User name case insensitivity - revisited

Alan DeKok aland at
Sat Jun 11 22:22:03 UTC 2022

On Jun 11, 2022, at 2:21 PM, Luveh Keraph <1.41421 at> wrote:
> I thought I had grasped what is involved in making FreeRADIUS 3.0.* to
> process user names in a case-insensitive way, but I am not so sure now.

  That's a bit of an incorrect understanding.  The server is composed of a bunch of modules.  Each module has it's own configuration.  You should be able to configure a particular module to do lowercase checking.

> Here is what I have done:
> First, I added the following line in my /etc/raddb/mods-enabled/files:
>    key = "%{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}"


	key = "%{tolower:%{%{Stripped-Users-Name}:-%{User-Name}}}"

  This picks either Stripped-User-Name OR User-Name,  and then lowercases the result.

  The line you have above only lowercases User-Name, and leaves Stripped-User-Name along.

> I launched my FreeRADIUS server after ths.
> I have the following entry in my /etc/raddb/users file:
> ijk_user1 User-Password != "IJKpassword1"
> ijk_user1 Cleartext-Password := "IJKpassword1"

  Lowercase names there are goo.0

> With this, when I try to ssh as IJK_User1 (notice the mixed case) into a
> system that turns over authentication to my FreeRADIUS server, I get the
> following debugging information at this server:
> Sat Jun 11 11:02:25 2022 : Debug: (0) files: EXPAND
> %{%{Stripped-User-Name}:-%{tolower:%{User-Name}}}
> Sat Jun 11 11:02:25 2022 : Debug: (0) files:    --> ijk_user1
> Sat Jun 11 11:02:25 2022 : Debug: (0) files: users: Matched entry ijk_user1
> at line 447

  So it matches, that's good.
> Sat Jun 11 11:02:25 2022 : Debug: (0) Sent Access-Accept Id 64 from
> 23:1812 to length 0
> Which is fine: the user name gets converted from IJK_User1 to ijk_user1 and
> the authentication with password IJKpassword1 succeeds, as expected.

  That's good.

> I then changed  the relevant entry in my /etc/raddb/users file as follows:
> IJK_User1 User-Password != "IJKpassword1"
> IJK_User1 Cleartext-Password := "IJKpassword1"

   That won't work.

  The "key" configuration is lowercasing the User-Name from the packet.  That lowercased name is then used to compare with the names in the "users" file.  The comparison there is cases sensitive.

  So it won't work.

> If I understand things correctly, the key = ... line that I added to the
> files file does indeed recast the incoming user name to lowercase.


> However,
> the FreeRADIUS server still compares incoming user names against those in
> the users file in a case sensitive way.

  That's how it works.

>  This is fine, but not quite what I was looking for.

  The first example works.  Why worry about it?

> Is it possible to get FreeRADIUS to compare user names (and user
> names alone - not passwords)  in a real case-insensitive way against those
> in the /etc/raddb/users file?


  There's no configuration item, which says "do comparisons in a case insensitive way".

  Your first configuration is correct.  Use it.  Why would you put names into the "users" file in random uppercase / lowercase?

  Alan DeKok.

More information about the Freeradius-Users mailing list