Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out
-
I take it I could not reproduce because not all that long ago, I had changed all my certs for my eap-tls setup, and hit save settings at some point..
-
Somewhat anti-productive, but I found no issues while upgrading to "_1".
I've found this subject the moment I had hit "upgrade" ....
I knew I had a fresh backup of the config, as I have these created twice a day.But nothing happened : all is well ..... euh
-
I checked some older configuration backup files as well and the
<keep_settings>
tag was not present. I assume this must be why the freeradius configuration settings were lost during the package upgrade to 0.15.10_1.@Gertjan @johnpoz - is the
<keep_settings>
tag present in all your configuration back up files (i.e. in ones created prior to the package upgrade)? -
[23.05.1-RELEASE][root@pfSense.bhf.net]/root: grep 'keep_settings' /conf/config.xml <keep_settings>on</keep_settings>
Yep.
edit : that is, somewhere below
<freeradiussettings> <config>
-
@tman222 I just looked at one from 9/3 and the setting was there.
edit: found an old one from 2/19 and yeah settings is there.. One from 8/23 and yup there.
-
Thanks guys, I think that explains it then. I did have the "Save settings..." option checked, but the tag was not present in the configuration back up files. Maybe I never hit Save on that screen. In any case, it appears to resolved now.
-
-
Same boat; that wrecked my evening, but fortunately I found this thread after moving to a privileged machine not needing radius authentication.
Upgrade from 0.15.10 to 0.15.10_1 blew away all freeradius config.
Restored pfSense from a backup config.
Confirmed that the GUI showed "Save settings after deletion" was ticked
...but the config file had no entry for<keep_settings>
it was simply missing
Unticked/saved/Ticked/saved and then exported a new config
<keep_settings>
is now present and set toon
ps - unable to check the redmine link above, the site is currently busted:
This website is under heavy load (queue full) We're sorry, too many people are accessing this website at the same time. We're working on this problem. Please try again later.
-
The redmine site is available again. That bug is now fixed.
-
This post is deleted! -
@Luca-De-Andreis said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:
/diag_authentication.php: Error during RADIUS authentication : Operation timed out
Is there a fix for this specific error? I'm in a (presently unique but likely soon to be more common for other users) scenario where I'm installing a fresh 2.7.1 build with no backup to restore from so I only have freeradius3 0.15.10_1 available which isn't functional and results in the above Operation timed out message.
-
The only reason OP in this thread was seeing that is because all radius config was lost at upgrade. That shouldn't affect you on a clean install so I'd suggest it's just not configured correctly.
We're going to need more info to diagnose that further. -
@stephenw10 I configured it the same on 3 previously 2.7 builds with no issue, and followed the same instructions for this. Also wiped and did a fresh reinstall and reconfigure with the same result. Followed these instructions to a T: https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa but that timed out error is the only log indicating the failure. I am human though so I could have make a mistake and then replicated the same mistake over again but comparing build to build, I don't see any difference in settings.
Is there something else I can check to diagnose this further? I need to get this functional so I'll probably need to take a backup of one of the other systems I tweak that to work but it would be nice to know why this is failing so that it ca be fixed in an _2 release.
-
Well I would first check that Freeradius works without 2FA enabled. We need to try to pin down exactly what's failing there.
-
@stephenw10 Makes sense. I just did a fresh install of 2.7.0, installed the available freeradius 3 package (pfSense-pkg-freeradius3-0.15.10_1), configured without OTP and tested auth and I get the same timed out error.
-
Can you test 2.7.1? Not that I'd expect any difference there.
Exactly what did you configure in Freeradius? Do you see anything logged?
-
@stephenw10
In freeradius, I created the listener port, added the NAS/Client with client IP of 127.0.0.1 and set the shared secret, created a user with a simple clear-text password and then added FreeRADIUS as an authentication source with the previously set shared secret.
I had done this in 2.7.1 before with the same result by the way.
and the only log is this:
Nov 20 18:59:09 php-fpm 58498 /diag_authentication.php: Error during RADIUS authentication : Operation timed out -
And you set the interface type as authentication I assume? (which is the default)
That works as expected for me here.
Try using radtest as shown here: https://docs.netgate.com/pfsense/en/latest/packages/freeradius-test.html
-
@stephenw10 I followed the radtest procedure, got the same error in the gui and then when testing via cli I get the following error:
ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "radclient"
Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.
Reinstalled a fresh copy of 2.7.1 and retried the setup and it works now. I must've missed something in previous 2.7.1 attempts, my bad.
Thank you for your time and assistance! -
@c0ff33h4x said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:
Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.You've triggered : Pre-Upgrade Tasks
In short : never ever upgrade packages if a new pfSense version is available : upgrade pfSense first ;)
-
Ah. Glad you were able to resolve it!