
Radius Server Configuration In PostgreSQL


Hi All,

After spending some time on PostgreSQL RADIUS configuration, I came up with the following steps to configure PostgreSQL with RADIUS authentication. Please correct me if I'm wrong anywhere.

Step 1
=====
We downloaded the RADIUS server from the link below and installed it on the local machine.

http://freeradius.org/download.html

Step 2
=====
radiusd.conf
------------------
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 1999 
}
listen {
ipaddr = *
port = 1998 
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no

}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200

reject_delay = 1

status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {

$INCLUDE ${confdir}/modules/

$INCLUDE eap.conf
}
instantiate {
exec

expr

expiration
logintime

}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

Step 3
=====
clients.conf
-----------------
client 127.0.0.1/32 {
ipaddr = 127.0.0.1
netmask = 32
secret = backdoor 
require_message_authenticator = no
shortname = localhost
}

Step 4
=====
users
--------
postgres Cleartext-Password := "postgres"
        Service-Type = Framed-User,
        Framed-IP-Address = 127.0.0.1,
        Framed-IP-Netmask = 255.255.255.0,
        Reply-Message = "Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working"

test    Cleartext-Password := "test"
        Service-Type = Framed-User,
        Framed-IP-Address = 172.0.0.1,
        Framed-IP-Netmask = 255.0.0.0,
        Reply-Message =  "Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working"

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Step 5
======
pam_radius.conf
------------------------
# server[:port] shared_secret      timeout (s)
127.0.0.1:1999 backdoor           1


Step 6
======
Start the RADIUS server
-----------------------------
radiusd -X


Step 7
=====
Testing the RADIUS server
--------------------------
[root@localhost PGBAR]# radtest postgres postgres 127.0.0.1:1999 0 backdoor
Sending Access-Request of id 56 to 127.0.0.1 port 1999
       User-Name = "postgres"
       User-Password = "postgres"
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 0
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1999, id=56, length=112
       Service-Type = Framed-User
       Framed-IP-Address = 127.0.0.1
       Framed-IP-Netmask = 255.255.255.0
       Reply-Message = "Hello, postgres Welcome .. Your Radius Network Authentication is Working"

Step 8
======
pg_hba.conf
-----------------
local        all               all                                    radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999 
# IPv4 local connections:
host        all                all                127.0.0.1/32        radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999       
host        all                all                0.0.0.0/0           radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999   

SELECT pg_reload_conf();

Step 9
======
Testing PostgreSQL Radius Authentication 
-----------------------------------------------------------

[root@localhost bin]# ./psql -h 172.24.35.118 -U postgres -p 5432 postgres
Password for user postgres:
psql (8.4.7.20, server 9.0.8)
WARNING: psql version 8.4, server version 9.0.
        Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=#


Step 10
======
Checking the RADIUS server log output
-----------------------------------------------------------

rad_recv: Access-Request packet from host 127.0.0.1 port 9865, id=122, length=66
       Service-Type = Authenticate-Only
       User-Name = "postgres"
       NAS-Identifier = "postgresql"
       User-Password = "postgres"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "postgres", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry postgres at line 86
[files]         expand: Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working -> Hello, postgres Welcome .. Your Radius Network Authentication is Working
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "postgres"
[pap] Using clear text password "postgres"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 122 to 127.0.0.1 port 9865
       Service-Type = Framed-User
       Framed-IP-Address = 127.0.0.1
       Framed-IP-Netmask = 255.255.255.0
       Reply-Message = "Hello, postgres Welcome .. Your Radius Network Authentication is Working"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.


--Dinesh
