    FreeRadius

    pfSense Packages
      Slam

      @marcoof:

      Hi!

      I want to make a little end-user program to manage radius users in pfSense.

      The software I'm trying to make (Java) connects to the pfSense box (via WinSCP in console mode), downloads
      /usr/local/etc/raddb/users, edits this file and uploads it to the pfSense box.

      I would like more information on how freeradius works on pfSense:
      1. The users are in config.xml too; if I reboot the box, I lose my changes.
      2. I don't see any modification on the pfSense box in freeradius -> users.

      Any suggestions are welcome
      Marc

      If I'm not mistaken, the user file is created upon pfsense start up (from the relevant details in config.xml), any changes that you make to this file manually will be lost upon reboot (as you have noticed).

      The only way you could possibly achieve your goal is to use your Java program to make amendments directly to the config.xml file, but that could be very risky indeed; not only that, but from my understanding of radius you'd also have to send a HUP to it for it to reread the new amendments, which only works in freeradius v2.x; pfsense uses v1.1.2. Perhaps some more experienced pfsensers could advise on this.

      I understand your needs to make changes, I currently use local user manager with captive portal, so every aspect of my hotspot is manual, which is why I began a few days ago setting up an external radius server, which is a nightmare if you've never used radius before, like me  ::) BUT I'm slowly getting there with help from RTFM and freeradius-users mailing list.  ;D

      Regards

        hoba

        That's correct, a reboot or a simple save in the pfSense webgui at the radius pages will recreate all the config files from scratch and revert anything that you might have manually entered there.

        You probably could use the xmlrpc procedures used when syncing configurations in a clustered install to add users to the config.xml.

          marcoof

          Thank you for your reply.

          Yes, it's for the captive portal authentication!
          Why do it? Because I don't want to give non-technical users direct access to the firewall.

          I have made the software, which downloads the config.xml and reads, modifies or creates radius users.
          It sends back the modified config.xml.
          I know it's not a good solution (I'd prefer to edit /usr/local/etc/raddb/users).
          If I reboot pfSense, my changes are applied and it's OK.
          What I want to do now is find out how to apply the changes without rebooting (like when we create users with the freeradius interface).

          Does anyone have any idea?

            hoba

            pfSense 1.3 will have a user manager where you can exclude GUI pages for special users. This way you could create users that can work only on the freeradius pages, for example, if that would help you.

              marcoof

              Hoba!

              Yes, it will be a great feature!

              But at this time I need to do it and have squid working.
              I use 1.2 RC2, which seems to work well with squid.

              Marc

                Slam

                @marcoof:

                What I want to do now is find out how to apply the changes without rebooting (like when we create users with the freeradius interface).

                Does anyone have any idea?

                /usr/local/etc/rc.d/rc.radiusd stop && /usr/local/etc/rc.d/rc.radiusd start
                

                … or whatever the radiusd startup script is called.

                You could possibly just do a restart instead of the stop and start. Sorry, I don't have radius installed on my pfs box, so you'd have to look into the script itself to see if it has the restart option and whether it picks up your changes fully.

                  marcoof

                  I'm back!

                  Thank you for your help!

                  Finally the software works.
                  It can connect to pfSense, download the config.xml and the users for radius, and edit them.
                  When we have finished editing the users, it sends them back to pfSense, kills radius and starts it again.
                  It can halt or restart the box, and I have a system setting for pfSense (IP, port, login, password).
                  I can now edit the captive portal users without logging into pfSense :-)
                  I'm going to add a 'who is online' function.
                  Suggestions are welcome!
                  Marc
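
Slam's warning earlier in the thread that editing config.xml directly is risky applies to the download, edit and upload round trip described above. As an added example (not marcoof's tool and not pfSense code), this check rejects an edited config.xml unless it is well-formed and differs from the downloaded copy only inside the FreeRADIUS section; the element path and the sample documents are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the FreeRADIUS package keeps its users under this path in
# config.xml. Set it to the one section the tool is allowed to edit.
ALLOWED = "pfsense/installedpackages/freeradius"

def _flatten(elem, path, out):
    """Record text and attributes of every element, keyed by an indexed path."""
    out[path] = ((elem.text or "").strip(), tuple(sorted(elem.attrib.items())))
    seen = {}
    for child in elem:
        idx = seen.get(child.tag, 0)  # index per tag, so added siblings don't shift others
        seen[child.tag] = idx + 1
        _flatten(child, f"{path}/{child.tag}[{idx}]", out)

def changes_outside_allowed(original_xml, edited_xml, allowed=ALLOWED):
    """Return the sorted paths that differ outside the allowed subtree.
    Raises ET.ParseError if either document is not well-formed XML."""
    before, after = {}, {}
    for xml_text, out in ((original_xml, before), (edited_xml, after)):
        root = ET.fromstring(xml_text)
        _flatten(root, root.tag, out)
    offending = []
    for path in sorted(set(before) | set(after)):
        if before.get(path) == after.get(path):
            continue
        plain = re.sub(r"\[\d+\]", "", path)  # drop indices for the prefix test
        if plain != allowed and not plain.startswith(allowed + "/"):
            offending.append(path)
    return offending

# Constructed sample documents, not taken from a real firewall.
ORIGINAL = """<pfsense>
  <system><hostname>fw</hostname></system>
  <installedpackages>
    <freeradius><config><username>alice</username></config></freeradius>
  </installedpackages>
</pfsense>"""
GOOD_EDIT = ORIGINAL.replace(
    "</freeradius>", "<config><username>bob</username></config></freeradius>")
BAD_EDIT = GOOD_EDIT.replace("<hostname>fw</hostname>", "<hostname>changed</hostname>")
TRUNCATED = ORIGINAL[:-10]  # closing </pfsense> lost, e.g. an interrupted transfer

if __name__ == "__main__":
    print(changes_outside_allowed(ORIGINAL, GOOD_EDIT))
    print(changes_outside_allowed(ORIGINAL, BAD_EDIT))
```

Upload only when the returned list is empty and no parse error was raised, and keep the downloaded original as a backup until the restarted radiusd has been checked.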

                    hoba

                    Nice! I guess the community would love if you made this available to the public  ;)

                      hal1613

                      Marc,

                      Very nice work on the utility - could you post the user utility for freeradius so we can try it?

                      Thanks

                      Hal

                        marcoof

                        Hi again!

                        Nice! I guess the community would love if you made this available to the public

                        Yes, I'll test a little bit more and I'll send a link to the files in one week.
                        Marc

                          David_W

                          I maintain the FreeRADIUS 1.x and 2.x ports for FreeBSD, and I'm a pfSense user, so I try to respond to the FreeRADIUS threads when I notice them.

                          @Slam:

                          /usr/local/etc/rc.d/rc.radiusd stop && /usr/local/etc/rc.d/rc.radiusd start
                          

                          … or whatever the radiusd startup script is called.

                          You could possibly just do a restart instead of the stop and start. Sorry, I don't have radius installed on my pfs box, so you'd have to look into the script itself to see if it has the restart option and whether it picks up your changes fully.

                          That should be:

                          /usr/local/etc/rc.d/radiusd restart
                          

                          FreeRADIUS 1.x doesn't support HUP - almost certainly it will end messily. There's limited support for HUP in FreeRADIUS 2.x (if I remember rightly, you can change the users file and HUP, but changes to most other parts of the configuration still require a restart), which is now available in FreeBSD ports as the net/freeradius2 port. Unfortunately I submitted the FreeRADIUS 2 port too late to make it into 6.3-RELEASE and 7.0-RELEASE.

                          If it would help anyone, I can probably build a FreeRADIUS 2 package for 6.3-RELEASE i386 and/or 7.0-RELEASE i386 thanks to VMware.

                          It may be possible to authenticate directly against the pfSense user database using rlm_perl or rlm_python (only available in 2.x unless you enable EXPERIMENTAL support). My perl skills are rather rudimentary at the moment - I do intend to improve my perl when I get the time.

                          David

                            marcoof

                            This is my first screenshot…
