Project

General

Profile

Feature #9704

Enable filter_username

Added by Andrew Webster 3 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
08/27/2019
Due date:
% Done:

0%

Estimated time:

Description

Filtering the username passed into freeRadius can be beneficial in the case where the captive portal is authenticating users against the radius authentication server.
Why, because mobile devices are prone to capitalizing the username in the input field, whereas laptops are not, creating confusion and an overall poor user experience.
Whilst it would make sense to tackle the issue in the captive portal authentication itself, the authentication routine is shared with a number of other functions in pfSense, consequently, using freeRadius as the authentication server makes more sense in this scenario.

By enabling the filter_username in the authorize section of /usr/local/etc/raddb/sites-enabled/default, further configuration can be carried out in filter_username function of /usr/local/etc/raddb/policy.d/filter.
Currently /usr/local/pkg/freeradius.inc hard-codes this as disabled when it writes out the /usr/local/etc/raddb/sites-enabled/default file.
This could either be a setting in Package / FreeRADIUS: Settings / Settings / Miscellaneous section where a checkbox could be provided to enable the feature to retain backward compatibility with previous installations.
Alternatively, it could just enable a configuration to force the username to lowercase.

A couple of other mods are required to fix filter_username, as the examples in filter are broken out of the box.

Also available in: Atom PDF