Authentication Problem

Arran Cudbard-Bell a.cudbardb at
Tue Jan 13 03:09:48 CET 2015

> On 13 Jan 2015, at 06:29, Robert Graham <robert_graham at> wrote:
> Im just about at the end of my rope... I have been searching and reading
> and reading, but cannot get this to work.
> I have a external ms sql database that has three columns only. member_id,
> HashedPassword, and Salt.
> I am trying to authenticate against this database.
> 1st question is: Do I have to use the schema that is inside freeradius,

Yes if you want to use the large amount of logic embedded in the rlm_sql module,
if you want to do arbitrary queries, no.

rlm_sql was written to emulate the users file. The schema fully represents a 
users file in SQL, that's what all the logic in rlm_sql is doing, taking SQL 
data and processing it in a similar way to the users file.

> and if I do not, how do I get FR to auth without using all the tables that
> are preinstalled in the schema?


update {
	Tmp-String-0 := "%{sql:SELECT field FROM table WHERE ...}"

It will only get you the first value of the first column, so you'll need
to do it three times, or concatenate the column values with commas, and
split the string using a regular expression.

> This is what I have but yet I know it is incorrect. I dont want to use any
> groups, it is strictly for someone to logon to our vpn and wireless
> connections. The passwords are stored in SHA-512 with Salt and unicoding.
> Is it even possible or am I wasting my time? I am running 3.0.6 of FR.
> These are the only columns in the database. 

If you'd responded to the comment in my previous email:

"Sounds like this discussion is irrelevant as OP doesn't require SHA2 in v2.2.x
anyway, but I would be curious if they require SSHA2 support, and what the FIPS
guidelines say on salting the hashes, and whether that's vital."

I would have added support for salted SHA512 last weekend, as it is, no the 
server doesn't support salted SHA512.

I included a basic description of the feature in my previous email, Alan or one
of the other development team may add it for you, but I don't have time now.

> recreating the database isnt likely to happen, having almost 19,000 rows
> in the table.

That's a pretty small row set TBH.

> authorize_check_query = "\
> 	SELECT member_id, HashedPassword, Salt \
> 	FROM ${dbo.vw_Main_table} \
> 	WHERE UserName = '%{SQL-User-Name}'"


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

More information about the Freeradius-Users mailing list