freeradius + MySQL

Posted on 2009-04-26
Last Modified: 2013-12-06
Hi! I have the two Debian packages, freeradius and freeradius-mysql installed.

The MySQL database is populated with some data for testing, and the freeradiusd.conf and sql.conf are configured.

The following test on localhost works:
~# radtest johndoe abc123 localhost 1812 testing123

The RADIUS server is able to connect with the MySQL database, and I can authenticate users from it. I also have a remote RADIUS client configured that is working with my captive portal and RADIUS server, however, it only works when I have the client's IP address configured in /etc/freeradius/clients.conf. It does not work using the MySQL 'nas' table.

In other words, freeradius does not seem to be querying my nas table from the MySQL database.

In my /etc/freeradius/sql.conf file I have the following:

# Table to keep radius client info
nas_table = "nas"

# Set to 'yes' to read radius clients from the database ('nas' table)
readclients = yes

In my nas table I have the following:

id       nasname       shortname       type       ports       secret       community       description
1       xx.xx.xx.xx       NULL       other       NULL       testing123       NULL       RADIUS Client

... where xx.xx.xx.xx is the correct IP address of my RADIUS client.

When I try to log in via the captive portal, with freeradius running in debug mode, I get the following:

rad_recv: Access-Request packet from host xx.xx.xx.xx:2326, id=126, length=341
Ignoring request from unknown client xx.xx.xx.xx:2326
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.

Any help would be greatly appreciated!
Question by:Julian Matz

    Accepted Solution

    Put the IP in both the nasname and shortname to see whether a difference is seen.

    Start freeradius in debug mode to see what configuration settings it loads.

    I.e. does it load xx.xx.xx.xx as a client?

    Author Comment

    by:Julian Matz
    Hi arnold,

    That seems to have done the trick! Is that the normal/expected behaviour though?

    Now that this seems to be working, do you know of an easy method to do this using dynamic client IPs?

    If not, I'd probably have to write a bash script to update the IPs on my DNS servers periodically using cron...

    Assisted Solution

    I'm not sure whether the shortname or the nasname is the one that is read in as the IP.
    The client list is only read in during startup of freeradius. If you have dynamic IPs, the restart of freeradius forced it to read in the client list such that the changes to shortname might not be what fixed it.  I.e. if you remove the entry for shortname and restart freeradius does it still work or it again reports the NAS as not a valid client?  This will answer whether the IP needs to be in the nasname or shortname column.
    Why would you have dynamic IPs for the NAS?
    You could set up static IP assignment in DHCP for the NAS.

    Author Comment

    by:Julian Matz
    The client (a Linksys WRT54GL) will have a static private IP - e.g. It will use an Internet connection from another gateway at, which in turn is connected to a DSL modem. The DSL provider that's providing the WAN connection assigns dynamic public IPs. It's the public IP that gets sent to the RADIUS server and that's why I need to figure out how to use RADIUS authentication with dynamic IPs. There will be lots of WRT54GL routers in different remote locations, and they will all have dynamic IPs assigned to them by the ISP. Basically, this is for a hotspot service.

    Assisted Solution

    In this case you have two options. One: set up freeradius to treat any incoming packet as a valid client.
    I.e. set up the nasname as meaning all possible IPs are acceptable as clients.

    Alternatively, get the possible segments for each location and set each up:
    Then set up a process that monitors the log file for not client reports and adds those into mysql's nas table.
    Reload/restart radiusd if a change was seen. (Not sure whether the reload forces the refresh of the valid clients.)

    Any reason why the wrt54GL is not the first one?  Putting it first will protect the LAN behind the currently primary router from hotspot connected devices/systems.
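
The second option in the answer above (watch the log for unknown-client reports and feed them into the nas table), sketched as an added example that is not part of the original thread. It only proposes addresses that fall inside the expected per-location segments, so an arbitrary source that sends a packet is never promoted to a client; the segment list, the sample log, the function names and the secret placeholder are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the debug-mode line quoted in the question.
UNKNOWN_CLIENT = re.compile(
    r"Ignoring request from unknown client (\d{1,3}(?:\.\d{1,3}){3}):\d+"
)

# Assumption: the address blocks the ISPs at each hotspot location assign from.
# Constructed documentation ranges (RFC 5737), not values from the thread.
ALLOWED_SEGMENTS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed sample of freeradius debug output.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 198.51.100.23:2326, id=126, length=341
Ignoring request from unknown client 198.51.100.23:2326
Ignoring request from unknown client 192.0.2.77:4410
Ignoring request from unknown client 198.51.100.23:2327
Ignoring request from unknown client 203.0.113.200:1645
Ignoring request from unknown client 999.1.1.1:1645
"""

def classify_unknown_clients(log_text, segments=ALLOWED_SEGMENTS):
    """Return (candidates, rejected): unique source IPs in first-seen order."""
    candidates, rejected, seen = [], [], set()
    for match in UNKNOWN_CLIENT.finditer(log_text):
        raw = match.group(1)
        if raw in seen:
            continue
        seen.add(raw)
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append(raw)  # malformed address in the log line
            continue
        # Only sources inside an expected segment may become nas rows.
        (candidates if any(addr in net for net in segments) else rejected).append(raw)
    return candidates, rejected

def nas_rows(candidates, secret):
    """Rows (nasname, shortname, type, secret) for a parameterized INSERT.
    The IP goes in both nasname and shortname, as the accepted answer tried."""
    return [(ip, ip, "other", secret) for ip in candidates]

if __name__ == "__main__":
    ok, bad = classify_unknown_clients(SAMPLE_LOG)
    print("add to nas:", nas_rows(ok, "<per-site-secret>"))
    print("left unknown:", bad)
```

Since the thread notes that the client list is only read at startup, rows added this way take effect after freeradius is restarted.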

    Author Comment

    by:Julian Matz
    I decided to use a local cron job and a remote PHP script to periodically update the dynamic IP address with my nameservers. This way I was able to use a hostname instead of an IP.

    Apparently the FQDN goes into nasname ( e.g. ), and the shortname would then be "". Not really sure why it's set up like that, but it seems to work.

    Thanks for the help!
