Radius user name case sensitive sensitivity

arriflex

I cannot find someplace in the FreeRADIUS interface to turn off case sensitive usernames. Currently I am using radius for the pfSense captive portal on to authenticate indefinitely apartment tenants in a a building networked with UniFi AP's. Everything is working basically as expected but the users themselves often try various capitalization schemes with their usernames when authenticating through the CP.

I think I found a variable "case_sensitive = yes/no" that can be modified in the radiusd.conf file. My concern is that if I modify that file (I assume I can figure out how to do it through the shell) will it remain intact through GUI modifications subsequently? Does it even work if set to "no"?

arri

pfSense on Alix:
2.0.3-PRERELEASE (i386) built on Wed Feb 13 12:43:57 EST 2013
FreeBSD 8.1-RELEASE-p13

FreeRadius2 version: 2.1.12_1 pkg v1.6.6_4

Nachtfalke

@arriflex:

I cannot find someplace in the FreeRADIUS interface to turn off case sensitive usernames. Currently I am using radius for the pfSense captive portal on 2.0.3-PRERELEASE (i386) built on Wed Feb 13 12:43:57 EST 2013 FreeBSD 8.1-RELEASE-p13 to authenticate indefinitely apartment tenants in a a building networked with UniFi AP's. Everything is working basically as expected but the users themselves often try various capitalization schemes with their usernames when authenticating through the CP.

I think I found a variable "case_sensitive = yes/no" that can be modified in the radiusd.conf file. My concern is that if I modify that file (I assume I can figure out how to do it through the shell) will it remain intact through GUI modifications subsequently? Does it even work if set to "no"?

arri

The problem will be that the option "lower_user = yes" is deprecated in freeradius 2.x It was only valid in 1.x
I was searching for such a solution some months ago but I could not remember any good solution. If you find one please let me know.

arriflex

Good to know, thank you. I'll report back if I figure something out for the radius configuration that is sustainable.

My big issue is that I found most touch based devices were auto-capitalizing the username from the CP so I gave tenants User## for their username. Unfortunately their laptops are not doing that and boy howdy does it cause a lot of confusion. There really aren't so many users that I can't just do it by hand, but it could become a management nightmare later.

While I'm at it, I need to figure out a decent security but easier to input password for them as the form 12345-67890 is not making it from their lease paperwork to their devices appropriately!

arri

Nachtfalke

a way to do that could be "unlage" - the radius scriptng language. Perhaps some code on the default server in the pre-auth section which transforms the letters.

This could be something which is "easy" to implement on code and GUI but would be only possible for all authentication processes and not for separate usernames. But I don't think this would be a big problem.

http://freeradius.org/radiusd/man/unlang.html
I think of the possibility to "update" an request and the "User-Name" and then do some regex and replace all capitalized letters with small letters.

Nachtfalke

There is some dialogue on freeradius mailing lists:
http://lists.freeradius.org/pipermail/freeradius-users/2013-April/066212.html

Alan Dekok is one of the developers of freeradius. He is an absolute expert in freeradius but - in my opinion - he is not very polite when posting on the list.

As far as I understand him you could add something like the following in "../raddb/policy.conf"


if (User-Password) {
	update request {
		User-Password := "%{tolower:%{User-Password}}"
	}
}

Perhaps you cann follow this conversation and test and if you found a solution post it here that we can implement this into GUI.