Digest using an external database for the Password

Alan DeKok aland at deployingradius.com
Thu Apr 25 14:46:47 CEST 2013

Mike Brennan wrote:
>     * Use Digest Authentication
>     * The password is stored in an external database (it has a
>       complicated schema) that I am connecting to via sql.conf.
>     * I want to extract the password from this database so that it can
>       be used in Digest Authentication (SIP – using RFC 4590)

  Is the password stored in clear-text?  If so, it can work.  If not,
it's impossible.

> Is it possible to get the Cleartext-Password (or is it the
> User-Password) from my external database through authorize_check_query ?

  Yes.  But you need to edit it.

> If so, how do I assign this attribute to the value returned in my query?

  You create an "Attribute = value", like with everything else in the

> I can’t store any information in my external database as I am not
> allowed to create any tables

  That's fine.

> The following query would return the password – can I use it in
>  authorize_check_query?
> authorize_check_query="SELECT password FROM fusion.cdm_credentials WHERE
> person_id=(SELECT person_id FROM fusion.cdm_person WHERE
> user_name='%{User-Name}');"

  No.  The authorize_check_query needs to return "Attribute = value", as
shown by the default configuration.  You can update your query to return

  Or, don't use "sql" in the "authorize" section, as it expects to see
the default FreeRADIUS schema.  List "sql" in "instantite", and then do:

authorize {
	update control {
		Cleartext-Password := "%{sql: SELECT password FROM fusion ...}"


  i.e. if you have a SELECT which returns a password, you can assign
that directly to the Cleartext-Password attribute yourself.

> Or am I totally off track?


  Alan DeKok.

More information about the Freeradius-Users mailing list