Free Radius and MySQL HowTo Notes
This page is an update on my original notes, hopefully now with things in a more readable order to make life easier. The original notes can be found here. The main notes below are basically unchanged from the update on 10th February 2003. Since then I am now running FreeRadius 1.0.2 with MySQL 4.1.10, having upgraded from FreeRadius 0.8.1 and MySQL 3.23. In summary: the only thing of note I needed to do, aside from a standard compile of FreeRadius and a standard rpm upgrade for MySQL, was to copy hints, huntgroups and all the dictionary files (dictionary*) from the FreeRadius 1.0.2 source raddb directory to my live one and replace the old ones. That seemed to do the trick, at least for what I need.

Introduction

In September 2001 I started playing around with FreeRadius (then at version 0.2!) and storing user authorisation details in a MySQL database. I had previously been using a proprietary RADIUS solution and wanted rid of it. Lots of people seemed to be posting to the freeradius-users list that they were trying to do the same and found it tricky due to the lack of documentation. Thus, to help anyone out there who needed it, I wrote down all the snippets of info, tips I'd received, and steps I'd used to make it work. This is the result. This document assumes that you are familiar with:
*nix system admin and networking
What RADIUS is and should do
MySQL administration
The basics of how to compile and install open source software.
I'm not going to describe any of the above stuff, especially the latter as I'm far from an expert on it. This document focuses on getting FreeRadius running with MySQL. It does NOT describe a basic FreeRadius installation in detail (e.g. getting it up and running with a 'users' text file or other FreeRadius configurations), nor does it cover using multiple authentication methods, fall-through or any of that stuff. Just plain-old-MySQL-only. If you don't know about RADIUS itself, go do some background reading... the O'Reilly book ('RADIUS') is pretty good and covers FreeRadius too.

Please note: This isn't official documentation. It's not even UNofficial documentation. It's not documentation of any type by any stretch of the imagination. So far, it's just my own personal notes, written on the fly. Little editing, little detail. You take your chances. I will try to improve when I can, or when I have additional information - don't hold your breath though, as life can get busy around here. The notes focus on the SQL elements, NOT generally on getting FreeRadius installed and configured and operational with text files (maybe later!) although there is a little bit on that.

Also note: I'm not a programmer - editing low-level code and compiling stuff is not something I'm particularly familiar with. Ask me to read C code and I'll probably panic. My background and experience on Linux (and other stuff) puts me in the system admin/networking bracket (I'm a network builder and web app developer by day), so please bear that in mind here. Feel free to mail me, especially with suggestions and any info useful to add here, but please don't ask me 'how do I...

www.frontios.com/freeradius.html
05/12/2011
System

[Paragraph lost in extraction; surviving fragments: 3640, FreeRadius 0.8.1, NAS, 7.0, FreeRadius 0.2, MySQL 3.23.42, 7.1.]
Before You Start

[Paragraph lost in extraction; surviving fragments: MySQL, PPP, DSL, FreeRadius, NAS, RADIUS, IOS.] The IOS configuration on the NAS looks like this:

aaa new-model
aaa authentication ppp default if-needed group radius local
aaa authorization network default group radius
aaa accounting update newinfo
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
radius-server host a.b.c.d auth-port 1645 acct-port 1646
radius-server host e.f.g.h auth-port 1645 acct-port 1646
radius-server key YOUR-RADIUS-KEY
[Paragraph lost in extraction; surviving fragments: RADIUS, SURE, IP, YOUR-RADIUS-KEY, MySQL, CVS.] YOUR-RADIUS-KEY is the shared secret between the NAS and the server; the same value has to be configured for this NAS in clients.conf on the FreeRadius side, or every request from it will be silently dropped.
Install FreeRadius from source in the usual way: untar the tarball, cd into the source directory, then ./configure, make and make install. [The exact command lines and the paragraph after them are lost in extraction; that paragraph listed four numbered steps, each an 'Edit /...' of a raddb file, the last one concerning the NAS entry, then said to fire up radiusd in debug mode and READ THE DEBUG.] Run radiusd in debug mode (radiusd -X) and test with radtest, for example:

radtest fred wilma radius.domain.com 1645 <shared-secret>

Here 'fred'/'wilma' are the test user and password, the fourth argument is the NAS-Port value radtest puts into the request (which is why NAS-Port = 1645 shows up in the output below; it is not the server's port), and the last argument is the shared secret for this client from clients.conf.
And you should get back something like:

Sending Access-Request of id 226 to 127.0.0.1:1645
        User-Name = 'fred'
        User-Password = '<obfuscated bytes, as printed by radtest>'
        NAS-IP-Address = radius.domain.com
        NAS-Port = 1645
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=226, length=56
        Framed-IP-Address = 80.84.161.1
        Framed-Protocol = PPP
        Service-Type = Framed-User
        Framed-Compression = Van-Jacobson-TCP-IP
        Framed-IP-Netmask = 255.255.255.255

You should get an 'Access Accept' response. If you don't, do not pass Go, do not collect 200. Go back and check everything. Read the docs, READ THE DEBUG!!
Personally, I used NTradPing (downloadable from MasterSoft) on a desktop Windows PC to send test packets towards the radius server - very handy tool. If you do this, or test from any other machine, remember your PC (or other machine) needs to be in your NAS list in clients.conf too, with the same shared secret you give the tool! OK, so at this point you should have text-file authentication working in FreeRadius...
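The User-Password in the radtest output above is not on the wire in clear text: RFC 2865 hides it with MD5 over the shared secret and the Request Authenticator, and the same secret is what lets radtest (or NTradPing) check that the Access-Accept really came from your server. The round trip below is an added example, not code from this page or from FreeRadius; it assumes a shared secret of 'mysecret', a stored password of 'wilma' standing in for the radcheck lookup, and a fixed NAS address of 127.0.0.1.

```python
"""Access-Request / Access-Accept round trip as in the radtest output above.
Added example, not this page's or FreeRadius's code.  Assumed: shared secret
'mysecret', stored password 'wilma' standing in for the radcheck lookup."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
SERVICE_TYPE, FRAMED_PROTOCOL, FRAMED_IP_ADDRESS = 6, 7, 8


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block); the Request Authenticator
    serves as 'previous block' for the first one."""
    assert len(req_auth) == 16 and len(password) <= 128
    rounded = max(16, ((len(password) + 15) // 16) * 16)
    padded = password.ljust(rounded, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; only a server holding the same secret can do it.
    Trailing NUL padding is stripped, so passwords ending in NUL are not representable."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, _md5(secret, prev))), block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Type (1 octet), Length (1 octet, includes this 2-octet header), Value.
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body: bytes):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs


def build_request(ident: int, req_auth: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body


def build_response(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + _md5(header, req_auth, body, secret) + body


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client side: the reply is bound to this request's authenticator and to the
    secret, so a reply from a host with the wrong secret (or a replay) fails here."""
    length = struct.unpack("!H", packet[2:4])[0]
    return packet[4:20] == _md5(packet[:4], req_auth, packet[20:length], secret)


def exchange(client_secret: bytes, user: bytes, password: bytes,
             stored_password: bytes, server_secret: bytes) -> dict:
    """One round trip.  The server's radcheck lookup is stood in for by
    stored_password; a secret mismatch models a wrong clients.conf entry."""
    ident, req_auth = 226, os.urandom(16)
    request = build_request(ident, req_auth, [
        (USER_NAME, user),
        (USER_PASSWORD, hide_password(password, client_secret, req_auth)),
        (NAS_IP_ADDRESS, bytes([127, 0, 0, 1])),
        (NAS_PORT, struct.pack("!I", 1645)),
    ])
    # --- server side: unhide with *its* secret and compare against radcheck ---
    attrs = dict(decode_attrs(request[20:]))
    if unhide_password(attrs[USER_PASSWORD], server_secret, request[4:20]) == stored_password:
        reply = build_response(ACCESS_ACCEPT, ident, request[4:20], [
            (FRAMED_IP_ADDRESS, bytes([80, 84, 161, 1])),
            (SERVICE_TYPE, struct.pack("!I", 2)),     # Framed-User
            (FRAMED_PROTOCOL, struct.pack("!I", 1)),  # PPP
        ], server_secret)
    else:
        reply = build_response(ACCESS_REJECT, ident, request[4:20], [], server_secret)
    # --- client side ---
    return {
        "code": reply[0],
        "reply_authentic": verify_response(reply, req_auth, client_secret),
        "password_visible_on_wire": password in request,
        "reply_attrs": decode_attrs(reply[20:]),
    }


if __name__ == "__main__":
    print(exchange(b"mysecret", b"fred", b"wilma", b"wilma", b"mysecret"))
```

Run it with a mismatched server_secret to see both halves of the clients.conf failure: the server unhides garbage and rejects, and the client cannot validate the reject either. Note that the hiding is only MD5-XOR keyed by the shared secret; anyone who can sniff the wire and guess the secret recovers every password, which is the reason to keep the NAS-to-server path private and the secret long.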
Setting up the RADIUS database in MySQL

First, you should create a new empty 'radius' database in MySQL and a login user with permissions to that database. Grant that user rights on the 'radius' database only, rather than putting the MySQL root account into sql.conf. You could of course call the database and the user anything you like, but we'll stick to 'radius' for both for the purposes of this discussion.

Next up, you need to create the schema for the database. There is a file which describes this and is actually a SQL script file. It can be found at src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql under the directory where you untar'd FreeRadius. This is the bit that, at least at the time I originally wrote these notes, wasn't really documented anywhere and was the thing most people seemed to be asking about. How you run that script is up to you and how you like to admin MySQL. The easiest way is to:

mysql -uroot -prootpass radius < db_mysql.sql

...where 'root' and 'rootpass' are your MySQL root name and password respectively (a password given on the command line like this is visible to other users in the process list; 'mysql -uroot -p' prompts for it instead). I happened to run it using MacSQL 2.0 on my Powerbook G4/OS X machine (Cool...). You could do it on the server, or use a MySQL admin tool from a Windows PC (e.g. MySQL CC, SQLion, dbtools etc) or whatever. Now you have the database running, albeit empty.
Configuring FreeRadius to use MySQL

Edit /usr/local/etc/raddb/sql.conf and enter the server, name and password details to connect to your MySQL server and the RADIUS database. The database and table names should be left at the defaults if you used the default schema. For testing/debug purposes, switch on sqltrace if you wish; FreeRadius will dump all SQL commands to the debug output with this on. Turn it off again once things work: that trace (user names, NAS details, accounting rows) is not something to leave in a log file.

If you're stripping all realm names (i.e. you want user joe@domain to authenticate as just 'joe'), then in sql.conf, under the 'query config: username' section, you MAY need to adjust the line(s) referring to sql_user_name. I needed to do this originally because we want to dump all realms, but you probably won't need to do this with the latest FreeRadius. For example, in our case I needed to uncomment the line:

sql_user_name = '%{Stripped-User-Name}'

...and comment out the following line referring to just User-Name. If you want to see what's happening here, switch on all the logging options in radiusd.conf and run radiusd in debug mode (-X): you'll see "user@domain" being passed to MySQL when using User-Name, but just "user" when using Stripped-User-Name. Using the latter, realms worked for me (basically, I strip everything, as all user names are unique on the server anyway). Of course, set all your other SQL options as needed (database login details, etc).

Edit /usr/local/etc/raddb/radiusd.conf and add a line saying 'sql' to the authorize{ section (which is towards the end of the file). The best place to put it is just before the 'files' entry. Indeed, if you'll just be using MySQL, and not falling back to text files, you could comment out or lose the 'files' entry altogether. Also add a line saying 'sql' to the accounting{ section, between 'unix' and 'radutmp'. FreeRadius will now do accounting to MySQL as well. The end of your radiusd.conf should then look something like this:

authorize {
        pre-process
        chap
        mschap
        #counter
        #attr_filter
        #eap
        suffix
        sql
        #files
        #etc_smbpasswd
}
authenticate {
        authtype PAP {
                pap
        }
        authtype CHAP {
                chap
        }
        authtype MS-CHAP {
                mschap
        }
        #pam
        #unix
        #authtype LDAP {
        #       ldap
        #}
}
accounting {
        acct_unique
        detail
        #counter
        unix
        sql
        radutmp
        #sradutmp
}
Now populate the database with some users to test against. In usergroup, put entries matching a user account name to a group name. In radcheck, put an entry for each user account name with a 'Password' attribute with a value of their password (this is the password in clear text; see the Crypt-Password snippet at the end if you don't want that sitting in the database). In radreply, create entries for each user-specific radius reply attribute against their username. In radgroupreply, create attributes to be returned to all group members.

Here's a dump of the tables from the 'radius' database, for clarity. This example includes three users, one with a dynamically assigned IP (fredf), one assigned a static IP (barney), and one representing a dial-up router (dialrouter):

mysql> select * from usergroup;
+----+------------+-----------+
| id | UserName   | GroupName |
+----+------------+-----------+
|  1 | fredf      | dynamic   |
|  2 | barney     | static    |
|  2 | dialrouter | netdial   |
+----+------------+-----------+
3 rows in set (0.00 sec)

mysql> select * from radcheck;
+----+------------+-----------+--------+----+
| id | UserName   | Attribute | Value  | Op |
+----+------------+-----------+--------+----+
|  1 | fredf      | Password  | wilma  | == |
|  2 | barney     | Password  | betty  | == |
|  2 | dialrouter | Password  | dialup | == |
+----+------------+-----------+--------+----+
3 rows in set (0.02 sec)

mysql> select * from radgroupcheck;
+----+-----------+-----------+-------+----+
| id | GroupName | Attribute | Value | Op |
+----+-----------+-----------+-------+----+
|  1 | dynamic   | Auth-Type | Local | := |
|  2 | static    | Auth-Type | Local | := |
|  3 | netdial   | Auth-Type | Local | := |
+----+-----------+-----------+-------+----+
3 rows in set (0.01 sec)

mysql> select * from radreply;
+----+------------+-------------------+-------------------------+----+
| id | UserName   | Attribute         | Value                   | Op |
+----+------------+-------------------+-------------------------+----+
|  1 | barney     | Framed-IP-Address | 1.2.3.4                 | := |
|  2 | dialrouter | Framed-IP-Address | 2.3.4.1                 | := |
|  3 | dialrouter | Framed-IP-Netmask | 255.255.255.255         | := |
|  4 | dialrouter | Framed-Routing    | Broadcast-Listen        | := |
|  5 | dialrouter | Framed-Route      | 2.3.4.0 255.255.255.248 | := |
|  6 | dialrouter | Idle-Timeout      | 900                     | := |
+----+------------+-------------------+-------------------------+----+
6 rows in set (0.01 sec)

mysql> select * from radgroupreply;
+----+-----------+--------------------+---------------------+----+
| id | GroupName | Attribute          | Value               | Op |
+----+-----------+--------------------+---------------------+----+
| 34 | dynamic   | Framed-Compression | Van-Jacobson-TCP-IP | := |
| 33 | dynamic   | Framed-Protocol    | PPP                 | := |
| 32 | dynamic   | Service-Type       | Framed-User         | := |
| 35 | dynamic   | Framed-MTU         | 1500                | := |
| 37 | static    | Framed-Protocol    | PPP                 | := |
| 38 | static    | Service-Type       | Framed-User         | := |
| 39 | static    | Framed-Compression | Van-Jacobson-TCP-IP | := |
| 41 | netdial   | Service-Type       | Framed-User         | := |
| 42 | netdial   | Framed-Protocol    | PPP                 | := |
+----+-----------+--------------------+---------------------+----+
12 rows in set (0.01 sec)

mysql>
In this example, 'barney' (who is a single user dialup) only needs an attribute for IP address in radreply so he gets his static IP - he does not need any other attributes here as all the others get picked up from the 'static' group entries in radgroupreply. 'fredf' needs no entries in radreply as he is dynamically assigned an IP via the NAS, so he'll just get the 'dynamic' group entries from radgroupreply ONLY. 'dialrouter' is a dial-up router, so as well as needing a static IP it needs route and mask attributes (etc) to be returned. Hence the additional entries. 'dialrouter' also has an idle-timeout attribute so the router gets kicked if it's not doing anything; you could add this for other users too if you wanted to. Of course, if you feel like you need to add any other attributes, that's kind of up to you!

Note the operator ('op') values used in the various tables. The password check attribute should use ==. Most return attributes should have a := operator, although if you're returning multiple attributes of the same type (e.g. multiple Cisco-AVPair's) you should use the += operator instead, otherwise only one of them will be returned. Read the docs for more details on operators.

If you're stripping all domain name elements from the user names via realms, remember NOT to include the domain name elements in the usernames you put in the MySQL tables - they should get stripped BEFORE the database is checked, so name@domain will NEVER match if you're realm stripping (assuming you follow point 2 above): you should just have 'name' as a user in the database. Once it's working without, and if you want more complex realm handling, go back to work out not stripping (and keeping name@domain in the db) if you really want to.

Auth-Type Note, Feb 2003: At the time of writing (i.e. up to and including FreeRadius 0.8.1), FreeRadius will default to an Auth-Type of 'local' if one is not found. This means that you do not need to include this (i.e. the radgroupcheck table above could actually be empty, and indeed it is on my own box), but you probably should include it for clarity and for future-proofing in case FreeRadius changes. Please note that a previous version of this page indicated that Auth-Type should be included in the rad(group)reply tables. It appears that this is incorrect and that Auth-Type should be in the rad(group)check tables. Other than Auth-Type, for simple setups, you probably need nothing in radgroupcheck - unless you want to restrict users to dialing certain NAS'es, etc etc.
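To make the table semantics above concrete, here is an added example (not rlm_sql's code, and not from this page) that loads the rows from the dumps above into an in-memory SQLite copy of a cut-down schema and resolves a request the way the text describes: realm stripped before the lookup, Password compared with ==, the user's radreply rows applied first, then the radgroupreply rows of each group the user is in, with := replacing and += appending. Two constructed users, 'avgood' and 'avbad', carry two Cisco-AVPair rows each to show the += versus := point; the SQLite schema, the control-item handling and the rejection of unknown users are this model's own simplifications.

```python
"""Model of how the usergroup/radcheck/radreply/radgroupcheck/radgroupreply
tables become a RADIUS reply.  Added example, not FreeRadius code: the schema
is a cut-down db_mysql.sql in SQLite, and the operator rules are a simplified
reading of the docs (== compares, := replaces, += appends, = adds if absent)."""
import sqlite3

SCHEMA = """
CREATE TABLE usergroup     (id INTEGER PRIMARY KEY, UserName TEXT, GroupName TEXT);
CREATE TABLE radcheck      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radreply      (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# Rows from the table dumps on this page, plus two constructed users
# ('avgood', 'avbad') that show the += versus := point for Cisco-AVPair.
USERGROUP = [("fredf", "dynamic"), ("barney", "static"), ("dialrouter", "netdial"),
             ("avgood", "dynamic"), ("avbad", "dynamic")]
RADCHECK = [("fredf", "Password", "==", "wilma"), ("barney", "Password", "==", "betty"),
            ("dialrouter", "Password", "==", "dialup"),   # clear text, as on the page
            ("avgood", "Password", "==", "x"), ("avbad", "Password", "==", "x")]
RADREPLY = [("barney", "Framed-IP-Address", ":=", "1.2.3.4"),
            ("dialrouter", "Framed-IP-Address", ":=", "2.3.4.1"),
            ("dialrouter", "Framed-IP-Netmask", ":=", "255.255.255.255"),
            ("dialrouter", "Framed-Routing", ":=", "Broadcast-Listen"),
            ("dialrouter", "Framed-Route", ":=", "2.3.4.0 255.255.255.248"),
            ("dialrouter", "Idle-Timeout", ":=", "900"),
            ("avgood", "Cisco-AVPair", "+=", "ip:inacl#1=permit tcp any any eq 22"),
            ("avgood", "Cisco-AVPair", "+=", "ip:inacl#2=deny ip any any"),
            ("avbad", "Cisco-AVPair", ":=", "ip:inacl#1=permit tcp any any eq 22"),
            ("avbad", "Cisco-AVPair", ":=", "ip:inacl#2=deny ip any any")]
RADGROUPCHECK = [(g, "Auth-Type", ":=", "Local") for g in ("dynamic", "static", "netdial")]
RADGROUPREPLY = [("dynamic", "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
                 ("dynamic", "Framed-Protocol", ":=", "PPP"),
                 ("dynamic", "Service-Type", ":=", "Framed-User"),
                 ("dynamic", "Framed-MTU", ":=", "1500"),
                 ("static", "Framed-Protocol", ":=", "PPP"),
                 ("static", "Service-Type", ":=", "Framed-User"),
                 ("static", "Framed-Compression", ":=", "Van-Jacobson-TCP-IP"),
                 ("netdial", "Service-Type", ":=", "Framed-User"),
                 ("netdial", "Framed-Protocol", ":=", "PPP")]


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO usergroup (UserName, GroupName) VALUES (?, ?)", USERGROUP)
    for table, rows in (("radcheck", RADCHECK), ("radreply", RADREPLY)):
        db.executemany(f"INSERT INTO {table} (UserName, Attribute, op, Value) VALUES (?, ?, ?, ?)", rows)
    for table, rows in (("radgroupcheck", RADGROUPCHECK), ("radgroupreply", RADGROUPREPLY)):
        db.executemany(f"INSERT INTO {table} (GroupName, Attribute, op, Value) VALUES (?, ?, ?, ?)", rows)
    return db


def strip_realm(user_name: str) -> str:
    # sql_user_name = '%{Stripped-User-Name}': the realm goes BEFORE the lookup,
    # so 'fredf@domain' is looked up as 'fredf' and a 'fredf@domain' row never matches.
    return user_name.split("@", 1)[0]


def check_items_pass(rows, request: dict) -> bool:
    # Only comparison operators are tested against the request; := and = rows
    # (e.g. Auth-Type := Local) are control items, not comparisons.
    for attr, op, value in rows:
        if op == "==" and request.get(attr) != value:
            return False
        if op == "!=" and request.get(attr) == value:
            return False
    return True


def apply_reply(reply: list, rows) -> None:
    for attr, op, value in rows:
        if op == ":=":                                   # replace: only one survives
            reply[:] = [(a, v) for a, v in reply if a != attr]
            reply.append((attr, value))
        elif op == "+=":                                 # append: all of them survive
            reply.append((attr, value))
        elif op == "=" and all(a != attr for a, _ in reply):
            reply.append((attr, value))


def authorize(db: sqlite3.Connection, request: dict):
    """Return the reply attributes as (Attribute, Value) pairs, or None for a reject."""
    user = strip_realm(request["User-Name"])
    req = dict(request, Password=request.get("User-Password"))
    checks = db.execute("SELECT Attribute, op, Value FROM radcheck WHERE UserName=? ORDER BY id",
                        (user,)).fetchall()
    # No stored password row means reject, never an accept with nothing checked.
    if not any(a == "Password" for a, _, _ in checks) or not check_items_pass(checks, req):
        return None
    reply: list = []
    apply_reply(reply, db.execute("SELECT Attribute, op, Value FROM radreply WHERE UserName=? ORDER BY id",
                                  (user,)).fetchall())
    groups = db.execute("SELECT GroupName FROM usergroup WHERE UserName=? ORDER BY id", (user,)).fetchall()
    for (group,) in groups:
        gcheck = db.execute("SELECT Attribute, op, Value FROM radgroupcheck WHERE GroupName=? ORDER BY id",
                            (group,)).fetchall()
        if check_items_pass(gcheck, req):
            apply_reply(reply, db.execute(
                "SELECT Attribute, op, Value FROM radgroupreply WHERE GroupName=? ORDER BY id",
                (group,)).fetchall())
    return reply


if __name__ == "__main__":
    db = open_db()
    for name, pw in (("barney@domain", "betty"), ("fredf", "wilma"), ("avbad", "x"), ("fredf", "nope")):
        print(name, "->", authorize(db, {"User-Name": name, "User-Password": pw}))
```

Running it shows 'avbad' coming back with a single Cisco-AVPair while 'avgood' keeps both, and 'barney@domain' resolving to barney's static address because the realm is stripped before radcheck is consulted.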
Using FreeRadius and MySQL

Fire up radiusd again in debug mode. The debug output should show it connecting to the MySQL database. Use radtest (or NTradPing) to test again - the user should authenticate and the debug output should show FreeRadius talking to MySQL. You're done!
Additional Snippets:

To use encrypted passwords in radcheck use the attribute 'Crypt-Password', instead of 'Password', and just put the encrypted password in the value field (i.e. a UNIX crypt'd password). This keeps clear-text passwords out of the database, at the cost that only PAP-style checks work against it: CHAP and MS-CHAP need the clear-text password on the server side.

To get NTradPing to send test accounting (e.g. stop) packets it needs arguments, namely Acct-Session-Time. Put something like 'Acct-Session-Time=99999' into the 'Additional RADIUS Attributes' box when sending stops. Thanks to JL for the tip.

If you have a Cisco NAS, set the cisco-vsa-hack.

Running a backup FreeRadius server and need to replicate the RADIUS database to it? I followed Colin Bloch's basic instructions at http://www.ls-l.net/mysql/ and got replication set up between two MySQL servers. Real easy. Read the MySQL docs on replication for more details. Note that MySQL replication is one-way-only.

On the subject of backup servers. If you want to run TWO MySQL servers and have FreeRadius fail over between them, you'll need to do something like this: duplicate your sql.conf and edit the second copy to reflect connecting to your backup server; then name the files something like sql1.conf and sql2.conf; in radiusd.conf change and duplicate the include line for sql.conf to include sql1.conf and sql2.conf instead; in the 'authorize' section of radiusd.conf change the 'sql' entry to a 'group' one, like this:

group {
        sql1 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
        }
        sql2 {
                fail = 1
                notfound = return
                noop = 2
                ok = return
                updated = 3
                reject = return
                userlock = 4
                invalid = 5
                handled = 6
        }
}

Note that if FreeRadius fails over to the second MySQL server and tries to update the accounting table (radacct), nasty things might possibly happen to your replication setup and database integrity, as the first MySQL server won't have got the updates: replication is one-way, so accounting rows written on the backup never flow back to the master and the two copies drift apart; once the master is back they have to be reconciled by hand.

-- end--