Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out
-
Well I would first check that Freeradius works without 2FA enabled. We need to try to pin down exactly what's failing there.
-
@stephenw10 Makes sense. I just did a fresh install of 2.7.0, installed the available freeradius 3 package (pfSense-pkg-freeradius3-0.15.10_1), configured without OTP and tested auth and I get the same timed out error.
-
Can you test 2.7.1? Not that I'd expect any difference there.
Exactly what did you configure in Freeradius? Do you see anything logged?
-
@stephenw10
In freeradius, I created the listener port, added the NAS/Client with client IP of 127.0.0.1 and set the shared secret, created a user with a simple clear-text password and then added FreeRADIUS as an authentication source with the previously set shared secret.
I had done this in 2.7.1 before with the same result by the way.
and the only log is this:
Nov 20 18:59:09 php-fpm 58498 /diag_authentication.php: Error during RADIUS authentication : Operation timed out -
And you set the interface type as authentication I assume? (which is the default)
That works as expected for me here.
Try using radtest as shown here: https://docs.netgate.com/pfsense/en/latest/packages/freeradius-test.html
-
@stephenw10 I followed the radtest procedure, got the same error in the gui and then when testing via cli I get the following error:
ld-elf.so.1: Shared object "libcrypto.so.30" not found, required by "radclient"Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.
Reinstalled a fresh copy of 2.7.1 and retried the setup and it works now. I must've missed something in previous 2.7.1 attempts, my bad.
Thank you for your time and assistance! -
@c0ff33h4x said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:
Guessing that might be missing from the new freeradius package and maybe was transitioned to be included in 2.7.1 causing the incompatibility.
I updated by 2.7.0 build to 2.7.1 and the radtest passes now with no other changes so that looks to be it.You've triggered : Pre-Upgrade Tasks
In short : never ever upgrade packages if a new pfSense version is available : upgrade pfSense first ;)
-
Ah. Glad you were able to resolve it!
-
@Gertjan heard 100%. The series of events that I ran through though was that I had installed and tested few 2.7.0 systems a few weeks prior and shooting for consistency, I used the same ISO to setup another, but by that time, the available freeradius package was a different version in the package manager (didn't initially realize this) to a breaking version that isn't compatible with 2.7.0 apparently. IMO In a perfect world, a 2.7.0 build shouldn't even have the option to install 0.15.10_1 since it's not compatible or at least have the ability to choose package versions but it's neither here nor there at this point. My issues resolved and moving forward I know I'll need to either install all the systems at once or take full system images to restore and replicate from if the need for increasing scale arises. Live and learn :-)
Thanks @stephenw10 for helping my troubleshooting along,
-
@c0ff33h4x said in Freeradius: after upgrade from 0.15.10 to 0.15.10_1: error during authentication: Operation timed out:
IMO In a perfect world, a 2.7.0 build shouldn't even have the option to install 0.15.10_1 since it's not compatible
I agree and in future that will be the case. 23.09/2.7.1 has the ground work to enable that.
-
Thanks for the feed back.
Be assured : I would have also fallen into the trap.It is (was) easy for me to say : as soon as we know a newer pfSense is out, only upgrade packages after I've upgraded pfSense.
Packages repositories should be 'per pfSense version', or, way easier : package upgrading (using the GUI) should show a warning (or even block ?) if this information is isn't 'current' and/or not showing the green "The system is on the latest version".
