Authentication fails when username contains specific characters.

Alan DeKok aland at
Fri Jan 4 19:55:02 CET 2019

On Jan 4, 2019, at 3:35 AM, Izumi <hatosaburepoppo at> wrote:
> Authentication fails when the username contains the next 23 characters.
> (like Andy1 and Burt1)
> 23 chars -> !#$%&()*+,;<=>?[]^`{|}~

  What's happening is that the server is protecting you from SQL injection attacks.

  See:  /mods-config/sql/main/mysql/queries.conf

  And the "safe_characters" configuration option.  You can list more characters there, but your users will then be able to "own" your SQL database.

> However, the authentication not fail when the password contains that 23
> characters. (like Eddy)
> What do I need to do to solve the problem of Andy1 and Burt1 ?

  Don't use special characters in user names.

> I read debug output and tried Andy2 and Burt2. (Enter equals sign and ASCII
> code in Hex (e.g. '=2B' for '+'))
> I found out that it will succeed in authentication, but is there any other
> solution ?
> Do I have to do this conversion each time I add a user ?
> I attached .bash_history and all files that may be useful.

  Don't do that.  We document the information we need.  You get told what information we need when you join the mailing list.

  Alan DeKok.

More information about the Freeradius-Users mailing list