Freeradius, PostgreSQL and One-Time-Password backends

Ivan Kalik tnt at
Fri Jun 12 17:26:24 CEST 2009

> The question was "how does freeradius talk to authentication database".
> What does it send to it and what does it get back?
> I´ll do my best to explain.
> Access-Request packet from NAS/AAA-client contains:
> User-Name
> User-Password (One-Time-Password)
> NAS-IP-Address
> FreeRadius checks with SQL:
> Is user allowed to access through this (NAS-IP-Address)?
> Check User-Name / profile.

OK, that can all be done in radcheck/radgroupcheck perhaps (sql)huntgroups
as well.

> To which server do i proxy authentication
> request?

This is probaly stored in user sql entry? You will probably need to use
unlang switch statement to set Proxy-To-Realm attribute. Create realms for
authentication servers in proxy.conf.

> Access-Request packet sent to authentication server (OTP system).
> Is User-name/User-Password ok?
> Authentication server responds: Access-Accept/Reject.
> If Access-Accept. Reply goes to FreeRadius.

That will all work by default.

> FreeRadius checks with SQL.
> What Reply attributes to send to NAS/AAA-client.
> IETF (attribute 25, Class). etc..

That can be sorted in post-auth or post-proxy section. You can list
sql.authorize there and get reply attributes at that stage.

Ivan Kalik
Kalik Informatika ISP

More information about the Freeradius-Users mailing list