Dear Users -- This is my first posting to the FreeRADIUS users list, so please be patient :) I'm working on an installation of FreeRADIUS which seeks to leverage Postgres as a user store. Here are the basics of my platform: - CentOS 6.4 x86 - FreeRADIUS version 2.1.12 w/the following packages installed: # rpm -qa | grep radius freeradius-python-2.1.12-4.el6_3.i686 freeradius-2.1.12-4.el6_3.i686 freeradius-postgresql-2.1.12-4.el6_3.i686 freeradius-utils-2.1.12-4.el6_3.i686 - PostgreSQL server v/8.4.13 with the following packages installed: # rpm -qa | grep postgres postgresql-libs-8.4.13-1.el6_3.i686 postgresql-8.4.13-1.el6_3.i686 freeradius-postgresql-2.1.12-4.el6_3.i686 postgresql-server-8.4.13-1.el6_3.i686 Before attempting to integrate Postgres into the mix, I confirmed I had a working installation using /etc/raddb/users as a user store: Output of radiusd -X on startup: # radiusd -X FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 3 2012 at 01:20:08 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm NULL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client MY.PUBLIC.IP.ADDRESS { require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_postgresql" server = "localhost" port = "5432" login = "DBusername" password = "DBpassword" radius_db = "DBname" read_groups = yes sqltrace = yes sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (sql): Attempting to connect to DBusername@localhost:5432/DBname rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4 rlm_sql (sql): Connected new DB handle, #4 Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 50615 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. radiusd -X output when a connection attempt is made: rad_recv: Access-Request packet from host MY.PUBLIC.IP.ADDRESS port 46082, id=212, length=81 User-Name = "radiususer" User-Password = "radiususerPW" NAS-IP-Address = MY.PUBLIC.IP.ADDRESS NAS-Port = 1812 Message-Authenticator = 0x9a4e81ce77f497c38f6011cbb6f92c1f # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radiususer", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "radiususer" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry radiususer at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "radiususerPW" [pap] Using clear text password "radiususerPW" [pap] User authenticated successfully ++[pap] returns ok Login OK: [radiususer/radiususerPW] (from client MY.PUBLIC.IP.ADDRESS port 1812) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 212 to MY.PUBLIC.IP.ADDRESS port 46082 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 212 with timestamp +332 Ready to process requests. The radtest command of said connection attempt: # radtest radiususer radiususerPW 127.0.0.1 1812 testing123 Sending Access-Request of id 42 to 127.0.0.1 port 1812 User-Name = "radiususer" User-Password = "radiususerPW" NAS-IP-Address = MY.PUBLIC.IP.ADDRESS NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=20 As a sanity check, after making numerous changes to my configs, I reverted back to flatfile based auth by simply reverting the authorization {} section of /etc/raddb/sites-available/default from 'sql' back to 'files'. Flatfile based auth, as shown above, works great. Here's the output of radiusd -X startup with 'sql' enabled in /etc/raddb/sites-available/default: # radiusd -X FreeRADIUS Version 2.1.12, for host i386-redhat-linux-gnu, built on Oct 3 2012 at 01:20:08 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/modules/ including configuration file /etc/raddb/modules/expr including configuration file /etc/raddb/modules/expiration including configuration file /etc/raddb/modules/soh including configuration file /etc/raddb/modules/pam including configuration file /etc/raddb/modules/acct_unique including configuration file /etc/raddb/modules/rediswho including configuration file /etc/raddb/modules/detail.log including configuration file /etc/raddb/modules/unix including configuration file /etc/raddb/modules/sqlcounter_expire_on_login including configuration file /etc/raddb/modules/smbpasswd including configuration file /etc/raddb/modules/attr_filter including configuration file /etc/raddb/modules/passwd including configuration file /etc/raddb/modules/policy including configuration file /etc/raddb/modules/pap including configuration file /etc/raddb/modules/counter including configuration file /etc/raddb/modules/logintime including configuration file /etc/raddb/modules/radutmp including configuration file /etc/raddb/modules/detail including configuration file /etc/raddb/modules/files including configuration file /etc/raddb/modules/mac2vlan including configuration file /etc/raddb/modules/mschap including configuration file /etc/raddb/modules/chap including configuration file /etc/raddb/modules/checkval including configuration file /etc/raddb/modules/cui including configuration file /etc/raddb/modules/opendirectory including configuration file /etc/raddb/modules/realm including configuration file /etc/raddb/modules/ippool including configuration file /etc/raddb/modules/digest including configuration file /etc/raddb/modules/echo including configuration file /etc/raddb/modules/attr_rewrite including configuration file /etc/raddb/modules/wimax including configuration file /etc/raddb/modules/otp including configuration file /etc/raddb/modules/preprocess including configuration file /etc/raddb/modules/inner-eap including configuration file /etc/raddb/modules/ntlm_auth including configuration file /etc/raddb/modules/linelog including configuration file /etc/raddb/modules/always including configuration file /etc/raddb/modules/replicate including configuration file /etc/raddb/modules/sradutmp including configuration file /etc/raddb/modules/perl including configuration file /etc/raddb/modules/smsotp including configuration file /etc/raddb/modules/detail.example.com including configuration file /etc/raddb/modules/mac2ip including configuration file /etc/raddb/modules/redis including configuration file /etc/raddb/modules/exec including configuration file /etc/raddb/modules/sql_log including configuration file /etc/raddb/modules/dynamic_clients including configuration file /etc/raddb/modules/etc_group including configuration file /etc/raddb/eap.conf including configuration file /etc/raddb/sql.conf including configuration file /etc/raddb/policy.conf including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/control-socket including configuration file /etc/raddb/sites-enabled/inner-tunnel main { user = "radiusd" group = "radiusd" allow_core_dumps = no } including dictionary file /etc/raddb/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } realm NULL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client MY.PUBLIC.IP.ADDRESS { require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/raddb/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" CA_file = "/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/raddb/certs/dh" random_file = "/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/raddb/modules/preprocess preprocess { huntgroups = "/etc/raddb/huntgroups" hints = "/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /etc/raddb/sql.conf sql { driver = "rlm_sql_postgresql" server = "localhost" port = "5432" login = "DBusername" password = "DBpassword" radius_db = "DBname" read_groups = yes sqltrace = yes sqltracefile = "/var/log/radius/sqltrace.sql" readclients = no deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_postgresql (module rlm_sql_postgresql) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:5432/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_postgresql #4 rlm_sql (sql): Connected new DB handle, #4 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/raddb/modules/files files { usersfile = "/etc/raddb/users" acctusersfile = "/etc/raddb/acct_users" preproxy_usersfile = "/etc/raddb/preproxy_users" compat = "no" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/raddb/modules/detail detail { detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/var/run/radiusd/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 35200 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. Here's the output of radiusd -X when attempting a connection using radtest: rad_recv: Access-Request packet from host MY.PUBLIC.IP.ADDRESS port 34392, id=60, length=81 User-Name = "radiususer" User-Password = "radiususerPW" NAS-IP-Address = MY.PUBLIC.IP.ADDRESS NAS-Port = 1812 Message-Authenticator = 0xf8872e5e9c6a7bbba510ae5d03b8f18c # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "radiususer", looking up realm NULL [suffix] Found realm "NULL" [suffix] Adding Stripped-User-Name = "radiususer" [suffix] Adding Realm = "NULL" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] No EAP-Message, not doing EAP ++[eap] returns noop rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 4 ++[sql] returns fail Invalid user: [radiususer/radiususerPW] (from client MY.PUBLIC.IP.ADDRESS port 1812) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> radiususer attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 60 to MY.PUBLIC.IP.ADDRESS port 34392 Waking up in 4.9 seconds. Here's the output of the radtest command: # radtest radiususer radiususerPW 127.0.0.1 1812 testing123 Sending Access-Request of id 60 to 127.0.0.1 port 1812 User-Name = "radiususer" User-Password = "radiususerPW" NAS-IP-Address = MY.PUBLIC.IP.ADDRESS NAS-Port = 1812 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=60, length=20 I can see from the debug output that it's complaining about the user being invalid. So here's what my DB looks like: DBname=# select * from radcheck; id | username | attribute | op | value ----+-------------+--------------------+----+-------------------- 1 | radiususer | Cleartext-Password | := | radiususerPW DBname=# select * from radreply; id | username | attribute | op | value ----+-------------+-------------------+----+--------------------- 1 | radiususer | Framed-IP-Address | := | MY.PUBLIC.IP.ADDRESS The schema for this DB was created from /etc/raddb/sql/postgresql/schema.sql. None of the other .sql files were imported from this directory. I saw no documentation directing me to do so. Speaking of schema, I did see one oddity in the /etc/raddb/sql/postgres/dialup.conf which differed from the schema I have. I attempted making a change to the SQL query in dialup.conf but it did not change the results provided above: Originally provided in the config: authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id" Note capitalization of the fields and the order of the fields does not match what I have in my schema. I changed it to: authorize_check_query = "SELECT id, username, attribute, op, value \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" Like I said, nothing changed in the result. I also changed the SQL statement for authorize_reply_query to reflect the non-caps fields I have as well as the order of the fields. What else is left to provide as far as details? Here are my configs themselves. For ease of communication, I am using 'grep -v '#" to show only the pertinent parts. /etc/raddb/radiusd.conf # grep -v '#' /etc/raddb/radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc confdir = /etc/raddb localstatedir = /var sbindir = /usr/sbin logdir = ${localstatedir}/log/radius raddbdir = ${sysconfdir}/raddb radacctdir = ${logdir}/radacct name = radiusd confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = radiusd group = radiusd max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf $INCLUDE ${confdir}/sql.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf\ $INCLUDE sites-enabled/ accounting { detail sql } /etc/raddb/sql.conf sql { database = "postgresql" driver = "rlm_sql_${database}" server = "localhost" port = 5432 login = "DBusername" password = "DBpassword" radius_db = "DBname" acct_table1 = "radacct" acct_table2 = "radacct" postauth_table = "radpostauth" authcheck_table = "radcheck" authreply_table = "radreply" groupcheck_table = "radgroupcheck" groupreply_table = "radgroupreply" usergroup_table = "radusergroup" deletestalesessions = yes sqltrace = yes sqltracefile = ${logdir}/sqltrace.sql num_sql_socks = 5 connect_failure_retry_delay = 60 lifetime = 0 max_queries = 0 nas_table = "nas" } /etc/raddb/sql/postgres/dialup.conf sql_user_name = "%{Stripped-User-Name}" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM ${nas_table}" authorize_check_query = "SELECT id, username, attribute, op, value \ FROM ${authcheck_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, op, value \ FROM ${authreply_table} \ WHERE username = '%{SQL-User-Name}' \ ORDER BY id" authorize_group_check_query = "SELECT id, GroupName, Attribute, Value, op \ FROM ${groupcheck_table} \ WHERE GroupName = '%{Sql-Group}' \ ORDER BY id" authorize_group_reply_query = "SELECT id, GroupName, Attribute, Value, op \ FROM ${groupreply_table} \ WHERE GroupName = '%{Sql-Group}' \ ORDER BY id" \accounting_onoff_query = "UPDATE ${acct_table1} \ SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \ AcctSessionTime = (EXTRACT(EPOCH FROM ('%S'::timestamp with time zone - AcctStartTime::timestamp with time zone \ - '%{%{Acct-Delay-Time}:-0}'::interval)))::BIGINT, \ AcctTerminateCause = '%{Acct-Terminate-Cause}', \ AcctStopDelay = 0 \ WHERE AcctStopTime IS NULL \ AND NASIPAddress= '%{NAS-IP-Address}' \ AND AcctStartTime <= '%S'::timestamp" accounting_update_query = "UPDATE ${acct_table1} \ SET FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ AcctSessionTime = '%{Acct-Session-Time}', \ AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \ AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint) \ WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress= '%{NAS-IP-Address}' AND AcctStopTime IS NULL" accounting_update_query_alt = "INSERT INTO ${acct_table1} \ (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \ NASPortId, NASPortType, AcctStartTime, \ AcctSessionTime, AcctAuthentic, AcctInputOctets, \ AcctOutputOctets, CalledStationId, CallingStationId, \ ServiceType, FramedProtocol, FramedIPAddress, XAscendSessionSvrKey) \ VALUES('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', NULLIF('%{Realm}', ''), '%{NAS-IP-Address}', \ %{%{NAS-Port}:-NULL}, '%{NAS-Port-Type}', \ ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \ '%{Acct-Session-Time}', '%{Acct-Authentic}', \ (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \ (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', \ NULLIF('%{Framed-IP-Address}', '')::inet, '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = "INSERT INTO ${acct_table1} \ (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, \ NASPortId, NASPortType, AcctStartTime, AcctAuthentic, \ ConnectInfo_start, CalledStationId, CallingStationId, ServiceType, \ FramedProtocol, FramedIPAddress, AcctStartDelay, XAscendSessionSvrKey) \ VALUES('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ NULLIF('%{Realm}', ''), \ '%{NAS-IP-Address}', \ %{%{NAS-Port}:-NULL}, \ '%{NAS-Port-Type}', \ ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \ '%{Acct-Authentic}', \ '%{Connect-Info}', \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ NULLIF('%{Framed-IP-Address}', '')::inet, \ 0, \ '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = "UPDATE ${acct_table1} \ SET AcctStartTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \ AcctStartDelay = 0, \ ConnectInfo_start = '%{Connect-Info}' \ WHERE AcctSessionId = '%{Acct-Session-Id}' \ AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{NAS-IP-Address}' \ AND AcctStopTime IS NULL" accounting_stop_query = "UPDATE ${acct_table2} \ SET AcctStopTime = ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \ AcctSessionTime = CASE WHEN '%{Acct-Session-Time}' = '' THEN \ (EXTRACT(EPOCH FROM ('%S'::TIMESTAMP WITH TIME ZONE - AcctStartTime::TIMESTAMP WITH TIME ZONE \ - '%{%{Acct-Delay-Time}:-0}'::INTERVAL)))::BIGINT \ ELSE NULLIF('%{Acct-Session-Time}','')::BIGINT END, \ AcctInputOctets = (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \ AcctOutputOctets = (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \ AcctTerminateCause = '%{Acct-Terminate-Cause}', \ AcctStopDelay = 0, \ FramedIPAddress = NULLIF('%{Framed-IP-Address}', '')::inet, \ ConnectInfo_stop = '%{Connect-Info}' \ WHERE AcctSessionId = '%{Acct-Session-Id}' \ AND UserName = '%{SQL-User-Name}' \ AND NASIPAddress = '%{NAS-IP-Address}' \ AND AcctStopTime IS NULL" accounting_stop_query_alt = "INSERT INTO ${acct_table2} \ (AcctSessionId, AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType, AcctStartTime, AcctStopTime, \ AcctSessionTime, AcctAuthentic, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets, CalledStationId, \ CallingStationId, AcctTerminateCause, ServiceType, FramedProtocol, FramedIPAddress, AcctStopDelay) \ values('%{Acct-Session-Id}', \ '%{Acct-Unique-Session-Id}', \ '%{SQL-User-Name}', \ NULLIF('%{Realm}', ''), \ '%{NAS-IP-Address}', \ %{%{NAS-Port}:-NULL}, \ '%{NAS-Port-Type}', \ ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval - '%{%{Acct-Session-Time}:-0}'::interval), \ ('%S'::timestamp - '%{%{Acct-Delay-Time}:-0}'::interval), \ NULLIF('%{Acct-Session-Time}', '')::bigint, '%{Acct-Authentic}', \ '%{Connect-Info}', \ (('%{%{Acct-Input-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Input-Octets}:-0}'::bigint), \ (('%{%{Acct-Output-Gigawords}:-0}'::bigint << 32) + '%{%{Acct-Output-Octets}:-0}'::bigint), \ '%{Called-Station-Id}', \ '%{Calling-Station-Id}', \ '%{Acct-Terminate-Cause}', \ '%{Service-Type}', \ '%{Framed-Protocol}', \ NULLIF('%{Framed-IP-Address}', '')::inet, 0)" group_membership_query = "SELECT GroupName FROM ${usergroup_table} WHERE UserName='%{SQL-User-Name}' ORDER BY priority" postauth_query = "INSERT INTO ${postauth_table} (username, pass, reply, authdate) \ VALUES ('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())" /etc/raddb/sites-available/default authorize { preprocess chap mschap digest suffix eap { ok = return } sql expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp sql exec attr_filter.accounting_response } session { radutmp sql } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } Final notes: - I'm not certain that I'm declaring a default group without PostgreSQL, nor am I aware of how to do this. - When reviewing 'man radiusd', I see instructions to edit certain files: 4) If you need to add a connection to a database FOO (e.g. LDAP or SQL), then: a) Edit raddb/modules/foo This file contains the default configuration for the module. It contains comments describing what can be configured, and what those configuration entries mean. I do not have /etc/raddb/modules/postgresql, or sql. Which file should I be looking to edit here? b) Edit raddb/sites-available/default This file contains the default policy for the server. e.g. "enable CHAP, MS-CHAP, and EAP authentication". Look in this file for all references to your module "foo". Read the comments, and remove the leading hash ’#’ from the lines referencing the module. This enables the module. Is this referring to uncommenting 'sql' for authorization? That's one of the first things I did. c) Edit raddb/sites-available/inner-tunnel This file contains the default policy for the "tunneled" portion of certain EAP methods. Perform the same kind of edits as above, for the "default" file.. If you are not using EAP (802.1X), then this step can be skipped. d) Start the server in debugging mode ( radiusd -X ), and start testing. Apologies in advance if this type of issue has been raised and answered in the past. The FreeRADIUS wiki's SQL HOW-TO references CentOS version 5.1 which is _years_ old at this point. Other Google searches and a couple weeks of independent work on the issue have not been helpful. Thanks in advance for your help. Mark DeCheser
On 08/26/2013 12:10 AM, mdecheser@comcast.net wrote:
Dear Users --
This is my first posting to the FreeRADIUS users list, so please be patient :)
You're already doing pretty well - you actually posted a full debug, which hardly anyone does first time! Ok, so for the SQL case the server startup shows:
authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = ""
...which then causes this:
rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 4 ++[sql] returns fail
i.e. because "authorize_check_query" is blank, the SQL module fails.
I can see from the debug output that it's complaining about the user being invalid.
Sort of; that's the server core talking, based in the SQL module returning. The actual error is a few lines higher up (see above).
authorize_check_query = "SELECT id, UserName, Attribute, Value, Op \ FROM ${authcheck_table} \ WHERE Username = '%{SQL-User-Name}' \ ORDER BY id"
[info on case & ordering of fields]
This isn't actually significant in SQL; it's case-insensitive to table/column names unless you double-quote them, and ordering is as-per the query, not table def. But it's not the cause of your issue.
What else is left to provide as far as details?
Nothing, you've been very comprehensive. The actual problem seems to be that sql/postgres/dialup.conf isn't being read. The 2.x series "sql.conf" basically looks like this: sql { database = "blah" driver = "rlm_sql_${blah} ... $INCLUDE sql/${database}/dialup.conf } Check that this INCLUDE hasn't vanished or gotten lost; if you look right at the top of the server startup, it reads all the config, including all "includ"ing lines, and you can see it loads sql.conf, then policy.conf - there's no message saying it's "including dialup.conf". So, in short, the SQL queries aren't being read from your config file - check the "raddb/sql.conf" file, and compare it to the original, or the one for reference here: https://github.com/FreeRADIUS/freeradius-server/blob/release_2_1_12/raddb/sq... Finally, and not related to your issue - consider upgrading to 2.2.0 as 2.1.12 has security issues and bugs which are fixed.
hi, yes, it was received....over a bank holiday weekend. not surprised you didnt get an answer...we were all enjoying the break. the DB seems to be loading up and being connected to (and you can check this with loggin on the pgsql server...) however, THIS bit is your problems rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: -> [sql] Error generating query; rejecting user rlm_sql (sql): Released sql socket id: 4 ++[sql] returns fail Invalid user: [radiususer/radiususerPW] (from client MY.PUBLIC.IP.ADDRESS port 1812) a blank expansion for the SQL query - what have you done to the dialup.conf file in the postgres directory of sql directory?? you can edit sql.conf to enable the SQL trace file to see whats going on too alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
mdecheser@comcast.net -
Phil Mayers