User name case insensitivity - revisited

Matthew Newton mcn at
Sat Jun 11 22:19:22 UTC 2022

On 11/06/2022 19:21, Luveh Keraph wrote:
> I thought I had grasped what is involved in making FreeRADIUS 3.0.* to
> process user names in a case-insensitive way, but I am not so sure now.
> Here is what I have done:
> First, I added the following line in my /etc/raddb/mods-enabled/files:
>      key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"

i.e. "look up Stripped-User-Name in whatever case it is in, but if that 
doesn't exist convert the full User-Name to lowercase and look that up 

I doubt that's what you want - probably tolower both of them.

> I have the following entry in my /etc/raddb/users file:
> ijk_user1 User-Password != "IJKpassword1"
> ijk_user1 Cleartext-Password := "IJKpassword1"

Why the first line? That doesn't make any sense. Just the second line.

> With this, when I try to ssh as IJK_User1 (notice the mixed case) into a
> system that turns over authentication to my FreeRADIUS server, I get the
> following debugging information at this server:

Don't use any more than just -X. The extra -x's just make everything 
hard to read, for no benefit.

> Which is fine: the user name gets converted from IJK_User1 to ijk_user1 and
> the authentication with password IJKpassword1 succeeds, as expected.


> I then changed  the relevant entry in my /etc/raddb/users file as follows:
> IJK_User1 User-Password != "IJKpassword1"
> IJK_User1 Cleartext-Password := "IJKpassword1"

So you're looking up a lowercase username, compared against a username 
with uppercase characters in it. Doubt that will go well.

> Sat Jun 11 11:48:54 2022 : WARNING: (0) pap: No "known good" password found > for the user.  Not setting Auth-Type

Hmm, nope. It didn't.

> If I understand things correctly, the key = ... line that I added to the
> files file does indeed recast the incoming user name to lowercase. However,
> the FreeRADIUS server still compares incoming user names against those in
> the users file in a case sensitive way.  This is fine, but not quite what I
> was looking for.
> Is it possible to get FreeRADIUS to compare user names (and user
> names alone - not passwords)  in a real case-insensitive way against those
> in the /etc/raddb/users file?

You control the users file. Write the entries there in lower case, then 
the lowercase username will match.


More information about the Freeradius-Users mailing list