newbie question on using digest authentication with postgresql

Horton, Dave dhorton at pactolus.com
Wed Oct 19 20:02:59 CEST 2005


I'm a newbie with freeradius (understand radius protocol though), and
I'm struggling with some basics of configuration re: digest
authentication and use of postgresql for subscriber database.  I haven't
found much documentation so far on the freeradius site about
authentication using sql (besides the basic install of the schema), and
I feel I'm probably missing something/somewhere, so please feel free to
point me towards docs if this is covered somewhere.

Anyways, my simple attempt at digest authentication is currently
failing.  Here is what I have done:

1.  Provisioned the following simple data in my postgresql radius
database (this is the area where I'm most in the dark, any pointers to
information on the purpose and use of each of these tables would be
useful):

radius=# select * from radreply ;
 id | username |  attribute   | op | value
----+----------+--------------+----+-------
  1 | dhorton  | Idle-Timeout | == | 60
(1 row)

radius=# select * from radcheck ;
 id | username | attribute | op | value
----+----------+-----------+----+-------
  1 | dhorton  | Password  | == | 0276
(1 row)

radius=# select * from usergroup ;
 id | username | groupname
----+----------+-----------
  2 | dhorton  | pactolus
(1 row)

2. Edited my radiusd.conf file to uncomment the 'digest' lines in the
'authorize' and 'authenticate' sections.

3. Sent an Access-Request message that looks like this (here is debug
output from radiusd):

rad_recv: Access-Request packet from host 10.10.105.11:1812, id=1, length=579
        User-Name = "dhorton"
        User-Password = "NULL"
        NAS-IP-Address = 10.10.105.11
        NAS-Port = 0
        Cisco-AVPair = "h323-incoming-conf-id=664A92F5 C5305B22 A8C5F339 06C5803D"
        h323-conf-id = "h323-conf-id=68F37347 92CF847A 3676C449 5361F60E"
        Cisco-NAS-Port = "0:0"
        Cisco-AVPair = "sip-hdr=From: Dave Horton <sip:dhorton at voip.dogan.com>"
        Cisco-AVPair = "sip-hdr=Authorization: Digest username="dhorton",realm="voip.dogan.com",nonce="3e320b5b5dbd4a37cb7168bf607455b5",response="325d8976711bc76a7c1a25b53c8b0cf9",uri="sip:voip.dogan.com""
        Acct-Status-Type = Start
        NAS-Port-Type = Virtual
        Digest-Response = "325d8976711bc76a7c1a25b53c8b0cf9"
        Digest-Attributes = 0x0110766f69702e646f67616e2e636f6d02223365333230623562356462643461333763623731363862663630373435356235 04147369703a766f69702e646f67616e2e636f6d030a52454749535445520a0964686f72746f6e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
        Digest-Realm = "voip.dogan.com"
        Digest-Nonce = "3e320b5b5dbd4a37cb7168bf607455b5"
        Digest-URI = "sip:voip.dogan.com"
        Digest-Method = "REGISTER"
        Digest-User-Name = "dhorton"
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
    rlm_realm: No '@' in User-Name = "dhorton", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
radius_xlat:  'dhorton'
rlm_sql (sql): sql_set_user escaped user --> 'dhorton'
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'dhorton' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'dhorton' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op FROM radgroupcheck, usergroup WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'dhorton' ORDER BY id'
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radreply WHERE Username = 'dhorton' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
radius_xlat:  'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, radgroupreply.Value, radgroupreply.Op FROM radgroupreply,usergroup WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: affected rows =
rlm_sql (sql): No matching entry in the database for request from user [dhorton]
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns notfound for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_digest: Configuration item "User-Password" is required for authentication.
  modcall[authenticate]: module "digest" returns invalid for request 0
modcall: group authenticate returns invalid for request 0
auth: Failed to validate the user.
Login incorrect: [dhorton/NULL] (from client pcs-network port 0)
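The debug output above shows the two halves of what the server has to do with a Digest request: rlm_digest first unpacks the Digest-Attributes TLV string into Digest-Realm, Digest-Nonce, Digest-URI, Digest-Method and Digest-User-Name, and then, in the authenticate section, needs a cleartext password to recompute the RFC 2617 response and compare it with Digest-Response. The Python below is an added example written for this page, not code from the post or from FreeRADIUS. It decodes the captured Digest-Attributes bytes exactly as they appear in the debug output, recomputes an MD5 digest response, and verifies it. The password 'example-pw' used in the round trip is an assumption for illustration; the example makes no claim about whether the captured response corresponds to the value in radcheck.

```python
import hashlib
import hmac

# Sub-attribute numbers rlm_digest decodes inside Digest-Attributes (RFC 5090 later
# standardised the same numbering).
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-Qop", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Digest-Attributes and Digest-Response copied from the debug output above.
CAPTURED_DIGEST_ATTRIBUTES = bytes.fromhex(
    "0110766f69702e646f67616e2e636f6d"
    "02223365333230623562356462643461333763623731363862663630373435356235"
    "04147369703a766f69702e646f67616e2e636f6d"
    "030a5245474953544552"
    "0a0964686f72746f6e"
)
CAPTURED_DIGEST_RESPONSE = "325d8976711bc76a7c1a25b53c8b0cf9"


def parse_digest_attributes(blob: bytes) -> dict:
    """Decode the TLV string: 1-byte type, 1-byte length (counting the 2-byte
    header itself), value.  Truncated or overlong entries are rejected rather
    than read past the end of the attribute."""
    attrs, offset = {}, 0
    while offset < len(blob):
        if offset + 2 > len(blob):
            raise ValueError(f"truncated sub-attribute header at offset {offset}")
        subtype, length = blob[offset], blob[offset + 1]
        if length < 2 or offset + length > len(blob):
            raise ValueError(f"bad sub-attribute length {length} at offset {offset}")
        name = DIGEST_SUBTYPES.get(subtype, f"Digest-Unknown-{subtype}")
        attrs[name] = blob[offset + 2:offset + length].decode("ascii")
        offset += length
    return attrs


def is_well_formed(blob: bytes) -> bool:
    """True if the blob decodes cleanly; False when the length checks fire."""
    try:
        parse_digest_attributes(blob)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def _md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nonce_count=None, cnonce=None) -> str:
    """RFC 2617 MD5 digest: HA1 = MD5(user:realm:password), HA2 = MD5(method:uri).
    The captured REGISTER carries no qop, so response = MD5(HA1:nonce:HA2)."""
    ha1 = _md5hex(f"{username}:{realm}:{password}")
    ha2 = _md5hex(f"{method}:{uri}")
    if qop:
        if nonce_count is None or cnonce is None:
            raise ValueError("qop requires Digest-Nonce-Count and Digest-CNonce")
        return _md5hex(f"{ha1}:{nonce}:{nonce_count}:{cnonce}:{qop}:{ha2}")
    return _md5hex(f"{ha1}:{nonce}:{ha2}")


def verify_digest(attrs: dict, response: str, cleartext_password: str) -> bool:
    """The authenticate step: recompute the response from the decoded
    sub-attributes and the cleartext check item, compare in constant time."""
    expected = digest_response(
        attrs["Digest-User-Name"], attrs["Digest-Realm"], cleartext_password,
        attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"],
        qop=attrs.get("Digest-Qop"), nonce_count=attrs.get("Digest-Nonce-Count"),
        cnonce=attrs.get("Digest-CNonce"),
    )
    return hmac.compare_digest(expected, response.lower())


def decode_captured_request() -> dict:
    """The 'converting Digest-Attributes to something sane' step, on the captured bytes."""
    return parse_digest_attributes(CAPTURED_DIGEST_ATTRIBUTES)


if __name__ == "__main__":
    attrs = decode_captured_request()
    for name, value in attrs.items():
        print(f"{name} = {value!r}")
    # Constructed round trip with an assumed password 'example-pw'; the password
    # behind the captured Digest-Response is not known here and is not checked.
    resp = digest_response(attrs["Digest-User-Name"], attrs["Digest-Realm"], "example-pw",
                           attrs["Digest-Method"], attrs["Digest-URI"], attrs["Digest-Nonce"])
    print("right password accepted:", verify_digest(attrs, resp, "example-pw"))
    print("wrong password rejected:", not verify_digest(attrs, resp, "not-it"))
```

The round trip shows why rlm_digest insists on a cleartext check item: with MD5 digest the server itself must be able to form HA1 = MD5(username:realm:password), so a value stored as a one-way hash of the password alone cannot be used to verify a Digest response. Note also that the captured request carries no qop, hence no cnonce or nonce count; the nonce the server issued is the only replay protection, and the server has to track its freshness.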
