Setting Up FreeRADIUS with PAP & PostgreSQL (Development Environment)

This guide outlines the steps to configure a FreeRADIUS development environment using Docker, enabling PAP authentication against a PostgreSQL database.

Initial Host Machine Setup

Perform these steps in your project directory (e.g., freeradius-pg-docker).

1. Save Core Files:

Save the content for Dockerfile, docker-compose.yml, and init-db.sh into files with those exact names.

2. Make Script Executable:

Run the following command:

chmod +x init-db.sh

3. Download Database Schema:

Get the PostgreSQL schema file:

curl -o schema.sql https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/v3.2.x/raddb/mods-config/sql/main/postgresql/schema.sql

4. Set Secure Password:

IMPORTANT: Edit docker-compose.yml and replace BOTH instances of your_secure_password with a strong, unique password.

5. Create Host Directories:

mkdir ./raddb ./logs

6. Populate ./raddb with Default Config:

Copy the default FreeRADIUS configuration from the image to your host's ./raddb directory. You typically do this once.

# Build a temporary image first (if not already built)
docker build -t temp-freeradius-config .

# Copy config out from the temporary container
docker run --rm --entrypoint /bin/sh temp-freeradius-config -c "tar cf - -C /etc raddb" | tar xf - -C .

# Optionally remove the temporary image
# docker rmi temp-freeradius-config

Ensure the ./raddb directory exists and is populated before proceeding.

Configure FreeRADIUS (in `./raddb`)

Edit the configuration files within your host's ./raddb directory. Changes made here will be reflected inside the container due to the volume mount specified in docker-compose.yml.

1. Configure SQL Module (./raddb/mods-available/sql):

Set driver = "rlm_sql_postgresql".
Set dialect = "postgresql".

In the postgresql { ... } section, configure the connection using environment variables passed from docker-compose.yml:

server = "%{env:DB_HOST}"
port = "%{env:DB_PORT}"
login = "%{env:DB_USER}"
password = "%{env:DB_PASSWORD}"
radius_db = "%{env:DB_NAME}"

Review/adjust connection pool settings (pool {}) if needed for performance. You might also adjust SQL queries later if necessary.

2. Enable SQL Module (./raddb/mods-enabled/sql):

Ensure a symbolic link exists from ./raddb/mods-enabled/sql to ../mods-available/sql. Create it if it doesn't exist (ensure you are in the project root):

# Ensure you are in the project root directory (freeradius-pg-docker)
ln -s ../mods-available/sql ./raddb/mods-enabled/sql

3. Configure Site Processing (./raddb/sites-enabled/default):

This file controls the main request flow. Modify the sections to integrate SQL and PAP.

authorize {} section:

Add sql (usually near the top) to fetch user details/checks from the database.
You might keep files as a fallback.
Keep pap if you need authorize checks based on Auth-Type PAP.

authorize {
    # ... other initial checks ...
    sql # Check SQL first
    # files # Optional: Check files module if not found in SQL
    pap # Keep pap here if needed for Auth-Type PAP checks
    # ... other modules ...
}

authenticate {} section:
- Ensure the Auth-Type PAP { pap } block exists to handle PAP authentication.
- The pap module itself (configured in mods-available/pap) determines if passwords are checked against the users file (default) or potentially SQL (requires additional configuration like Password-With-Header and SQL query adjustments).
- You might add sql here too if specific SQL checks are needed during authentication.
accounting {} section:
- Add sql to log accounting records to the database.
- Remove or comment out file-based logging (detail, radacct) if you only want SQL accounting.
session {} and post-auth {} sections:
- Review and add sql if needed for your logic (e.g., updating tables after successful authentication).

4. Define RADIUS Clients (./raddb/clients.conf):

Add entries for each RADIUS client (NAS, switch, AP, VPN, testing tools) that will send requests.
Specify the client's IP address and the shared secret.
Crucially, include an entry for 127.0.0.1 if testing with radtest from the host/container (e.g., use secret testing123).

client localhost {
    ipaddr = 127.0.0.1
    secret = testing123 # Use the same secret in radtest
}

# Add other clients as needed
# client my_access_point {
#   ipaddr = 192.168.1.100
#   secret = your_ap_secret
# }

5. Configure PAP Users File (./raddb/users):

Add any users who will authenticate via PAP using this file, defining their Cleartext-Password.
You can also define attributes here.

papuser Cleartext-Password := "pappassword"
        Reply-Message = "Hello from users file, %u"

This file can serve as a fallback or for specific user overrides even when using SQL.

Key Configuration Files Overview (in `./raddb`)

This section lists the primary files within your host's ./raddb directory that you'll typically interact with when configuring PAP and SQL (PostgreSQL) authentication:

`./raddb/mods-available/sql`

Purpose: Configures the core SQL module (rlm_sql).

Edits:

Ensure driver is set to "rlm_sql_postgresql".
Ensure dialect is set to "postgresql".
Critically, configure the postgresql {...} subsection with the correct connection details using environment variables (%{env:VAR_NAME}) from docker-compose.yml (e.g., server = "%{env:DB_HOST}", password = "%{env:DB_PASSWORD}").
You might adjust SQL queries here later if needed.

`./raddb/mods-enabled/sql` (Symlink)

Purpose: Enables the SQL module configured in mods-available/sql.

Action: This isn't a file you edit directly, but you must ensure it exists as a symbolic link pointing to ../mods-available/sql. You likely created this in the initial setup steps (ln -s ../mods-available/sql ./raddb/mods-enabled/sql).

`./raddb/sites-enabled/default` (and potentially `inner-tunnel`)

Purpose: Defines the request processing workflow (virtual server).

Edits: This is where you tell FreeRADIUS when and how to use the PAP and SQL modules within the different processing sections (authorize, authenticate, accounting, post-auth, session) as detailed in Step 3 of the configuration process above. You'll typically uncomment the sql entries or add them in the desired order relative to other modules like files, pap, chap, etc.

authorize {}: Add sql to fetch user details/perform checks from the database.
authenticate {}: Ensure Auth-Type PAP { pap } exists. The pap module itself (mods-available/pap) handles the check (vs users file or potentially SQL). You might add sql here too for other checks.
accounting {}: Add sql to log records to PostgreSQL.
session {}, post-auth {}: Add sql if needed for actions during these phases.

`./raddb/users`

Purpose: The default plain-text file for defining users, passwords (for PAP/CHAP if not using SQL for passwords), and attributes.

Edits:

Add users here who authenticate only via PAP using this file.
Define default attributes or group memberships here that might apply even to users authenticated via SQL.

`./raddb/clients.conf`

Purpose: Defines which RADIUS clients (NAS devices, switches, APs, VPN concentrators, test tools) are allowed to send requests and the shared secret for communication.

Edits: You absolutely need to edit this file to add the IP address and shared secret for any device sending requests, including localhost (IP 127.0.0.1) for testing with radtest.

Running and Testing

1. Start Services:

docker-compose up -d

2. Check Logs:

Monitor logs for errors or status messages:

docker-compose logs -f postgres freeradius

3. Add Test Users:

Add user to PostgreSQL database (for SQL auth testing):

docker-compose exec postgres psql -U radius -d radius -c "INSERT INTO radcheck (username, attribute, op, value) VALUES ('sqluser', 'Cleartext-Password', ':=', 'sqlpassword');"

Add user to ./raddb/users file (for PAP file auth testing):
Add the user entry (like the example provided earlier) to ./raddb/users on your host machine.

Remember to restart FreeRADIUS after editing ./raddb/users:
```
docker-compose restart freeradius
```

4. Test Authentication with radtest:

Test SQL user:

radtest sqluser sqlpassword localhost 0 testing123

Test PAP user from 'users' file:

radtest papuser pappassword localhost 0 testing123

Development Workflow Summary

This Docker volume mount setup facilitates rapid development:

Ensure ./raddb exists on your host and contains the FreeRADIUS configuration files.
Edit configuration files directly within your host's ./raddb directory using your preferred text editor.
Changes saved on your host are immediately visible inside the container at /etc/raddb.
For FreeRADIUS to load the modified configuration, restart the service:
```
docker-compose restart freeradius
```
(Alternatively: docker-compose stop freeradius && docker-compose up -d freeradius)

Remember to restart the freeradius service after saving changes to configuration files on your host for them to take effect. Carefully adapt the configurations to match your specific requirements.

Setting Up FreeRADIUS with PAP & PostgreSQL (Development Environment)

Initial Host Machine Setup

Configure FreeRADIUS (in ./raddb)

Key Configuration Files Overview (in ./raddb)

./raddb/mods-available/sql

./raddb/mods-enabled/sql (Symlink)

./raddb/sites-enabled/default (and potentially inner-tunnel)

./raddb/users

./raddb/clients.conf