FreeRADIUS 3.0.22 has a bug.
-
Unfortunately, there is a major issue with FreeRADIUS 3.0.22, which is the version provided by the latest version of pfSense. (For those of you who might be wondering what sort of bug: In a nutshell, it does not load NASes from the "nas" table in the database; you will have to provide them in a text file.) The developers have long since taken care of the bug in the new version, i.e. FreeRADIUS 3.0.23. The package has already been updated in the FreeBSD repository but I wonder when I can expect the same to happen with pfSense.
Also, where is the Quagga packet?
-
Hmm, if it didn't load any NAS entries then I would expect it to be completely non-functional and I haven't seen any reports of that. Nor have I seen it on any test instances I have. Though I'm mostly testing 2.6/22.01 at this point and that is already using freeradius3-3.0.23_1.
Is that what you're seeing? You can just upgrade if you need it now.
There is no Quagga package any longer. All dynamic routing is now using FRR.
Steve
-
@stephenw10 said in FreeRADIUS 3.0.22 has a bug.:
Hmm, if it didn't load any NAS entries then I would expect it to be completely non-functional and I haven't seen any reports of that. Nor have I seen it on any test instances I have. Though I'm mostly testing 2.6/22.01 at this point and that is already using freeradius3-3.0.23_1.
Is that what you're seeing? You can just upgrade if you need it now.
There is no Quagga package any longer. All dynamic routing is now using FRR.
Steve
The current stable pfSense version is 2.5.2 and the FreeRADIUS version in the current package is still 3.0.22. That version does load NASes but only from a text file. It is a confirmed bug.
Do you have any idea when the package might get updated?
-
I don't have any idea on a specific timeline.
Just to confirm though, you are saying that for you the Freeradius package is completely broken unless you manually add a text file with a list of NASes?
Steve
-
@stephenw10 I don't think this is 100% correct - from my quick test. I have recently stopped using freerad as auth for my eaptls setup since company locked down phone and prevented loading the profile and certs required to get it to work on the phone.
But freerad was still setup on pfsense, running 3.0.22 version of 21.05.1
So versus turning on ssid with eaptls again, and using my ipad or something to auth. I just did a simple test, added one of my linux boxes to the nas screen.. 192.168.2.12
Then ran test from that 192.168.2.12 box - and get authed..
I then removed the 192.168.2.12 from the nas/client list - and no longer could auth..
I for sure didn't have to load any "text" file to get that to work, etc.
-
Exactly. This is the first I've heard of this bug if it exists. Freeradius works correctly in 2.5.2/21.05.1 as far as I'm aware.
Need confirmation on exactly what @scilek is seeing and doing.
Steve
-
I would think if 3.0.22 was busted as he is saying where you have to load in a "text" file for nas to work - the forums would be burning down with people complaining and reporting it..
-
FreeRADIUS is capable of loading NASes either from the "nas" table in the database or a plain-text file, which is what pfSense creates when you add clients through the package interface, as you have demonstrated. The NASes defined in the "nas" table are not recognised and you get an error message that goes like "unknown client". You can try it for yourself, but make sure that FreeRADIUS is connected to a database and configured to read the "nas" table. This is confirmed by the developers. I don't know why I am the first person to bring this issue up on the forum, maybe I am the only one that uses a database backend for FreeRADIUS.
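A quick way to check whether a given install meets both conditions described above (the 3.0.22 package and an sql module set to read clients from the database), as an added example that is not part of the original post. The function names, the sample config and passing the sql module file by path are assumptions; `read_clients` and `client_table` are the stock FreeRADIUS sql module directives.

```shell
#!/bin/sh
# Added example (not from the thread): "am I exposed?" check for the
# 3.0.22 behaviour where clients in the SQL "nas" table are not loaded.
# Assumptions: the version string has the form pkg prints
# (e.g. freeradius3-3.0.22) and the sql module file is passed by path.

# Succeeds if the sql module config on stdin has an uncommented
# "read_clients = yes", i.e. clients are expected to come from the database.
reads_clients_from_sql() {
    sed 's/#.*//' |
        grep -Eq '^[[:space:]]*read_clients[[:space:]]*=[[:space:]]*yes'
}

# Succeeds only for the release the thread reports as affected.
is_affected_version() {
    case "$1" in
        freeradius3-3.0.22|freeradius3-3.0.22_*) return 0 ;;
        *) return 1 ;;
    esac
}

# nas_bug_status PKG_VERSION SQL_MODULE_FILE
# Prints "affected" when both conditions hold, otherwise "not-affected".
nas_bug_status() {
    if is_affected_version "$1" && reads_clients_from_sql < "$2"; then
        echo "affected"
    else
        echo "not-affected"
    fi
}

# Constructed sample of an sql module file (not taken from a real host).
SAMPLE_SQL_CONF=$(mktemp)
cat > "$SAMPLE_SQL_CONF" <<'EOF'
sql {
    dialect = "mysql"
    # read_clients = no
    read_clients = yes
    client_table = "nas"
}
EOF

nas_bug_status "freeradius3-3.0.22" "$SAMPLE_SQL_CONF"
nas_bug_status "freeradius3-3.0.23_1" "$SAMPLE_SQL_CONF"
```

A host that only uses clients added through the package interface reports "not-affected", which matches the tests earlier in the thread.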
-
@scilek said in FreeRADIUS 3.0.22 has a bug.:
maybe I am the only one that uses a database backend for FreeRADIUS.
Quite possible. Where does it say in the freerad gui in pfsense that it will read nas from the table? Even if that is a supported thing?
So no I wouldn't expect it to do something you can not configure in the gui?? Even if there is some bug in freerad where it wouldn't work if configured.
-
Ok, so if the bug here does not affect the pfSense package directly I doubt it will be fixed before the next release. You can always use a 2.6 snapshot now if you really need that functionality.
Steve
-
@johnpoz said in FreeRADIUS 3.0.22 has a bug.:
Where does it say in the freerad gui in pfsense that it will read nas from the table?
Here:
@johnpoz said in FreeRADIUS 3.0.22 has a bug.:
So no I wouldn't expect it to do something you can not configure in the gui??
It is not a pfSense issue, it is a FreeRADIUS issue and it has been fixed in the latest version.
-
If FreeRadius was reading the NAS info from one of the tables, called "nas", then that info would be available only to FreeRadius, as the SQL database / tables are (normally) only accessible to FreeRadius.
When creating a NAS setup, the info would have to be stored in a text file for pfSense usage (the client) and FreeRadius.
I guess the (partial !) pfSense integration of FreeRadius chose for the text file as it's simpler to maintain.
The same thing goes for the "authorized users" : they are not stored in the FreeRadius backed SQL engine, but in a file for common usage. Where :
pfSense : so it can build one.
FreeRadius : uses it.
Right now, from what I've seen, the pfSense GUI does not interact at all with database.
-
@gertjan said in FreeRADIUS 3.0.22 has a bug.:
Right now, from what I've seen, the pfSense GUI does not interact at all with database.
Right. It does NOT. It is not a pfSense issue. The issue is the version of FreeRADIUS in the pfSense package delivered by version 2.5.2. Is there a way of fixing the package to include the unbugged version of FreeRADIUS?
-
Hmm, is there a specific Freeradius bug for this? I see it shows as 'fixed again' in the release notes.
We have an open bug for this issue here: https://redmine.pfsense.org/issues/12126
Steve
-
Is there any way I can get the current package updated to include the clean version of FreeRADIUS? I do not want to wait for the 2.6 stable release.
-
That would be something like :
Install pfsense 2.6.
Install the pfSense package FreeRadius, and try to find out what files were added. Copy these paths and files to a USB drive.
If possible, try to 'read' what's in the package, so you know where and what to look for.
Install 2.5.2.
Install Freeradius current version.
Overwrite the binaries with the ones you saved.
This might work. Or break things. Or something in between.
It will be the old school method : discover, try, test, redo, over and over and succeed.
I do presume that pfSense 2.6 is based on FreeBSD-12.2 STABLE? as 2.5.2.
-
I have already tried something like that.
I created a new virtual machine and installed FreeBSD 12.2 on it. Then I installed FreeRADIUS 3.0.23_1 and then copied the main binary file for FreeRADIUS (i.e. radiusd) and overwrote it on the bugged version.
It turned out that each FreeRADIUS binary and library has some sort of version stamp and will work with those of the same version.
Not to say that your idea would not work, it is just that it is not an elegant solution and very prone to break at the seams.
I believe the best way to deal with this problem is to get the current package updated.
How can I make that happen? Who has the privilege of updating that package?
Edit:
I think I found a solution.
I installed the DEV version of pfSense on a virtual machine and copied the contents of /usr/local/etc/pkg/repos/pfSense.conf to that on version 2.5.2. After that, I searched the development repository:
[2.5.2-RELEASE][root@pfSense.home.arpa]/root: pkg search freeradius
freeradius3-3.0.23_1 Free RADIUS server implementation
pfSense-pkg-freeradius3-0.15.7_32 FreeRADIUS 3.x package for pfSense
[2.5.2-RELEASE][root@pfSense.home.arpa]/root:
Then I typed in this:
[2.5.2-RELEASE][root@pfSense.home.arpa]/root: pkg install -y pfSense-pkg-freeradius3-0.15.7_32
And it worked! I can even see the new package in the installed packages pane:
I guess that puts the matter to rest.
-
@scilek said in FreeRADIUS 3.0.22 has a bug.:
It turned out that each FreeRADIUS binary and library has some sort of version stamp and will work with those of the same version.
pfSense uses FreeBSD, but uses other default system paths.
Example : the classic FreeBSD uses /etc/raddb for the config files.
pfSense uses /usr/local/etc/raddb/
That's why I advise to install pfSense 2.6, not FreeBSD 12.2.
And yes, FreeRadius has a boatload of dependencies, you have to parse them all out.
And yes, working this way s*cks.
A native FreeBSD 12.2 stable OS install is needed if you want to make binaries from source.
During the make process, you can override all those 'pfSense' specific items, like paths and whatever else.
The fastest method could be : test drive 2.6 for a while.
It could work just fine for you. No need to take these bloody razor blade, edge of the wedge daily updates. Got 'final' when it's ready.
@scilek said in FreeRADIUS 3.0.22 has a bug.:
Who has the privilege of updating that package?
Netgate probably works like any other company :
Every Friday, in the afternoon, all personnel is summoned to go to the local meeting room.
A lottery will take place.
These are the numbers ( the 12xxx series at the beginning of every line ).
Every member present gets a number assigned.
Their mission, they want it, or no : repair the issue.
Here you can see the known FreeRadius issues, some of them are assigned. Some are not.
Btw : I could be totally wrong, of course ;)
edit :
@scilek said in FreeRADIUS 3.0.22 has a bug.:
And it worked!
I love it !
Totally non supported of course, but just perfect for you, so :
Glad you figured something out.
-
Mmm, nice result!
That was lucky. It could easily have not worked with 2.5.2.
Steve
-
@stephenw10 said in FreeRADIUS 3.0.22 has a bug.:
That was lucky. It could easily have not worked with 2.5.2.
Well, between me and you, it did not work the first time because I had forced a package repository update:
pkg update -f
Doing that undid the modification I had done to the pfSense.conf file. So I edited the file a second time and it worked.