Captive Portal and Radius, username in lowercase and uppercase validation



  • Hi

    Using a Captive Portal back to Windows Server 2008 NPS. Working perfectly.
    Have "Enable Pass-through MAC automatic additions" enabled and that works; it will add XX:XX:XX:XX:XX:XX for user xxxxxx to the pass-through MAC list.

    The issue is that I have Disable concurrent logins enabled, as I only want users to have 1 device on the network. But if I enroll one device using the name joe, it will add that, but you can then add another one using the name Joe, and JOe and JOE. There seems to be no case-sensitive validation on the username field in the portal.

    Anyone come across this? Or a solution to it?

    Thanks



  • Hi,

    Yep, it's possible.
    But it isn't a setting somewhere; you have to edit the source.

    Open this file: /usr/local/captiveportal/index.php
    (while it loads, read this: http://stackoverflow.com/questions/1486723/does-php-include-toupper-and-tolower-functions )

    Find line 181; it should read this:

        $auth_list = radius($user,$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);

        $auth_list = radius($user,strtolower($paswd),$clientip,$clientmac,"USER LOGIN", $radiusctx);


    This will force all entered 'password' characters into lower case.
    In your authentication database, all passwords should be stored in lowercase.

    There are NO side effects, just keep in mind that when you update pfSense, your manual edits could be lost.


  • LAYER 8 Netgate

    Or this, maybe:

    $auth_list = radius(strtolower($user),$paswd,$clientip,$clientmac,"USER LOGIN", $radiusctx);
    

    You could also strtolower() the password, but that would just be to let people log in with capslock on.  If you do you need to make sure you also strtolower() the password before you save it/hash it/etc in whatever RADIUS is using as a backend.

    Back in the dialup days we used to have some logic that would lowercase the password and try again if the initial login failed and the entered password wasn't mixed case.  Kept the phone from ringing unnecessarily.  Today, that would just give the assholes two tries for every attempt.
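    An added example, not pfSense's captive portal code and not from either reply, showing how the lowercasing suggested above can be applied to the username consistently: the same normalized form is used both for the RADIUS call and for the concurrent-login check, so joe, Joe and JOE are treated as one account, while the password is passed exactly as typed (lowercasing it, as the last reply points out, only weakens the credential). normalize_username(), has_other_device() and the $active_sessions array are assumptions constructed for this example; the radius() call in the trailing comment uses the signature shown in the thread. mb_strtolower() assumes the mbstring extension is available.

    ```php
    <?php
    // Added example, not pfSense code. Normalize the captive-portal username
    // before the concurrent-login check so "joe", "Joe" and "JOE" count as one
    // user. The function names and the $active_sessions layout are assumptions.

    /**
     * Canonical form of a username for comparison and storage:
     * surrounding whitespace trimmed, Unicode-aware lowercase.
     * The password is deliberately never passed through this.
     */
    function normalize_username(string $user): string {
        return mb_strtolower(trim($user), 'UTF-8');
    }

    /**
     * True when a session already exists for the same normalized username
     * but a different MAC address, i.e. a second device for that user.
     * A re-login from the same MAC is not a concurrent login.
     * $active_sessions is a list of ['user' => ..., 'mac' => ...] entries.
     */
    function has_other_device(string $user, string $mac, array $active_sessions): bool {
        $norm_user = normalize_username($user);
        $norm_mac  = strtolower($mac);           // MAC hex digits are case-insensitive
        foreach ($active_sessions as $s) {
            if (normalize_username($s['user']) === $norm_user
                && strtolower($s['mac']) !== $norm_mac) {
                return true;
            }
        }
        return false;
    }

    // Constructed sample data: one device already enrolled for "joe".
    $active_sessions = [
        ['user' => 'joe', 'mac' => 'AA:BB:CC:DD:EE:01'],
    ];

    // Constructed login attempts: a second device under a differently-cased
    // spelling, the original device logging in again, and an unrelated user.
    $attempts = [
        ['user' => 'Joe',  'mac' => 'AA:BB:CC:DD:EE:02'],
        ['user' => 'JOE',  'mac' => 'aa:bb:cc:dd:ee:01'],
        ['user' => 'jane', 'mac' => 'AA:BB:CC:DD:EE:03'],
    ];

    foreach ($attempts as $a) {
        $blocked = has_other_device($a['user'], $a['mac'], $active_sessions);
        printf("%-5s %s -> %s\n", $a['user'], $a['mac'],
            $blocked ? 'rejected (concurrent login)' : 'allowed');
    }

    // At the point where index.php calls RADIUS, pass the normalized name and
    // the password exactly as entered (assumed placement; signature from the thread):
    //   $auth_list = radius(normalize_username($user), $paswd, $clientip, $clientmac, "USER LOGIN", $radiusctx);
    ```

    The normalized form should also be what gets written into the pass-through MAC list and any session store; if only the RADIUS call is lowercased but the concurrent-login check still compares the raw string, the duplicate-device problem from the original post remains.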

