Problem: FreeRADIUS rewrites machine hostnames to lowercase and breaks LDAP lookups

Problem

When authenticating Windows machine accounts via 802.1X/EAP-TLS, FreeRADIUS rewrites the incoming User-Name to lowercase.
If LDAP entries rely on uppercase hostnames, the rewritten identifier does not match any group membership. As a result, authorization steps such as VLAN assignment may fail.

Example transformation:

NB07304$  →  nb07304$

The lowercase value cannot be found in LDAP if the hostname is stored in uppercase.


Symptoms

  • 802.1X machine authentication succeeds but authorization fails
  • Group lookups for VLAN assignment return no result
  • Debug output shows lowercase machine identifiers
  • LDAP contains the hostname only in uppercase

Environment

  • UCS with FreeRADIUS 3.x
  • Windows machine authentication (host/<hostname>)
  • LDAP environments where hostname casing is relevant
  • Default FreeRADIUS site configuration

Root Cause

In /etc/freeradius/3.0/sites-available/default, machine account matching is implemented using tolower:

if ("%{tolower:%{request:User-Name}}" =~ /^host\/(.*)\.example.intranet/) {

The expression forces the User-Name to lowercase before extracting the hostname. The resulting rewritten value is later used for LDAP lookups.
In environments where hostname casing matters, the lowercase value no longer matches directory objects.

This behaviour has been reported as Bug 58914.


Workaround

Replace the lowercase comparison with a case-insensitive regular expression and preserve the original captured value:

if ("%{request:User-Name}" =~ /(?i)^host\/(.*)\.example.intranet/) {
    update request {
        User-Name := "%{1}$"
    }
}

Explanation:

  • (?i) performs a case-insensitive match
  • %{1} returns the original hostname (casing preserved)
  • $ is appended for Windows machine accounts
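To make the difference between the two rewrites concrete, here is an added Python illustration (not part of the original post or of FreeRADIUS) that emulates both unlang variants against a constructed, case-sensitive stand-in for the directory; the example.intranet suffix and the group names are assumptions.

```python
import re

# Mirrors the workaround's pattern: case-insensitive match on
# "host/<hostname>.example.intranet", capturing the hostname as typed.
# The domain suffix is taken from the page's example and is an assumption.
MACHINE_RE = re.compile(r"^host/(.*)\.example\.intranet", re.IGNORECASE)


def rewrite_lowercase(user_name: str) -> str:
    """Emulates the original site config: tolower first, then match.

    The capture is therefore always lowercase, even if the client sent it
    in uppercase.
    """
    m = MACHINE_RE.match(user_name.lower())
    return f"{m.group(1)}$" if m else user_name


def rewrite_preserving_case(user_name: str) -> str:
    """Emulates the workaround: match case-insensitively ((?i)), but keep
    the captured hostname unchanged and append the '$' machine suffix.

    Non-machine identities (no host/ prefix, other domain) pass through.
    """
    m = MACHINE_RE.match(user_name)
    return f"{m.group(1)}$" if m else user_name


# Constructed stand-in for group membership keyed by the account name
# exactly as stored in LDAP (uppercase hostnames, as on the page).
LDAP_GROUPS = {
    "NB07304$": "vlan-clients",   # constructed sample entry
    "SRV01$": "vlan-servers",     # constructed sample entry
}


def lookup_vlan(account: str):
    """Case-sensitive lookup, as the page describes for the affected LDAP."""
    return LDAP_GROUPS.get(account)


if __name__ == "__main__":
    name = "host/NB07304.example.intranet"
    for fn in (rewrite_lowercase, rewrite_preserving_case):
        acct = fn(name)
        print(f"{fn.__name__}: {name} -> {acct} -> {lookup_vlan(acct)}")
```

Running it shows the tolower variant producing nb07304$ with no group hit, while the case-preserving variant yields NB07304$ and resolves the VLAN group.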

Restart FreeRADIUS after applying the change:

systemctl restart freeradius.service

Result

LDAP lookups use the unmodified hostname. Case-sensitive group membership and VLAN policies work as expected.

Additional Notes

  • Behaviour originates from Windows machine account handling in FreeRADIUS
  • No changes are required in UCS or LDAP
  • The workaround is configuration-only and does not modify directory objects

Related Information

  • Bug 58914 (hostname casing during rewrite)
  • FreeRADIUS regex and rewrite documentation