Solving Case Insensitivity Issues in Freeradius with MySQL
Introduction: When you install Freeradius with MySQL, you may find that customers can log in no matter how their username is capitalized. For example, “DFGT” and “DFGt” would both authorize successfully. This can be resolved by making a few changes to the Freeradius configuration files.
Problem: In a fresh installation of Freeradius with MySQL, the authorization check and reply queries are case-insensitive. Usernames are therefore not matched in a case-sensitive manner, which can be a security issue for some applications.
radtest AL6RNs netpap localhost 3 testing123

    radtest AL6RNx netpap localhost 3 testing123
    Sent Access-Request Id 68 from 0.0.0.0:51104 to 127.0.0.1:1819 length 76
        User-Name = "AL6RNx"
        User-Password = "AL6RNx"
    Received Access-Accept Id 68 from 127.0.0.1:1819 to 0.0.0.0:0 length 68

This authenticates the same way as the following request, where only the case of the final character differs:

    radtest AL6RNX netpap localhost 3 testing123
    Sent Access-Request Id 68 from 0.0.0.0:51104 to 127.0.0.1:1819 length 76
        User-Name = "AL6RNX"
        User-Password = "AL6RNX"
    Received Access-Accept Id 68 from 127.0.0.1:1819 to 0.0.0.0:0 length 68

Solution:
To solve this, open the queries file:

    vim /etc/raddb/mods-config/sql/main/mysql/queries.conf

and uncomment the code block below:

    authorize_check_query = "\
        SELECT id, username, attribute, value, op \
        FROM ${authcheck_table} \
        WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY id"

    authorize_reply_query = "\
        SELECT id, username, attribute, value, op \
        FROM ${authreply_table} \
        WHERE username = BINARY '%{SQL-User-Name}' \
        ORDER BY id"

Then comment out the following block of code:

    #authorize_check_query = "\
    #    SELECT id, username, attribute, value, op \
    #    FROM ${authcheck_table} \
    #    WHERE username = '%{SQL-User-Name}' \
    #    ORDER BY id"

    #authorize_reply_query = "\
    #    SELECT id, username, attribute, value, op \
    #    FROM ${authreply_table} \
    #    WHERE username = '%{SQL-User-Name}' \
    #    ORDER BY id"
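
The difference between the two query forms, plus an audit for accounts that differ only by case, as an added example that is not part of the original post. It assumes a MySQL scratch database; the table `radcheck_demo`, its rows and the `utf8mb4_general_ci` collation are constructed for illustration.

```sql
-- Constructed demo table mirroring the columns the Freeradius queries select.
CREATE TABLE radcheck_demo (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL,
  attribute VARCHAR(64)  NOT NULL,
  op        CHAR(2)      NOT NULL DEFAULT ':=',
  value     VARCHAR(253) NOT NULL,
  KEY username (username)
) DEFAULT CHARSET = utf8mb4 COLLATE = utf8mb4_general_ci;

-- Constructed sample rows: two accounts that differ only by case.
INSERT INTO radcheck_demo (username, attribute, op, value) VALUES
  ('AL6RNx', 'Cleartext-Password', ':=', 'AL6RNx'),
  ('al6rnx', 'Cleartext-Password', ':=', 'other-secret'),
  ('bob',    'Cleartext-Password', ':=', 'bob-secret');

-- Default query shape: a _ci collation ignores case, so a request for
-- 'AL6RNX' returns the check items of BOTH stored accounts (2 rows).
SELECT id, username, attribute, value, op
FROM radcheck_demo
WHERE username = 'AL6RNX'
ORDER BY id;

-- BINARY query shape: byte-for-byte comparison, so 'AL6RNX' matches
-- nothing (0 rows) and 'AL6RNx' matches only its own row (1 row).
SELECT id, username, attribute, value, op
FROM radcheck_demo
WHERE username = BINARY 'AL6RNX'
ORDER BY id;

SELECT id, username, attribute, value, op
FROM radcheck_demo
WHERE username = BINARY 'AL6RNx'
ORDER BY id;

-- Audit before switching: usernames that collide under the
-- case-insensitive comparison but are distinct byte-for-byte.
SELECT LOWER(username) AS folded,
       COUNT(DISTINCT BINARY username) AS variants,
       GROUP_CONCAT(username ORDER BY id SEPARATOR ', ') AS usernames
FROM radcheck_demo
GROUP BY LOWER(username)
HAVING variants > 1;

DROP TABLE radcheck_demo;
```

Running the audit query against the real check and reply tables shows which accounts have been sharing a lookup result under the default queries.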