
Radius Server Configuration In PostgreSQL


Hi All,

After spending some time on PostgreSQL RADIUS configuration, I came up with the following steps to configure PostgreSQL with RADIUS authentication. Please correct me if I'm wrong anywhere.

Step 1
=====
We downloaded the RADIUS server from the link below and installed it on the local machine.

http://freeradius.org/download.html

Step 2
=====
radiusd.conf
------------------
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/${name}.pid
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
listen {
type = auth
ipaddr = *
port = 1999 
}
listen {
ipaddr = *
port = 1998 
type = acct
}
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log {
destination = files
file = ${logdir}/radius.log
syslog_facility = daemon
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no

}
checkrad = ${sbindir}/checkrad
security {
max_attributes = 200

reject_delay = 1

status_server = yes
}
proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
modules {

$INCLUDE ${confdir}/modules/

$INCLUDE eap.conf
}
instantiate {
exec

expr

expiration
logintime

}
$INCLUDE policy.conf
$INCLUDE sites-enabled/

Step 3
=====
clients.conf
-----------------
client 127.0.0.1/32 {
ipaddr = 127.0.0.1
netmask = 32
secret = backdoor 
require_message_authenticator = no
shortname = localhost
}

Step 4
=====
users
--------
postgres Cleartext-Password := "postgres"
        Service-Type = Framed-User,
        Framed-IP-Address = 127.0.0.1,
        Framed-IP-Netmask = 255.255.255.0,
        Reply-Message = "Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working"

test    Cleartext-Password := "test"
        Service-Type = Framed-User,
        Framed-IP-Address = 172.0.0.1,
        Framed-IP-Netmask = 255.0.0.0,
        Reply-Message = "Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working"

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

Step 5
======
pam_radius.conf
------------------------
# server[:port] shared_secret      timeout (s)
127.0.0.1:1999 backdoor           1


Step 6
======
Start the RADIUS server
-----------------------------
radiusd -X


Step 7
=====
Testing the RADIUS server
--------------------------
[root@localhost PGBAR]# radtest postgres postgres 127.0.0.1:1999 0 backdoor
Sending Access-Request of id 56 to 127.0.0.1 port 1999
       User-Name = "postgres"
       User-Password = "postgres"
       NAS-IP-Address = 127.0.0.1
       NAS-Port = 0
       Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1999, id=56, length=112
       Service-Type = Framed-User
       Framed-IP-Address = 127.0.0.1
       Framed-IP-Netmask = 255.255.255.0
       Reply-Message = "Hello, postgres Welcome .. Your Radius Network Authentication is Working"

Step 8
======
pg_hba.conf
-----------------
local        all               all                                    radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999 
# IPv4 local connections:
host        all                all                127.0.0.1/32        radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999       
host        all                all                0.0.0.0/0           radius  radiusserver=127.0.0.1   radiussecret=backdoor radiusport=1999   

SELECT pg_reload_conf();

Step 9
======
Testing PostgreSQL Radius Authentication 
-----------------------------------------------------------

[root@localhost bin]# ./psql -h 172.24.35.118 -U postgres -p 5432 postgres
Password for user postgres:
psql (8.4.7.20, server 9.0.8)
WARNING: psql version 8.4, server version 9.0.
        Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=#


Step 10
======
Checking the RADIUS server log output.

rad_recv: Access-Request packet from host 127.0.0.1 port 9865, id=122, length=66
       Service-Type = Authenticate-Only
       User-Name = "postgres"
       NAS-Identifier = "postgresql"
       User-Password = "postgres"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "postgres", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry postgres at line 86
[files]         expand: Hello, %{User-Name} Welcome .. Your Radius Network Authentication is Working -> Hello, postgres Welcome .. Your Radius Network Authentication is Working
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "postgres"
[pap] Using clear text password "postgres"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 122 to 127.0.0.1 port 9865
       Service-Type = Framed-User
       Framed-IP-Address = 127.0.0.1
       Framed-IP-Netmask = 255.255.255.0
       Reply-Message = "Hello, postgres Welcome .. Your Radius Network Authentication is Working"
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
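
The Access-Request in the Step 10 log can be rebuilt offline to see what the shared secret actually protects. This is an added example, not part of the original post and not PostgreSQL or FreeRADIUS code: it applies the RFC 2865 User-Password hiding and the Response Authenticator check, using the post's secret and the attribute values from the log. The Request Authenticator and the sample reply are constructed, and all function names are illustrative.

```python
import hashlib
import hmac
import struct

SECRET = b"backdoor"         # shared secret used in clients.conf and pg_hba.conf on this page
REQ_AUTH = bytes(range(16))  # constructed Request Authenticator; real clients use random bytes

def _chain(data, secret, authenticator, decrypt):
    # RFC 2865 section 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res  # the chain always runs over ciphertext blocks
    return out

def hide_password(password, secret, authenticator):
    size = max(16, -(-len(password) // 16) * 16)  # NUL-pad to a multiple of 16 octets
    return _chain(password.ljust(size, b"\x00"), secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):
    return _chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def access_request(packet_id, user, password, secret, authenticator):
    # Attributes in the order the Step 10 log prints them.
    attrs = (attr(6, struct.pack("!I", 8))        # Service-Type = Authenticate-Only
             + attr(1, user)                      # User-Name
             + attr(32, b"postgresql")            # NAS-Identifier
             + attr(2, hide_password(password, secret, authenticator)))  # User-Password
    return struct.pack("!BBH", 1, packet_id, 20 + len(attrs)) + authenticator + attrs

def sign_reply(code, packet_id, attrs, request_auth, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, packet_id, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def verify_reply(reply, request_auth, secret):
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return len(reply) >= 20 and hmac.compare_digest(reply[4:20], expected)

if __name__ == "__main__":
    pkt = access_request(122, b"postgres", b"postgres", SECRET, REQ_AUTH)
    print(len(pkt), reveal_password(pkt[-16:], SECRET, REQ_AUTH))
```

The rebuilt request is 66 bytes, matching `length=66` in the log, and the password comes back out for any party that holds the shared secret and the request.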


--Dinesh
