Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out

Gertjan · Sep 26, 2023, 1:07 PM

Somewhat anti-productive, but I found no issues while upgrading to "_1".

I've found this subject the moment I had hit "upgrade" ....
I knew I had a fresh backup of the config, as I have these created twice a day.

But nothing happened : all is well ..... euh

tman222 · Sep 26, 2023, 1:15 PM

I checked some older configuration backup files as well and the <keep_settings> tag was not present. I assume this must be why the freeradius configuration settings were lost during the package upgrade to 0.15.10_1.

@Gertjan @johnpoz - is the <keep_settings> tag present in all your configuration back up files (i.e. in ones created prior to the package upgrade)?

Gertjan · Sep 26, 2023, 1:45 PM

@tman222

[23.05.1-RELEASE][root@pfSense.bhf.net]/root: grep 'keep_settings' /conf/config.xml
                                <keep_settings>on</keep_settings>

Yep.

edit : that is, somewhere below

<freeradiussettings>
                       <config>

johnpoz · Sep 26, 2023, 1:52 PM

@tman222 I just looked at one from 9/3 and the setting was there.

edit: found an old one from 2/19 and yeah settings is there.. One from 8/23 and yup there.

tman222 · Oct 8, 2023, 6:23 AM

Thanks guys, I think that explains it then. I did have the "Save settings..." option checked, but the tag was not present in the configuration back up files. Maybe I never hit Save on that screen. In any case, it appears to resolved now.

whorfin · Oct 8, 2023, 6:23 AM

Same boat; that wrecked my evening, but fortunately I found this thread after moving to a privileged machine not needing radius authentication.

Upgrade from 0.15.10 to 0.15.10_1 blew away all freeradius config.
Restored pfSense from a backup config.
Confirmed that the GUI showed "Save settings after deletion" was ticked
...but the config file had no entry for <keep_settings> it was simply missing
Unticked/saved/Ticked/saved and then exported a new config
<keep_settings> is now present and set to on

ps - unable to check the redmine link above, the site is currently busted:

This website is under heavy load (queue full)
We're sorry, too many people are accessing this website at the same time. We're working on this problem. Please try again later.

stephenw10 · Oct 8, 2023, 5:37 PM

The redmine site is available again. That bug is now fixed.

Viper_Rus · Oct 23, 2023, 6:53 AM

This post is deleted!

c0ff33h4x · Nov 19, 2023, 6:36 AM

@Luca-De-Andreis said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:

/diag_authentication.php: Error during RADIUS authentication : Operation timed out

Is there a fix for this specific error? I'm in a (presently unique but likely soon to be more common for other users) scenario where I'm installing a fresh 2.7.1 build with no backup to restore from so I only have freeradius3 0.15.10_1 available which isn't functional and results in the above Operation timed out message.

stephenw10 · Nov 19, 2023, 2:26 PM

The only reason OP in this thread was seeing that is because all radius config was lost at upgrade. That shouldn't affect you on a clean install so I'd suggest it's just not configured correctly.
We're going to need more info to diagnose that further.

c0ff33h4x · Nov 20, 2023, 4:38 PM

@stephenw10 I configured it the same on 3 previously 2.7 builds with no issue, and followed the same instructions for this. Also wiped and did a fresh reinstall and reconfigure with the same result. Followed these instructions to a T: https://www.netgate.com/blog/freeradius-on-pfsense-for-2fa but that timed out error is the only log indicating the failure. I am human though so I could have make a mistake and then replicated the same mistake over again but comparing build to build, I don't see any difference in settings.

Is there something else I can check to diagnose this further? I need to get this functional so I'll probably need to take a backup of one of the other systems I tweak that to work but it would be nice to know why this is failing so that it ca be fixed in an _2 release.

stephenw10 · Nov 20, 2023, 5:20 PM

Well I would first check that Freeradius works without 2FA enabled. We need to try to pin down exactly what's failing there.

c0ff33h4x · Nov 20, 2023, 7:08 PM

@stephenw10 Makes sense. I just did a fresh install of 2.7.0, installed the available freeradius 3 package (pfSense-pkg-freeradius3-0.15.10_1), configured without OTP and tested auth and I get the same timed out error.

stephenw10 · Nov 20, 2023, 7:16 PM

Can you test 2.7.1? Not that I'd expect any difference there.

Exactly what did you configure in Freeradius? Do you see anything logged?

c0ff33h4x · Nov 20, 2023, 7:24 PM

@stephenw10
In freeradius, I created the listener port, added the NAS/Client with client IP of 127.0.0.1 and set the shared secret, created a user with a simple clear-text password and then added FreeRADIUS as an authentication source with the previously set shared secret.
I had done this in 2.7.1 before with the same result by the way.
and the only log is this:
Nov 20 18:59:09 php-fpm 58498 /diag_authentication.php: Error during RADIUS authentication : Operation timed out

stephenw10 · Nov 20, 2023, 8:36 PM

And you set the interface type as authentication I assume? (which is the default)

That works as expected for me here.

Try using radtest as shown here: https://docs.netgate.com/pfsense/en/latest/packages/freeradius-test.html

c0ff33h4x · Nov 21, 2023, 6:29 AM

@stephenw10 I followed the radtest procedure, got the same error in the gui and then when testing via cli I get the following error:

ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "radclient"

Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.
Reinstalled a fresh copy of 2.7.1 and retried the setup and it works now. I must've missed something in previous 2.7.1 attempts, my bad.
Thank you for your time and assistance!

Gertjan · Nov 21, 2023, 7:23 AM

@c0ff33h4x said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:

Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.

You've triggered : Pre-Upgrade Tasks

In short : never ever upgrade packages if a new pfSense version is available : upgrade pfSense first ;)

stephenw10 · Nov 21, 2023, 12:58 PM

Ah. Glad you were able to resolve it!

c0ff33h4x · Nov 21, 2023, 4:42 PM

@Gertjan heard 100%. The series of events that I ran through though was that I had installed and tested few 2.7.0 systems a few weeks prior and shooting for consistency, I used the same ISO to setup another, but by that time, the available freeradius package was a different version in the package manager (didn't initially realize this) to a breaking version that isn't compatible with 2.7.0 apparently. IMO In a perfect world, a 2.7.0 build shouldn't even have the option to install 0.15.10_1 since it's not compatible or at least have the ability to choose package versions but it's neither here nor there at this point. My issues resolved and moving forward I know I'll need to either install all the systems at once or take full system images to restore and replicate from if the need for increasing scale arises. Live and learn :-)

Thanks @stephenw10 for helping my troubleshooting along,