Storing FreeRADIUS authorization information in databases that support ODBC

Contents

• Introduction
• Using a database that supports ODBC as a FreeRADIUS server back end

Introduction

Easysoft ODBC drivers enable FreeRADIUS to use information stored in ODBC databases to authenticate users. Use FreeRADIUS with our Sybase, Oracle, SQL Server, DB2, and InterBase drivers to access authorization information stored in those databases. Use the Easysoft ODBC-ODBC Bridge to access any other database for which you cannot obtain an ODBC driver on your FreeRADIUS platform.

To access authorization data stored in JDBC databases, use the Easysoft ODBC-JDBC Gateway.

This tutorial shows how to configure the RADIUS (Remote Authentication Dial-In User Service) Server for use with unixODBC and an Easysoft ODBC driver. Although the examples in the tutorial are for the Easysoft Sybase ODBC driver, the process is the same for any other Easysoft ODBC driver installed under the unixODBC Driver Manager.

Using a database that supports ODBC as a FreeRADIUS server back end

1. Create an Easysoft ODBC driver data source in /etc/odbc.ini.

   This is an example data source for the Easysoft Sybase ODBC driver:

   [easysoft_dsn]
   Driver = SYBASE
   Database = sybasedb
   User = dbuser
   Password = dbpass
   Server_Host = dbserver
   Server_Port = 4100
   

   For more information about adding data sources, refer to the documentation for your Easysoft ODBC driver.

2. Use isql to test the new data source. For example:

   cd /usr/local/easysoft/unixODBC/bin
   ./isql -v easysoft_dsn

   At the prompt, enter help to display a list of tables. To exit, press Return in an empty prompt line.

3. Download the FreeRADIUS distribution from the FreeRadius web site.

   We tested Easysoft ODBC drivers with FreeRADIUS 1.1.2.

4. Configure and build FreeRADIUS:

   ./configure --with-unixodbc-dir=/usr/local/easysoft/unixODBC
   make

5. As root, install FreeRADIUS:

   make install

6. To test FreeRADIUS, start the radius server in debug mode:

   /usr/local/sbin/radiusd -X

   If the server outputs "Ready to process requests.", it is running properly. If you do not get this message or you get error messages, refer to the FreeRADIUS FAQ.

   From another session, test that the server is listening:

   radtest myuser mypassword localhost 1 testing123

   Replace myuser and mypassword with a valid UNIX user name and password. The testing123 is the default secret in the FreeRADIUS installation configuration file. If you have changed this, replace testing123 with the new secret key.

   You should get a response similar to:

   Sending Access-Request of id 41 to 127.0.0.1 port 1812
   User-Name = "myuser"
   User-Password = "mypassword"
   NAS-IP-Address = 255.255.255.255
   NAS-Port = 1
   rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=41,
    length=20

7. Configure the unixODBC interface. To do this, create a file named unixodbc.conf. Base the new file on mssql.conf:

   cd /usr/local/etc/RADDB
   cp mssql.conf unixodbc.conf

   If you changed the default config file directory when you configured FreeRADIUS, replace /usr/local/etc/RADDB with your config directory path.

   Edit the following settings in unixodbc.conf:

   Settings	Notes
   driver = "rlm_sql_unixodbc" server = "easysoft_dsn"	Replace easysoft_dsn with the name of your Easysoft ODBC driver data source.
   login = "dbuser" password = "dbpass"	Replace dbuser and dbpass with the database user name and password.
   radius_db = "radius"	The database to use for all the radius tables.

   The rest of the configuration file defines what tables are used for the various radius activities and logging.

8. Edit radiusd.conf to instruct radiusd to use the sql module. Open radiusd.conf in a text editor and search for a line that contains:

   $INCLUDE  ${confdir}/sql.conf

   Replace this line with:

   $INCLUDE  ${confdir}/unixodbc.conf

   Then search for the text:

   #
   # Look in an SQL database. The schema of the database
   # is meant to mirror the "users" file.
   #
   # See "Authorization Queries" in sql.conf
   # sql

   Uncomment out the sql entry:

   #
   #  Look in an SQL database.  The schema of the database
   #  is meant to mirror the "users" file.
   #
   #  See "Authorization Queries" in sql.conf
   sql

9. Use the following SQL to create the required tables in the database. The examples are for Sybase, but can be easily configured for other databases. There are example CREATE statements in the FreeRADIUS doc directory. Note that if you use isql to create the tables, each statement should be joined into a single line.

   CREATE TABLE radacct (
       RadAcctId NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       AcctSessionId VARCHAR(32) DEFAULT( '' ) NOT NULL,
       AcctUniqueId VARCHAR(32) DEFAULT( '' ) NOT NULL,
       UserName VARCHAR(64) DEFAULT( '' ) NOT NULL,
       Realm VARCHAR(64) DEFAULT( '' ) NULL,
       NASIPAddress VARCHAR(15) DEFAULT( '' ) NOT NULL,
       NASPortId VARCHAR(15) DEFAULT( '' ) NULL,
       NASPortType VARCHAR(32) DEFAULT( '' ) NULL,
       AcctStartTime DATETIME DEFAULT( '1900-01-01 00:00:00' ) NOT NULL,
       AcctStopTime DATETIME DEFAULT( '1900-01-01 00:00:00' ) NOT NULL,
       AcctSessionTime INT DEFAULT (NULL) NULL,
       AcctAuthentic VARCHAR(32) DEFAULT (NULL) NULL,
       ConnectInfo_start VARCHAR(32) DEFAULT (NULL) NULL,
       ConnectInfo_stop VARCHAR(32) DEFAULT (NULL) NULL,
       AcctInputOctets INT DEFAULT (NULL) NULL,
       AcctOutputOctets INT DEFAULT (NULL) NULL,
       CalledStationId VARCHAR(30) DEFAULT( '' ) NOT NULL,
       CallingStationId VARCHAR(30) DEFAULT( '' ) NOT NULL,
       AcctTerminateCause VARCHAR(32) DEFAULT( '' ) NOT NULL,
       ServiceType VARCHAR(32) DEFAULT (NULL) NULL,
       FramedProtocol VARCHAR(32) DEFAULT (NULL) NULL,
       FramedIPAddress VARCHAR(15) DEFAULT( '' ) NOT NULL,
       AcctStartDelay INT DEFAULT (NULL) NULL,
       AcctStopDelay INT DEFAULT (NULL) NULL
       )
   
   CREATE TABLE radcheck (
       id NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       UserName VARCHAR(64) DEFAULT ('') NOT NULL,
       Attribute VARCHAR(32) DEFAULT ('') NOT NULL,
       Value VARCHAR(253) DEFAULT ('') NOT NULL,
       op CHAR(2) DEFAULT (NULL) NULL
       )
   
   CREATE TABLE radgroupcheck (
       id NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       GroupName VARCHAR(64) DEFAULT ('') NOT NULL,
       Attribute VARCHAR(32) DEFAULT ('') NOT NULL,
       Value VARCHAR(253) DEFAULT ('') NOT NULL,
       op CHAR(2) DEFAULT (NULL) NULL
       )
   
   CREATE TABLE radgroupreply (
       id NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       GroupName VARCHAR(64) DEFAULT ('') NOT NULL,
       Attribute VARCHAR(32) DEFAULT ('') NOT NULL,
       Value VARCHAR(253) DEFAULT ('') NOT NULL,
       op CHAR(2) DEFAULT (NULL) NULL,
       prio INT DEFAULT (0) NOT NULL
       )
   
   CREATE TABLE radreply (
       id NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       UserName VARCHAR(64) DEFAULT ('') NOT NULL,
       Attribute VARCHAR(32) DEFAULT ('') NOT NULL,
       Value VARCHAR(253) DEFAULT ('') NOT NULL,
       op CHAR(2) DEFAULT (NULL) NULL
       )
   
   CREATE TABLE usergroup (
       id NUMERIC(21,0) IDENTITY NOT NULL PRIMARY KEY,
       UserName VARCHAR(64) DEFAULT ('') NOT NULL,
       GroupName VARCHAR(64) DEFAULT ('') NULL
       )
   

   Note By default, Sybase column names are case sensitive. Some of the default queries in the unixodbc.conf file will therefore need to be edited. Find the string Username and replace with UserName. For example:

   authorize_check_query = "SELECT id,UserName,Attribute,Value,op FROM ${authcheck_table} WHERE Username = '%{SQL-User-Name}' ORDER BY id"

10. Restart the radius server, again using debugging output:

    /usr/local/sbin/radiusd -X

    The server connects to the database, and you'll get lines containing:

    rlm_sql (sql): Attempting to connect rlm_sql_unixodbc #0
    rlm_sql (sql): Connected new DB handle, #0
    rlm_sql (sql): starting 1

11. Create some example data to test the configuration.

    As it's configured now, the previous test will still work as the server will first test by using the database, and then test by using the local UNIX authentication. So to test the database authentication, it's necessary to insert some data.

    The following example will allow us to authenticate the user easyuser with a password of easypass. That user will be created in the group easy.

    First, create the group:

    INSERT INTO
        radgroupcheck ( GroupName, Attribute, Value, op )
    VALUES ( 'easy', 'Auth-Type', 'Local', ':=' )

    then the check entry:

    INSERT INTO
        radcheck( UserName, Attribute, Value, op )
    VALUES( 'easyuser', 'password', 'easypass', '==' )

    then the usergroup table:

    INSERT INTO
        usergroup( UserName, GroupName )
    VALUES( 'easyuser', 'easy' )

12. Test the configuration again:

    radtest easyuser easypass localhost 1 testing123

    The reply should be similar to this:

    Sending Access-Request of id 226 to 127.0.0.1 port 1812
    User-Name = "easyuser"
    User-Password = "easypass"
    NAS-IP-Address = 255.255.255.255
    NAS-Port = 1
    rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=226,
     length=20

• About Easysoft

• Contact us
• About us
• Clients
• Blog
• Careers

• Products

• ODBC drivers
• JDBC drivers
• Bridges and gateways
• In development

• Services

• Consultancy
• Training
• Custom development

• Licensing

• Product licenses
• Prices

• Support

• Support home
• Solution wizard
• Getting Started Guides
• User Guides
• Knowledge Base

• Search

• Easysoft.com
• Documentation
• Knowledge Base

• Popular Resources

• Developer area
• Client applications

• Legal

• Privacy statement

© 1993 - 2024 Easysoft Limited. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other trademarks and registered trademarks appearing on easysoft.com are the property of their respective owners.

• 
• 
•