fact, I can try different camel-case versions of abcxyz, not
>> necessarily
>> > with matching entries in /etc/raddb/users, and in all cases my server
>> will
>> > just use the entry for abcxyz in that file. I.e. my FreeRADIUS server
>> > processes user names case-insensitively.
>>
>>   The default configuration for the "users" file is to be case
>> sensitive.  So if it is case INsensitive, you changed something in your
>> local configuration.
>>
>> > Can my FreeRADIUS server be configured so that it processes user names
>> (not
>> > passwords) in a case-sensitive way? In the example above, abcxyz and
>> abcXYZ
>> > would be two different users, with two different passwords.  I have
>> seen a
>> > few suggestions on the net, but they seem to be constrained to version
>> 2.*
>> > servers.
>>
>>   http://wiki.freeradius.org/list-help
>>
>>   Post the debug output.  We say this EVERYWHERE in the documentation,
>> and pretty much daily on the list.
>>
>>   Alan DeKok.
>>
>>
>>
>>
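The lookup behaviour the thread pins down (the `files` module's `key` xlat lower-casing User-Name before the users-file match, so that abcXYZ is served the abcxyz entry and must present abcxyz's password) can be checked offline. The block below is an added example, not FreeRADIUS code and not from the thread's author: a small Python emulation of the two `key` settings from mods-available/files, a minimal users-file parser and matcher, and the PAP compare, run against a constructed users file copied from the thread. The matching rules it implements (exact name match or DEFAULT, first match in file order wins, only the `==`, `!=`, `:=` and `=` operators) are simplifications assumed for the example; Fall-Through, other operators and the real xlat engine are not modelled. It also exercises the Stripped-User-Name branch of the xlat, which the thread's request never reaches because no realm was stripped.

```python
import hmac
import re

# Constructed users file mirroring the thread's entries (comments stripped and
# the 'User-Password !=' lines dropped). An entry's check items sit on its
# first line; reply items follow on indented lines.
USERS_FILE = """\
DEFAULT Framed-Protocol == PPP
  Framed-Protocol = PPP,
  Framed-Compression = Van-Jacobson-TCP-IP

abcXYZ Cleartext-Password := "MyPassword1"
  MyAttrTag = "One"

abcxyz Cleartext-Password := "MyPassword2"
  MyAttrTag = "Two"
"""

# 'Attr op value[, ...]' -- only the operators used above are modelled.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,\s]+)\s*,?')


def parse_items(text):
    """Parse 'Attr op value, Attr op value' into (attr, op, value) tuples."""
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Split a users file into entries with their names, items and line numbers."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] in ' \t':                       # indented: reply items
            entries[-1]['reply'].extend(parse_items(line))
        else:                                      # new entry: name + check items
            name, _, rest = line.partition(' ')
            entries.append({'name': name, 'line': lineno,
                            'check': parse_items(rest), 'reply': []})
    return entries


def files_key(request, lowercase):
    """Emulates the two 'key' xlats from mods-available/files (an assumption of
    this example, not FreeRADIUS's xlat engine): Stripped-User-Name when set,
    otherwise User-Name, lower-cased only under the %{tolower:...} variant."""
    stripped = request.get('Stripped-User-Name')
    if stripped:
        return stripped
    name = request.get('User-Name', '')
    return name.lower() if lowercase else name


def check_passes(item, request, control):
    """Evaluate one check item; ':=' sets a control attribute and always passes."""
    attr, op, value = item
    if op == ':=':
        control[attr] = value
        return True
    actual = request.get(attr)
    if actual is None:                             # absent attribute: no match
        return False
    return actual == value if op == '==' else actual != value


def authorize(entries, request, lowercase):
    """First entry in file order whose name equals the key exactly (the exact
    compare is what makes the default key case-sensitive) or is DEFAULT, and
    whose check items all pass."""
    key = files_key(request, lowercase)
    for entry in entries:
        if entry['name'] not in (key, 'DEFAULT'):
            continue
        control = {}
        if all(check_passes(item, request, control) for item in entry['check']):
            return entry, control
    return None, {}


def authenticate(users_text, request, lowercase):
    """Authorize via the users file, then do the PAP compare seen in the debug log."""
    entry, control = authorize(parse_users(users_text), request, lowercase)
    if entry is None or 'Cleartext-Password' not in control:
        return {'accept': False, 'entry': None, 'reply': {}}
    # The password itself is always compared case-sensitively; a constant-time
    # compare is used here as any password check should.
    ok = hmac.compare_digest(control['Cleartext-Password'].encode(),
                             request.get('User-Password', '').encode())
    return {'accept': ok, 'entry': entry['name'], 'line': entry['line'],
            'reply': {a: v for a, _, v in entry['reply']} if ok else {}}


if __name__ == '__main__':
    # Constructed request matching the thread: abcXYZ with abcxyz's password.
    req = {'User-Name': 'abcXYZ', 'User-Password': 'MyPassword2'}
    for lowercase in (True, False):
        print('tolower key' if lowercase else 'default key', '->',
              authenticate(USERS_FILE, req, lowercase))
```

Running it prints the outcome for both key settings. With the tolower key only the entry whose name is already all lower-case can ever match, so the two entries differing only in case collapse into one identity: abcXYZ is accepted with abcxyz's password and receives abcxyz's reply attributes, exactly what the debug output shows. With the default key each entry is reachable only by its exact spelling, and the wrong password is rejected.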

