I'm a newbie with freeradius (understand radius protocol though), and I'm struggling with some basics of configuration re: digest authentication and use of postgresql for subscriber database. I haven't found much documentation so far on the freeradius site about authentication using sql (besides the basic install of the schema), and I feel I'm probably missing something/somewhere, so please feel free to point me towards docs if this is covered somewhere. Anyways, my simple attempt at digest authentication is currently failing. Here is what I have done: 1. Provisioned the following simple data in my postgresql radius database (this is the area where I'm most in the dark, any pointers to information on the purpose and use of each of these tables would be useful): radius=# select * from radreply ; id | username | attribute | op | value ----+----------+--------------+----+------- 1 | dhorton | Idle-Timeout | == | 60 (1 row) radius=# select * from radcheck ; id | username | attribute | op | value ----+----------+-----------+----+------- 1 | dhorton | Password | == | 0276 (1 row) radius=# select * from usergroup ; id | username | groupname ----+----------+----------- 2 | dhorton | pactolus (1 row) 2. Edited my radiusd.conf file to uncomment the 'digest' lines in the 'authorize' and 'authenticate' sections. 3. Send an access-request message that looks like this (here is debug output from radiusd): rad_recv: Access-Request packet from host 10.10.105.11:1812, id=1, length=579 User-Name = "dhorton" User-Password = "NULL" NAS-IP-Address = 10.10.105.11 NAS-Port = 0 Cisco-AVPair = "h323-incoming-conf-id=664A92F5 C5305B22 A8C5F339 06C5803D" h323-conf-id = "h323-conf-id=68F37347 92CF847A 3676C449 5361F60E" Cisco-NAS-Port = "0:0" Cisco-AVPair = "sip-hdr=From: Dave Horton <sip:dhorton@voip.dogan.com>" Cisco-AVPair = "sip-hdr=Authorization: Digest username="dhorton",realm="voip.dogan.com",nonce="3e320b5b5dbd4a37cb7168b f607455b5",response="325d8976711bc76a7c1a25b53c8b0cf9",uri="sip:voip.dog an.com"" Acct-Status-Type = Start NAS-Port-Type = Virtual Digest-Response = "325d8976711bc76a7c1a25b53c8b0cf9" Digest-Attributes = 0x0110766f69702e646f67616e2e636f6d02223365333230623562356462643461333763 62373136386266363037343535623504147369703a766f69702e646f67616e2e636f6d03 0a52454749535445520a0964686f72746f6e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m% d expands to /usr/local/var/log/radius/radacct/10.10.105.11/auth-detail-20051019 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_digest: Converting Digest-Attributes to something sane... Digest-Realm = "voip.dogan.com" Digest-Nonce = "3e320b5b5dbd4a37cb7168bf607455b5" Digest-URI = "sip:voip.dogan.com" Digest-Method = "REGISTER" Digest-User-Name = "dhorton" rlm_digest: Adding Auth-Type = DIGEST modcall[authorize]: module "digest" returns ok for request 0 rlm_realm: No '@' in User-Name = "dhorton", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 radius_xlat: 'dhorton' rlm_sql (sql): sql_set_user escaped user --> 'dhorton' radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'dhorton' ??ORDER BY id' rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radcheck ??WHERE Username = 'dhorton' ??ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id' rlm_sql_postgresql: query: SELECT radgroupcheck.id, radgroupcheck.GroupName, ??radgroupcheck.Attribute, radgroupcheck.Value,radgroupcheck.Op ??FROM radgroupcheck, usergroup ??WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupcheck.GroupName ??ORDER BY radgroupcheck.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'dhorton' ??ORDER BY id' rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op ??FROM radreply ??WHERE Username = 'dhorton' ??ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = radius_xlat: 'SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id' rlm_sql_postgresql: query: SELECT radgroupreply.id, radgroupreply.GroupName, radgroupreply.Attribute, ??radgroupreply.Value, radgroupreply.Op ??FROM radgroupreply,usergroup ??WHERE usergroup.Username = 'dhorton' AND usergroup.GroupName = radgroupreply.GroupName ??ORDER BY radgroupreply.id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: affected rows = rlm_sql (sql): No matching entry in the database for request from user [dhorton] rlm_sql (sql): Released sql socket id: 4 modcall[authorize]: module "sql" returns notfound for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type DIGEST auth: type "digest" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_digest: Configuration item "User-Password" is required for authentication. modcall[authenticate]: module "digest" returns invalid for request 0 modcall: group authenticate returns invalid for request 0 auth: Failed to validate the user. Login incorrect: [dhorton/NULL] (from client pcs-network port 0)