Suppress radpostauth password logging with unlang variable reference

Sam Hutchings samhutchings1415 at gmail.com
Thu May 14 20:27:25 UTC 2026 

Hi All,

PostgreSQL datastore is logging passwords in plain text in the
'radpostauth' table for accepted and rejected requests. This is
occurring even when 'auth_goodpass' and 'auth_badpass' are set to 'no'
- which this looks to be only relevant to logging to radius.log.

I could comment out '-sql' in the 'post-auth' section of the server or
amend the queries.conf for sql to remove the password. However, for
flexibility/simplicity I have looked into using unlang to suppress the
attribute.

I would like to use the variable reference from radiusd.conf for
auth_goodpass/auth_badpass to control whether the User-Password is
suppressed ideally for efficiency.

The unlang is as follows in the 'post-auth' section of the default server:

     if (${log.auth_goodpass}) {
        -sql
    }
    else {
        suppress {
            User-Password
        }
        -sql
    }

This throws the below error:

/etc/freeradius/sites-enabled/default[919]: Parse error in condition
/etc/freeradius/sites-enabled/default[919]: (${log.auth_goodpass}) {
/etc/freeradius/sites-enabled/default[919]:  ^ Expected a module return code

I have then attempted to set a variable called 'auth_good' as 'false'
in the default server and referenced it as ${.auth_good} instead but
encountered the same issue.

If anyone has any advice on how to achieve this or where I am going
wrong, it would be much appreciated.

Kind regards,
Sam

FreeRADIUS Version 3.2.8
Copyright (C) 1999-2025 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

FreeRADIUS is developed, maintained, and supported by InkBridge Networks.
For commercial support, please email sales at inkbridgenetworks.com
https://inkbridgenetworks.com/
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius/dictionary
including dictionary file /usr/share/freeradius/dictionary.dhcp
including dictionary file /usr/share/freeradius/dictionary.vqp
including dictionary file /etc/freeradius/dictionary
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/mods-enabled/
including configuration file /etc/freeradius/mods-enabled/always
including configuration file /etc/freeradius/mods-enabled/attr_filter
including configuration file /etc/freeradius/mods-enabled/chap
including configuration file /etc/freeradius/mods-enabled/date
including configuration file /etc/freeradius/mods-enabled/detail
including configuration file /etc/freeradius/mods-enabled/detail.log
including configuration file /etc/freeradius/mods-enabled/digest
including configuration file /etc/freeradius/mods-enabled/dynamic_clients
including configuration file /etc/freeradius/mods-enabled/eap
including configuration file /etc/freeradius/mods-enabled/echo
including configuration file /etc/freeradius/mods-enabled/exec
including configuration file /etc/freeradius/mods-enabled/expiration
including configuration file /etc/freeradius/mods-enabled/expr
including configuration file /etc/freeradius/mods-enabled/files
including configuration file /etc/freeradius/mods-enabled/linelog
including configuration file /etc/freeradius/mods-enabled/logintime
including configuration file /etc/freeradius/mods-enabled/mschap
including configuration file /etc/freeradius/mods-enabled/ntlm_auth
including configuration file /etc/freeradius/mods-enabled/pap
including configuration file /etc/freeradius/mods-enabled/passwd
including configuration file /etc/freeradius/mods-enabled/preprocess
including configuration file /etc/freeradius/mods-enabled/proxy_rate_limit
including configuration file /etc/freeradius/mods-enabled/radutmp
including configuration file /etc/freeradius/mods-enabled/realm
including configuration file /etc/freeradius/mods-enabled/replicate
including configuration file /etc/freeradius/mods-enabled/soh
including configuration file /etc/freeradius/mods-enabled/sradutmp
including configuration file /etc/freeradius/mods-enabled/totp
including configuration file /etc/freeradius/mods-enabled/unix
including configuration file /etc/freeradius/mods-enabled/unpack
including configuration file /etc/freeradius/mods-enabled/utf8
including configuration file /etc/freeradius/mods-enabled/sql
including configuration file
/etc/freeradius/mods-config/sql/main/postgresql/queries.conf
including files in directory /etc/freeradius/policy.d/
including configuration file /etc/freeradius/policy.d/abfab-tr
including configuration file /etc/freeradius/policy.d/accounting
including configuration file /etc/freeradius/policy.d/canonicalization
including configuration file /etc/freeradius/policy.d/control
including configuration file /etc/freeradius/policy.d/cui
including configuration file /etc/freeradius/policy.d/debug
including configuration file /etc/freeradius/policy.d/dhcp
including configuration file /etc/freeradius/policy.d/eap
including configuration file /etc/freeradius/policy.d/filter
including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids
including configuration file /etc/freeradius/policy.d/operator-name
including configuration file /etc/freeradius/policy.d/rfc7542
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
/etc/freeradius/sites-enabled/default[919]: Parse error in condition
/etc/freeradius/sites-enabled/default[919]: (${.auth_good}) {
/etc/freeradius/sites-enabled/default[919]:  ^ Expected a module return code
Errors reading or parsing /etc/freeradius/radiusd.conf

More information about the Freeradius-Users mailing list