PfSense 25.07.1 free radius error

Globo

Hi.
I upgrade my secondary pfsense on 25.07.1.
When I test to pass from pfsense primary (24.11) to secondary (25.07.1), the connexion from OPENVPN with authentication in free radius doesn't work (openvpn.auth-user.php: Error during RADIUS authentication : Operation timed out).
I go back to primary and this is OK.
When my two pfsense was in 24.11, no trouble to pass to primary to secondary.
I verify all the parameters, and all seems ok.
The package freeradius on 24.11 are in 0.15.13 and in 25.07.1 are in 0.15.14
An idea?
Best regards

stephenw10

Is radiusd running on the secondary?

Do you see any errors there?

Globo

Hi!

freeradius is on the two PfSense (primary and secondary).
The error are in OpenVPN
/openvpn.auth-user.php: Error during RADIUS authentication : Operation timed out

Gertjan

@Globo

If applicable : can you test with Diagnostics > Authentication ?

@Globo said in PfSense 25.07.1 free radius error:

Operation timed out

Looks like 25.07.1 can't reach (no contact - no answer) the radius server.

Suggestions :

Check if radiusd is actually running :

ps aux | grep 'radiusd'

Check if radiusd is listing and on which ports :

sockstat | grep 'radiusd'

Globo

The result of the commands

[25.07.1-RELEASE][admin@pfsense2.localdomain]/root: ps aux | grep 'radiusd'
root 63303 4.7 0.8 107424 65284 - Ss 10:57 0:00.08 /usr/local/sbin/radiusd
root 75817 0.0 0.0 14076 2688 0 S+ 10:57 0:00.00 grep radiusd
[25.07.1-RELEASE][admin@pfsense2.localdomain]/root: sockstat | grep 'radiusd'
root radiusd 63303 3 dgram -> /var/run/log
root radiusd 63303 12 udp4 127.0.0.1:18128 :
root radiusd 63303 13 udp4 127.0.0.1:18127 :
root radiusd 63303 14 udp4 *:1812 :
root radiusd 63303 15 udp4 *:1813 :

Gertjan

@Globo

These command were executed on the device that didn't reply, right ?

radiusd listens on all interface (including 127.0.0.1) on 1812 and 1813.
I'm missing 1816 ... the default Status interface (maybe not that important) :

[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'radiusd'
root     radiusd    81070 19  stream /var/run/radiusd.sock
root     radiusd    81070 20  udp4   *:1812                *:*
root     radiusd    81070 21  udp4   *:1816                *:*
root     radiusd    81070 22  udp4   *:1813                *:*
root     radiusd    81070 23  udp4   127.0.0.1:18127       *:*
root     radiusd    81070 24  udp4   127.0.0.1:18128       *:*

I have also a socket as I use that for my own needs.

Can your pfSense A reach pfSense B : does the firewall on pfSense B allow radius UDP traffic from A ?

Packet capture the radius traffic on both sides ?!

Globo

I have to pass on the secondary to test... and not today, so much people connected on the primary, maybe tomorrow.
Thanks for your help.

stephenw10

Yup, check Status > Services to make sure it's actually running there.

I would also test it in Diag > Authentication to make sure local auth still works for those users.

Globo

Well, after a reboot, freeradius stay off. I start it, and after pass on the secondary.
That's work fine.

Thanks a lot to all.

stephenw10

Hmm, well it should start at boot. If it fails to start I'd expect some error to be logged.