I thought I had grasped what is involved in making FreeRADIUS 3.0.* to process user names in a case-insensitive way, but I am not so sure now. Here is what I have done: First, I added the following line in my /etc/raddb/mods-enabled/files: key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}" I launched my FreeRADIUS server after ths. I have the following entry in my /etc/raddb/users file: ijk_user1 User-Password != "IJKpassword1" ijk_user1 Cleartext-Password := "IJKpassword1" With this, when I try to ssh as IJK_User1 (notice the mixed case) into a system that turns over authentication to my FreeRADIUS server, I get the following debugging information at this server: Sat Jun 11 11:02:25 2022 : Debug: (0) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} Sat Jun 11 11:02:25 2022 : Debug: (0) files: --> ijk_user1 Sat Jun 11 11:02:25 2022 : Debug: (0) files: users: Matched entry ijk_user1 at line 447 Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) Sat Jun 11 11:02:25 2022 : Debug: (0) [files] = ok Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration) Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration) Sat Jun 11 11:02:25 2022 : Debug: (0) [expiration] = noop Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime) Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime) Sat Jun 11 11:02:25 2022 : Debug: (0) [logintime] = noop Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap) Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap) Sat Jun 11 11:02:25 2022 : Debug: (0) [pap] = updated Sat Jun 11 11:02:25 2022 : Debug: (0) } # authorize = updated Sat Jun 11 11:02:25 2022 : Debug: (0) Found Auth-Type = PAP Sat Jun 11 11:02:25 2022 : Debug: (0) # Executing group from file /etc/raddb/sites-enabled/default Sat Jun 11 11:02:25 2022 : Debug: (0) Auth-Type PAP { Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authenticate]: calling pap (rlm_pap) Sat Jun 11 11:02:25 2022 : Debug: (0) pap: Login attempt with password "IJKpassword1" (12) Sat Jun 11 11:02:25 2022 : Debug: (0) pap: Comparing with "known good" Cleartext-Password "IJKpassword1" (12) Sat Jun 11 11:02:25 2022 : Debug: (0) pap: User authenticated successfully Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[authenticate]: returned from pap (rlm_pap) Sat Jun 11 11:02:25 2022 : Debug: (0) [pap] = ok Sat Jun 11 11:02:25 2022 : Debug: (0) } # Auth-Type PAP = ok Sat Jun 11 11:02:25 2022 : Debug: (0) # Executing section post-auth from file /etc/raddb/sites-enabled/default Sat Jun 11 11:02:25 2022 : Debug: (0) post-auth { Sat Jun 11 11:02:25 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) { Sat Jun 11 11:02:25 2022 : Debug: (0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE Sat Jun 11 11:02:25 2022 : Debug: (0) update { Sat Jun 11 11:02:25 2022 : Debug: (0) No attributes updated for RHS &session-state: Sat Jun 11 11:02:25 2022 : Debug: (0) } # update = noop Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: calling exec (rlm_exec) Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: returned from exec (rlm_exec) Sat Jun 11 11:02:25 2022 : Debug: (0) [exec] = noop Sat Jun 11 11:02:25 2022 : Debug: (0) policy remove_reply_message_if_eap { Sat Jun 11 11:02:25 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) { Sat Jun 11 11:02:25 2022 : Debug: (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE Sat Jun 11 11:02:25 2022 : Debug: (0) else { Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: calling noop (rlm_always) Sat Jun 11 11:02:25 2022 : Debug: (0) modsingle[post-auth]: returned from noop (rlm_always) Sat Jun 11 11:02:25 2022 : Debug: (0) [noop] = noop Sat Jun 11 11:02:25 2022 : Debug: (0) } # else = noop Sat Jun 11 11:02:25 2022 : Debug: (0) } # policy remove_reply_message_if_eap = noop Sat Jun 11 11:02:25 2022 : Debug: (0) } # post-auth = noop Sat Jun 11 11:02:25 2022 : Debug: (0) Sent Access-Accept Id 64 from 192.168.0.55. 23:1812 to 192.168.0.66:60600 length 0 Which is fine: the user name gets converted from IJK_User1 to ijk_user1 and the authentication with password IJKpassword1 succeeds, as expected. I then changed the relevant entry in my /etc/raddb/users file as follows: IJK_User1 User-Password != "IJKpassword1" IJK_User1 Cleartext-Password := "IJKpassword1" After restarting the FreeRADIUS server I attempted the same log in as before. This is what I got in my traces: Sat Jun 11 11:48:54 2022 : Debug: (0) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} Sat Jun 11 11:48:54 2022 : Debug: (0) files: --> ijk_user1 Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from files (rlm_files) Sat Jun 11 11:48:54 2022 : Debug: (0) [files] = noop Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling expiration (rlm_expiration) Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from expiration (rlm_expiration) Sat Jun 11 11:48:54 2022 : Debug: (0) [expiration] = noop Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling logintime (rlm_logintime) Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from logintime (rlm_logintime) Sat Jun 11 11:48:54 2022 : Debug: (0) [logintime] = noop Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: calling pap (rlm_pap) Sat Jun 11 11:48:54 2022 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type Sat Jun 11 11:48:54 2022 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available Sat Jun 11 11:48:54 2022 : Debug: (0) modsingle[authorize]: returned from pap (rlm_pap) Sat Jun 11 11:48:54 2022 : Debug: (0) [pap] = noop Sat Jun 11 11:48:54 2022 : Debug: (0) } # authorize = ok Sat Jun 11 11:48:54 2022 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject Sat Jun 11 11:48:54 2022 : Debug: (0) Failed to authenticate the user Sat Jun 11 11:48:54 2022 : Debug: (0) Using Post-Auth-Type Reject If I understand things correctly, the key = ... line that I added to the files file does indeed recast the incoming user name to lowercase. However, the FreeRADIUS server still compares incoming user names against those in the users file in a case sensitive way. This is fine, but not quite what I was looking for. Is it possible to get FreeRADIUS to compare user names (and user names alone - not passwords) in a real case-insensitive way against those in the /etc/raddb/users file?