NEW Package: freeRADIUS 2.x
-
Just remember - pfsense 2.1 is still development and not ready ;-)
Something I know all too well, but at least I'm getting to test it in the real world. I built a new system for a client, and didn't realize I couldn't use a Realtek 8111e on-board NIC with pfSense 2.0. Thankfully, all is working now knock on wood - if it seems stable, I might not touch it until the final comes out :D
-
All of the PBI bits should be there now, and the other bits as well, on files.pfsense.org.
https://github.com/bsdperimeter/pfsense-packages/commit/465839eb99cd094d6d7e5b7d76e82c432165a82b
Give things another test, see how they go.
-
Installation error
-
Odd for whatever reason amd64 picked up postgresql 9.x and i386 got 8.x.
Should be OK shortly. Give it ~20 min and reinstall.
-
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth. -
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth.Anyone testing the traffic limits?
-
Does PF 2.1 count or send the correct traffic data when using freeradius2 and captive portal ?
I would like to run a daily and or a monthly usage cap for users, with mac auth.Anyone testing the traffic limits?
Probably not because there was just the .PBI fpr pfsense 2.1 but not the GUI ready for that.
I made some changes on the freeradius.inc to make the package work for 2.1. There are probably some fixes to make but at first it should work and we can test if all the neccessary dependencies are available and working or not.Give the server some minutes to sync the code.
-
FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.
EDIT: i386 is up… amd64 is still building, I thought they had both finished.
-
FYI- a new PBI for FreeRADIUS2 just uploaded also, it should have the proper build options now. Due to a bug in the PBI build script it was missing the options for things like LDAP and such.
EDIT: i386 is up… amd64 is still building, I thought they had both finished.
Thanks for feedback. Cannot test from home because of a very bad and slow WLAn connectiong. Perhaps someone else can do this or I will try to find some time tomorrow.
Another question:
freeradius2 package contains a "mobile-one-time-password" feature. The script which realizes that is written in "bash". In the past I downloaded the bash package from the freebsd ftp server if someone wants to use mOTP. I would like to shrink the freeradius.inc so that I do not have to download bash because pfsense does not has bash by default - but pfsense can talk "shell" ;-)So if someone would like to help to improve this package - please feel free to translate the following script from "bash" to "shell":
#!/bin/bash # # Mobile One Time Passwords (Mobile-OTP) for Java 2 Micro Edition, J2ME # written by Matthias Straub, Heilbronn, Germany, 2003 # (c) 2003 by Matthias Straub # Modified 2012 by Alexander Wilke <nachtfalkeaw@web.de> # # Version 1.05a # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU Library General Public # License as published by the Free Software Foundation; either # version 2 of the License, or (at your option) any later version. # # This software is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Library General Public License for more details. # # arguments: \$1 \$2 \$3 \$4 \$5 # \$1 - username # \$2 - one-time-password that is to be checked # \$3 - init-secred from token (to init token: #**#) # \$4 - user PIN # \$5 - time difference between token and server in 10s of seconds (360 = 1 hour) # # one-time-password must match md5(EPOCHTIME+SECRET+PIN) # # # otpverify.sh version 1.04b, Feb. 2003 # otpverify.sh version 1.04c, Nov. 2008 # changed line 1 to ksh because of problems with todays bash an sh # otpverify.sh version 1.05a, Jan. 2011 # changed back to bash and added in shopts line to ensure aliases handled # correctly (bash is always available on any modern *nix unlike ksh) # PATH=\$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin   alias checksum=$varsettingsmotpchecksumtype   have_md5="true" # ensure aliases are expanded by bash shopt -s expand_aliases function chop { num=`echo -n "\$1" | wc -c | sed 's/ //g' ` nummin1=`expr \$num "-" 1` echo -n "\$1" | cut -b 1-\$nummin1 } if [ ! \$# -eq 5 ] ; then echo "USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset" logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - wrong syntax - USAGE: otpverify.sh Username, OTP, Init-Secret, PIN, Offset"; exit 14 fi mkdir /var/log/motp 2>/dev/null mkdir /var/log/motp/cache 2>/dev/null mkdir /var/log/motp/users 2>/dev/null chmod og-rxw /var/log/motp 2>/dev/null || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp"; exit 17; } chmod og-rxw /var/log/motp/cache chmod og-rxw /var/log/motp/users USERNAME=`echo -n "\$1" | sed 's/[^0-9a-zA-Z._-]/X/g' ` PASSWD=`echo -n "\$2" | sed 's/[^0-9a-f]/0/g' ` SECRET=`echo -n "\$3" | sed 's/[^0-9a-f]/0/g' ` PIN=`echo -n "\$4" | sed 's/[^0-9]/0/g' ` OFFSET=`echo -n "\$5" | sed 's/[^0-9]/0/g' ` EPOCHTIME=`date +%s` ; EPOCHTIME=`chop \$EPOCHTIME` # delete old logins find /var/log/motp/cache -type f -cmin +$varsettingsmotpdeleteoldpasswords | xargs rm 2>/dev/null if [ -e "/var/log/motp/cache/\$PASSWD" ]; then echo "FAIL" logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password \$PASSWD is already used!" exit 15 fi # account locked? if [ "`cat /var/log/motp/users/\$USERNAME 2>/dev/null`" == "$varsettingsmotppasswordattempts" ]; then echo "FAIL" logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Too many wrong password attempts. User is locked! To unlock delete /var/log/motp/users/\$USERNAME" exit 13 fi I=0 EPOCHTIME=`expr \$EPOCHTIME - $varsettingsmotptimespan` EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET` while [ \$I -lt $varsettingsmotptimespanbeforeafter ] ; do # `$varsettingsmotptimespan * 10` seconds before and after OTP=`printf \$EPOCHTIME\$SECRET\$PIN|checksum|cut -b $varsettingsmotptokenlength` if [ "\$OTP" = "\$PASSWD" ] ; then touch /var/log/motp/cache/\$OTP || { echo "FAIL! Need write-access to /var/log/motp";logger -f /var/log/system.log "FreeRADIUS: Mobile-One-Time-Password - need write-access to /var/log/motp/cache"; exit 17; } echo "ACCEPT" logger -f /var/log/system.log "FreeRADIUS: Authentication success! Mobile-One-Time-Password \$PASSWD for user \$USERNAME is correct!" rm "/var/log/motp/users/\$USERNAME" 2>/dev/null exit 0 fi I=`expr \$I + 1` EPOCHTIME=`expr \$EPOCHTIME + 1` done echo "FAIL" NUMFAILS=`cat "/var/log/motp/users/\$USERNAME" 2>/dev/null` if [ "\$NUMFAILS" = "" ]; then NUMFAILS=0 fi NUMFAILS=`expr \$NUMFAILS + 1` echo \$NUMFAILS > "/var/log/motp/users/\$USERNAME" NUMFAILSLEFT=`expr $varsettingsmotppasswordattempts - \$NUMFAILS` logger -f /var/log/system.log "FreeRADIUS: Authentication failed! Mobile-One-Time-Password incorrect. \$NUMFAILSLEFT attempts left. " exit 11</nachtfalkeaw@web.de> -
For now if you want to, just add a build_port_path for shells/bash and then eventually when the PBI pops out it can be included.
If someone can rewrite that to a basic shell script then we can eventually remove that dependency.
-
It has changed on pbis, but still have something to do:
previous version was using cyrrus-sasl, did you compiled with krb5 on this version?
libkrb5.so is missing for rlm_krb5 but not for libgssapi_krb5.so/usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/rlm_krb5.so:
libfreeradius-radius-2.1.12.so => /usr/pbi/freeradius-amd64/lib/freeradius-2.1.12/libfreeradius-radius-2.1.12.so (0x800c00000)
libkrb5.so => not found (0x0)
libcom_err.so => /usr/lib/libcom_err.so (0x800d21000)
libk5crypto.so => not found (0x0)
libthr.so.3 => /lib/libthr.so.3 (0x800e23000)
libc.so.7 => /lib/libc.so.7 (0x800646000)/usr/pbi/freeradius-amd64/lib/libgssapi_krb5.so:
libkrb5.so => /usr/pbi/freeradius-amd64/lib/libkrb5.so (0x800c00000)
libk5crypto.so => /usr/pbi/freeradius-amd64/lib/libk5crypto.so (0x800dce000)
libcom_err.so => /usr/lib/libcom_err.so (0x800ef8000)
libkrb5support.so => /usr/pbi/freeradius-amd64/lib/libkrb5support.so (0x800ffa000)
libc.so.7 => /lib/libc.so.7 (0x800646000)Is that the very latest PBI from a couple hours ago?
It should be compiled with whatever options were set in build_options - if those aren't right, feel free to adjust them.
That Kerberos library file is in the base system but it can also come from the krb5 port or the heimdal port.
If needed I can get the libraries and put them in a tgz on files.pfsense.org but I'd really like to avoid that if possible, these kinds of things should (in theory anyhow) be handled by port dependencies…
-
hmpf :(
I have a problem with my constant…it's not working.
define('USRLOCAL', '/usr/local');USRLOCAL is not resolved in the rest of the config files (radiusd.conf, radiusd.sh)
Could there be only one constant in a php file !?
Or should the maintainer just improve his php skills ;) -
It should be compiled with whatever options were set in build_options - if those aren't right, feel free to adjust them.
That Kerberos library file is in the base system but it can also come from the krb5 port or the heimdal port.That's the point. On November 01, 2011 while I was trying to compile postfix to use sasl, I thought it was a compile arg missing but ermal replied this:
@ermal:
That's missing dependency of the package i think or missing libraries in base of pfSense.
It is not a missing compile flag of the package itself.Just general comment here while i saw this though.
After this, I've copied missing libs for saslpasswd2 from freebsd base system and it started working.
-
That makes me wonder if I might need to expose a couple more PBI build options. See there are two things you can do with a PBI besides the main package build that are better for dependencies, you can set a port to build before the main build or a port to build after.
So maybe if I add krb5 to the "before" list it might work. I'll do some experiments and see what happens, assuming I get time today.
-
So maybe if I add krb5 to the "before" list it might work. I'll do some experiments and see what happens, assuming I get time today.
Thank's for your help Jimp. :)
krb5 has a lot of dependencies while heimdal is almost native for freebsd, maybe changing it to heimdal could result in a smaller pbi.
-
Might be a better way, that's what I'll try first.
Sneaking WITHOUT_X11 into the PBI config also saves a bit. The PBI for mtr went from 60MB to 44K in a test build :-) (doesn't apply to all ports though, of course…)
FYI- check my reply in the 2.1 package testing thread for info about Dansguardian
-
For an update on the library issue, see my post here: http://forum.pfsense.org/index.php/topic,50603.0.html
-
Ok, as far as I can say that at the moment:
freeradius2 should work with basic authentication methods on pfsense 2.1 and 2.0.x
But probably it is best to test on a test machine and make sure that all features will work. what you need to test is mysql, postgresql and LDAP functionality. Because of the new package dependencies in the new .PBI packages there could be some files missing. I do not have any possibility to check with SQL or LDAP.So please do not update at the moment if you have a running freeradius2 package on any pfsense 2.0.x machine. There are no new features or bugfixes. The changes we made are only for compatibility with pfsense 2.1.
Thanks for your feedback!
-
Error in otpverify.sh script:
In code :
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6Should be:
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6 -
@Als:
Error in otpverify.sh script:
In code :
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 6Should be:
OTP=printf $EPOCHTIME$SECRET$PIN|checksum|cut -b 1-6I think you mean line 3925 here:
https://github.com/bsdperimeter/pfsense-packages/blob/master/config/freeradius2/freeradius.incThe GUI says it with an example: You have to enter the range like:
1-6
3-9
3-5
7-10If you just enter one number it will not work - of course.
