Freeradius-Users Digest, Vol 183, Issue 16
Luveh Keraph
1.41421 at gmail.com
Fri Jul 10 16:30:23 CEST 2020
To answer my own question:
In my etc/raddb/mods-available/files file I have the following (among other
things):
# The default key attribute to use for matches. The content
# of this attribute is used to match the "name" of the
# entry.
# key = "%{%{Stripped-User-Name}:-%{User-Name}}"
key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
After uncommenting the first 'key' line, commenting out the second 'key'
line, and relaunching the server, the username received is treated in a
case-sensitive way.
Thanks for encouraging me to check out the debugging data.
On Fri, Jul 10, 2020 at 8:20 AM Luveh Keraph <1.41421 at gmail.com> wrote:
> Here is a copy of my users file, with all comments removed:
>
>
> DEFAULT Framed-Protocol == PPP
>         Framed-Protocol = PPP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>         Framed-Protocol = SLIP,
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>         Framed-Protocol = SLIP
>
> abcXYZ User-Password != "MyPassword1"
> abcXYZ Cleartext-Password := "MyPassword1"
>        MyAttrTag = "One"
>
> abcxyz User-Password != "MyPassword2"
> abcxyz Cleartext-Password := "MyPassword2"
>        MyAttrTag = "Two"
>
> And here's debugging information obtained at the FreeRADIUS server,
> launched with -sxXf when a client is requesting to be authenticated as
> abcXYZ over SSH, but using the password assigned to abcxyz in the users
> file. A line that reads EXPAND
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} would seem to reveal that
> the received username is indeed converted to all lowercase by the
> FreeRADIUS server. I searched for references to the above in the FreeRADIUS
> files, and here is what I found:
>
> ../raddb/mods-available/couchbase: user_key = "raduser_%{md5:%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}}"
> ../raddb/mods-available/couchbase:# simul_vkey = "%{tolower:%{%{Stripped-User-Name}:-%{User-Name}}}"
> ../raddb/mods-available/files: key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"
>
> Is it just a matter of getting rid of the 'key' line in the files
> directory?
>
> Fri Jul 10 07:49:59 2020 : Debug: (39) Received Access-Request Id 57 from 192.168.0.67:44859 to 192.168.0.23:1812 length 92
> Fri Jul 10 07:49:59 2020 : Debug: (39) User-Name = "abcXYZ"
> Fri Jul 10 07:49:59 2020 : Debug: (39) User-Password = "MyPassword2"
> Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-IP-Address = 192.168.0.67
> Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Identifier = "sshd"
> Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Port = 22973
> Fri Jul 10 07:49:59 2020 : Debug: (39) NAS-Port-Type = Virtual
> Fri Jul 10 07:49:59 2020 : Debug: (39) Service-Type = Authenticate-Only
> Fri Jul 10 07:49:59 2020 : Debug: (39) Calling-Station-Id = "192.168.0.23"
> Fri Jul 10 07:49:59 2020 : Debug: (39) session-state: No State attribute
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section authorize from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39) authorize {
> Fri Jul 10 07:49:59 2020 : Debug: (39) policy filter_username {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) -> TRUE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ / /) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ / /) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@[^@]*@/ ) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.\./ ) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.\./ ) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.$/) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /\.$/) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@\./) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&User-Name =~ /@\./) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # if (&User-Name) = notfound
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # policy filter_username = notfound
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling preprocess (rlm_preprocess)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from preprocess (rlm_preprocess)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [preprocess] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling chap (rlm_chap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from chap (rlm_chap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [chap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling mschap (rlm_mschap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from mschap (rlm_mschap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [mschap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling digest (rlm_digest)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from digest (rlm_digest)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [digest] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling suffix(rlm_realm)
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: Checking for suffix after "@"
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No '@' in User-Name = "abcXYZ", looking up realm NULL
> Fri Jul 10 07:49:59 2020 : Debug: (39) suffix: No such realm "NULL"
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from suffix (rlm_realm)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [suffix] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling eap (rlm_eap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) eap: No EAP-Message, not doing EAP
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from eap (rlm_eap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [eap] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling files (rlm_files)
> Fri Jul 10 07:49:59 2020 : Debug: %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Fri Jul 10 07:49:59 2020 : Debug: Parsed xlat tree:
> Fri Jul 10 07:49:59 2020 : Debug: XLAT-IF {
> Fri Jul 10 07:49:59 2020 : Debug: attribute --> Stripped-User-Name
> Fri Jul 10 07:49:59 2020 : Debug: }
> Fri Jul 10 07:49:59 2020 : Debug: XLAT-ELSE {
> Fri Jul 10 07:49:59 2020 : Debug: xlat --> tolower
> Fri Jul 10 07:49:59 2020 : Debug: {
> Fri Jul 10 07:49:59 2020 : Debug: attribute --> User-Name
> Fri Jul 10 07:49:59 2020 : Debug: }
> Fri Jul 10 07:49:59 2020 : Debug: }
> Fri Jul 10 07:49:59 2020 : Debug: (39) files: EXPAND %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Fri Jul 10 07:49:59 2020 : Debug: (39) files: --> abcxyz
> Fri Jul 10 07:49:59 2020 : Debug: (39) files: users: Matched entry abcxyz at line 16
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from files (rlm_files)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [files] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling expiration (rlm_expiration)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from expiration (rlm_expiration)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [expiration] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling logintime (rlm_logintime)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from logintime (rlm_logintime)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [logintime] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: calling pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authorize]: returned from pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [pap] = updated
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # authorize = updated
> Fri Jul 10 07:49:59 2020 : Debug: (39) Found Auth-Type = PAP
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing group from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39) Auth-Type PAP {
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authenticate]: calling pap(rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Login attempt with password "MyPassword2" (9)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: Comparing with "known good" Cleartext-Password "MyPassword2" (9)
> Fri Jul 10 07:49:59 2020 : Debug: (39) pap: User authenticated successfully
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[authenticate]: returned from pap (rlm_pap)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [pap] = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # Auth-Type PAP = ok
> Fri Jul 10 07:49:59 2020 : Debug: (39) # Executing section post-auth from file /usr/local/freeradius-server-3.0.20/etc/raddb/sites-enabled/default
> Fri Jul 10 07:49:59 2020 : Debug: (39) post-auth {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) update {
> Fri Jul 10 07:49:59 2020 : Debug: (39) No attributes updated for RHS &session-state:
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # update = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: calling exec (rlm_exec)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: returned from exec (rlm_exec)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [exec] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) policy remove_reply_message_if_eap {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&reply:EAP-Message && &reply:Reply-Message) {
> Fri Jul 10 07:49:59 2020 : Debug: (39) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> Fri Jul 10 07:49:59 2020 : Debug: (39) else {
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: calling noop (rlm_always)
> Fri Jul 10 07:49:59 2020 : Debug: (39) modsingle[post-auth]: returned from noop (rlm_always)
> Fri Jul 10 07:49:59 2020 : Debug: (39) [noop] = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # else = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # policy remove_reply_message_if_eap = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) } # post-auth = noop
> Fri Jul 10 07:49:59 2020 : Debug: (39) Sent Access-Accept Id 57 from 192.168.0.23:1812 to 192.168.123.67:44859 length 0
> Fri Jul 10 07:49:59 2020 : Debug: (39) MyAttrTag = "Two"
> Fri Jul 10 07:49:59 2020 : Debug: (39) Finished request
> Fri Jul 10 07:49:59 2020 : Debug: Waking up in 4.9 seconds.
> Fri Jul 10 07:50:04 2020 : Debug: (39) Cleaning up request packet ID 57 with timestamp +150091
> Fri Jul 10 07:50:04 2020 : Info: Ready to process requests
>
> On Thu, Jul 9, 2020 at 12:19 PM <freeradius-users-request at lists.freeradius.org> wrote:
>
>>
>> On Jul 9, 2020, at 11:12 AM, Luveh Keraph <1.41421 at gmail.com> wrote:
>> >
>> > I have a FreeRADIUS 3.0.20 server with the following entries in
>> > /etc/raddb/users:
>> >
>> > abcXYZ User-Password != "MyPassword1"
>> > abcXYZ Cleartext-Password := "MyPassword1"
>> >        MyAttrTag = "One"
>> >
>> > abcxyz User-Password != "MyPassword2"
>> > abcxyz Cleartext-Password := "MyPassword2"
>> >        MyAttrTag = "Two"
>> >
>> > MyAttrTag is a VSA of my own, which both client and server are aware of.
>>
>> OK.
>>
>> > When I try to authenticate abcXYZ against this server (with radtest, or by
>> > SSH through PAM) the password I have to supply is MyPassword2 - MyPassword1
>> > will not work. When the authentication is successfully completed, I can see
>> > that the value of MyAttrTag sent by the server is always "Two", which is of
>> > course consistent with the above.
>> >
>> > In fact, I can try different camel-case versions of abcxyz, not necessarily
>> > with matching entries in /etc/raddb/users, and in all cases my server will
>> > just use the entry for abcxyz in that file. I.e. my FreeRADIUS server
>> > processes user names case-insensitively.
>>
>> The default configuration for the "users" file is to be case
>> sensitive. So if it is case INsensitive, you changed something in your
>> local configuration.
>>
>> > Can my FreeRADIUS server be configured so that it processes user names (not
>> > passwords) in a case-sensitive way? In the example above, abcxyz and abcXYZ
>> > would be two different users, with two different passwords. I have seen a
>> > few suggestions on the net, but they seem to be constrained to version 2.*
>> > servers.
>>
>> http://wiki.freeradius.org/list-help
>>
>> Post the debug output. We say this EVERYWHERE in the documentation,
>> and pretty much daily on the list.
>>
>> Alan DeKok.
>>
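The mechanism this thread turns on, as an added example (my own model, not FreeRADIUS code): rlm_files matches a users-file entry on the expanded "key" xlat, so wrapping User-Name in tolower makes "abcXYZ" select the abcxyz entries, while the default key keeps the two spellings apart. The users-file text below is a constructed copy of the thread's entries; Fall-Through and the other check operators are not modelled.

```python
import re

# Constructed copy of the two users-file entries from the thread (comments removed).
USERS_FILE = """\
abcXYZ  User-Password != "MyPassword1"
abcXYZ  Cleartext-Password := "MyPassword1"
        MyAttrTag = "One"

abcxyz  User-Password != "MyPassword2"
abcxyz  Cleartext-Password := "MyPassword2"
        MyAttrTag = "Two"
"""
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|!=|==|=)\s*"([^"]*)"')

def parse_users(text):
    """(name, check_items, reply_items) per entry; an indented line holds reply items."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        items = ITEM_RE.findall(line)
        if line[0].isspace():
            entries[-1][2].extend(items)
        else:
            entries.append((line.split()[0], items, []))
    return entries

def expand_key(request, lowercase):
    """Default key %{%{Stripped-User-Name}:-%{User-Name}} (lowercase=False) versus
    the thread's %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}} (lowercase=True)."""
    stripped = request.get("Stripped-User-Name")
    return stripped or (request["User-Name"].lower() if lowercase else request["User-Name"])

def check_passes(request, control, items):
    """':=' sets a control attribute; '==' and '!=' compare against the request."""
    for attr, op, value in items:
        if op == ":=":
            control[attr] = value
        elif op in ("==", "=") and request.get(attr) != value:
            return False
        elif op == "!=" and request.get(attr) == value:
            return False
    return True

def authorize(entries, request, lowercase):
    """First entry whose name equals the key and whose checks pass (no Fall-Through).
    Returns (name, control, reply); control carries the Cleartext-Password rlm_pap uses."""
    key = expand_key(request, lowercase)
    for name, checks, reply in entries:
        control = {}
        if name == key and check_passes(request, control, checks):
            return name, control, {a: v for a, _, v in reply}
    return None
```

With the tolower key, the request for abcXYZ with MyPassword2 lands on the abcxyz entry and gets MyAttrTag "Two", exactly as in the debug output above; with the default key the same request matches the first abcXYZ entry, which sets no Cleartext-Password, so rlm_pap has nothing to compare against.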