To answer my own question: In my etc/raddb/mods-available/files file I have the following (among other things): # The default key attribute to use for matches. The content # of this attribute is used to match the "name" of the # entry. # key = "%{%{Stripped-User-Name}:-%{User-Name}}" key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}" After uncommenting the first 'key' line, commenting out the second 'key' line, and relaunching the server, the username received is treated in a case-sensitive way. Thanks for encouraging me to check out the debugging data. On Fri, Jul 10, 2020 at 8:20 AM Luveh Keraph <1.41421@gmail.com> wrote:
Here is a copy of my users file, with all comments remove:
DEFAULT Framed-Protocol == PPP Framed-Protocol = PPP, Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP" Framed-Protocol = SLIP, Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP" Framed-Protocol = SLIP
abcXYZ User-Password != "MyPassword1" abcXYZ Cleartext-Password := "MyPassword1" MyAttrTag = "One"
abcxyz User-Password != "MyPassword2" abcxyz Cleartext-Password := "MyPassword2" MyAttrTag = "Two"
And here's debugging information obtained at the FreeRADIUS server, launched with -sxXf when a client is requesting to be authenticated as abcXYZ over SSH, but using the password assigned to abcxyz in the users file. A line that reads EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} would seem to reveal that the received username is indeed converted to all lowercase by the FreeRADIUS server. I searched for references to the above in the FreeRADIUS files, and here is what I found:
../raddb/mods-available/couchbase: user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}" ../raddb/mods-available/couchbase:# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}" ../raddb/mods-available/files: key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
Is it just a matter of getting rid of the 'key' line in the files directory?
Fri Jul 10 07:49:59 2020 : Debug: (39) Received Access-Request Id 57 from 192.168.0.67:44859 to 192.168.0.23:1812 length 92 Fri Jul 10 07:49:59 2020 : Debug: (39) User-Name = "abcXYZ" Fri Jul 10 07:49:59 2020 : Debug: (39) User-Password = "MyPassword2" Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-IP-Address = 192.168.0.67 Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Identifier = "sshd" Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Port = 22973 Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Port-Type = Virtual Fri Jul 10 07:49:59 2020 : Debug: (39) Service-Type = Authenticate-Only Fri Jul 10 07:49:59 2020 : Debug: (39) Calling-Station-Id = "192.168.0.23" Fri Jul 10 07:49:59 2020 : Debug: (39) session-state: No State attribute Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section authorize from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default Fri Jul 10 07:49:59 2020 : Debug: (39) authorize { Fri Jul 10 07:49:59 2020 : Debug: (39) policy filter_username { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) -> TRUE Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ / /) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ / /) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@[^@]*@/ ) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.\./ ) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.\./ ) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { Fri Jul 10 07:49:59 2020 : Debug: (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.$/) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.$/) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@\./) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@\./) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) } # if (&User-Name) = notfound Fri Jul 10 07:49:59 2020 : Debug: (39) } # policy filter_username = notfound Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling preprocess (rlm_preprocess) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from preprocess (rlm_preprocess) Fri Jul 10 07:49:59 2020 : Debug: (39) [preprocess] = ok Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling chap (rlm_chap) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from chap (rlm_chap) Fri Jul 10 07:49:59 2020 : Debug: (39) [chap] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling mschap (rlm_mschap) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from mschap (rlm_mschap) Fri Jul 10 07:49:59 2020 : Debug: (39) [mschap] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling digest (rlm_digest) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from digest (rlm_digest) Fri Jul 10 07:49:59 2020 : Debug: (39) [digest] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling suffix(rlm_realm) Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: Checking for suffix after "@" Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No '@' in User-Name = "abcXYZ", looking up realm NULL Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No such realm "NULL" Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from suffix (rlm_realm) Fri Jul 10 07:49:59 2020 : Debug: (39) [suffix] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling eap (rlm_eap) Fri Jul 10 07:49:59 2020 : Debug: (39) eap: No EAP-Message, not doing EAP Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from eap (rlm_eap) Fri Jul 10 07:49:59 2020 : Debug: (39) [eap] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling files (rlm_files) Fri Jul 10 07:49:59 2020 : Debug: %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} Fri Jul 10 07:49:59 2020 : Debug: Parsed xlat tree: Fri Jul 10 07:49:59 2020 : Debug: XLAT-IF { Fri Jul 10 07:49:59 2020 : Debug: attribute --> Stripped-User-Name Fri Jul 10 07:49:59 2020 : Debug: } Fri Jul 10 07:49:59 2020 : Debug: XLAT-ELSE { Fri Jul 10 07:49:59 2020 : Debug: xlat --> tolower Fri Jul 10 07:49:59 2020 : Debug: { Fri Jul 10 07:49:59 2020 : Debug: attribute --> User-Name Fri Jul 10 07:49:59 2020 : Debug: } Fri Jul 10 07:49:59 2020 : Debug: } Fri Jul 10 07:49:59 2020 : Debug: (39) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} Fri Jul 10 07:49:59 2020 : Debug: (39) files: --> abcxyz Fri Jul 10 07:49:59 2020 : Debug: (39) files: users: Matched entry abcxyz at line 16 Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from files (rlm_files) Fri Jul 10 07:49:59 2020 : Debug: (39) [files] = ok Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling expiration (rlm_expiration) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from expiration (rlm_expiration) Fri Jul 10 07:49:59 2020 : Debug: (39) [expiration] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling logintime (rlm_logintime) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from logintime (rlm_logintime) Fri Jul 10 07:49:59 2020 : Debug: (39) [logintime] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling pap (rlm_pap) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from pap (rlm_pap) Fri Jul 10 07:49:59 2020 : Debug: (39) [pap] = updated Fri Jul 10 07:49:59 2020 : Debug: (39) } # authorize = updated Fri Jul 10 07:49:59 2020 : Debug: (39) Found Auth-Type = PAP Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing group from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default Fri Jul 10 07:49:59 2020 : Debug: (39) Auth-Type PAP { Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authenticate]: calling pap(rlm_pap) Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Login attempt with password "MyPassword2" (9) Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Comparing with "known good" Cleartext-Password "MyPassword2" (9) Fri Jul 10 07:49:59 2020 : Debug: (39) pap: User authenticated successfully Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authenticate]: returned from pap (rlm_pap) Fri Jul 10 07:49:59 2020 : Debug: (39) [pap] = ok Fri Jul 10 07:49:59 2020 : Debug: (39) } # Auth-Type PAP = ok Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section post-auth from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default Fri Jul 10 07:49:59 2020 : Debug: (39) post-auth { Fri Jul 10 07:49:59 2020 : Debug: (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) update { Fri Jul 10 07:49:59 2020 : Debug: (39) No attributes updated for RHS &session-state: Fri Jul 10 07:49:59 2020 : Debug: (39) } # update = noop Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: calling exec (rlm_exec) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: returned from exec (rlm_exec) Fri Jul 10 07:49:59 2020 : Debug: (39) [exec] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) policy remove_reply_message_if_eap { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&reply:EAP-Message && &reply:Reply-Message) { Fri Jul 10 07:49:59 2020 : Debug: (39) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Fri Jul 10 07:49:59 2020 : Debug: (39) else { Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: calling noop (rlm_always) Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: returned from noop (rlm_always) Fri Jul 10 07:49:59 2020 : Debug: (39) [noop] = noop Fri Jul 10 07:49:59 2020 : Debug: (39) } # else = noop Fri Jul 10 07:49:59 2020 : Debug: (39) } # policy remove_reply_message_if_eap = noop Fri Jul 10 07:49:59 2020 : Debug: (39) } # post-auth = noop Fri Jul 10 07:49:59 2020 : Debug: (39) Sent Access-Accept Id 57 from 192.168.0.23:1812 to 192.168.123.67:44859 length 0 Fri Jul 10 07:49:59 2020 : Debug: (39) MyAttrTag = "Two" Fri Jul 10 07:49:59 2020 : Debug: (39) Finished request Fri Jul 10 07:49:59 2020 : Debug: Waking up in 4.9 seconds. Fri Jul 10 07:50:04 2020 : Debug: (39) Cleaning up request packet ID 57 with timestamp +150091 Fri Jul 10 07:50:04 2020 : Info: Ready to process requests
On Thu, Jul 9, 2020 at 12:19 PM < freeradius-users-request@lists.freeradius.org> wrote:
On Jul 9, 2020, at 11:12 AM, Luveh Keraph <1.41421@gmail.com> wrote:
I have a FreeRADIUS 3.0.20 server with the following entries in /etc/raddb/users:
abcXYZ User-Password != "MyPassword1" abcXYZ Cleartext-Password := "MyPassword1" MyAttrTag = "One"
abcxyz User-Password != "MyPassword2" abcxyz Cleartext-Password := "MyPassword2" MyAttrTag = "Two"
MyAttrTag is a VSA of my own, which both client and server are aware of.
OK.
When I try to authenticate abcXYZ against this server (with radtest, or by SSH through PAM) the password I have to supply is MyPassword2 - MyPassword1 will not work. When the authentication is successfully completed, I can see that the value of MyAttrTag sent by the server is always "Two", which is of course consistent with the above.
In fact, I can try different camel-case versions of abcxyz, not necessarily with matching entries in /etc/raddb/users, and in all cases my server will just use the entry for abcxyz in that file. I.e. my FreeRADIUS server processes user names case-insensitively.
The default configuration for the "users" file is to be case sensitive. So if it is case INsensitive, you changed something in your local configuration.
Can my FreeRADIUS server be configured so that it processes user names (not passwords) in a case-sensitive way? In the example above, abcxyz and abcXYZ would be two different users, with two different passwords. I have seen a few suggestions on the net, but they seem to be constrained to version 2.* servers.
http://wiki.freeradius.org/list-help
Post the debug output. We say this EVERYWHERE in the documentation, and pretty much daily on the list.
Alan DeKok.