NEW Package: freeRADIUS 2.x

oragon

newbie question. i have reinstalled my pfsense 2.0.1 for 3 times but i don't see the freeradius 2.x as my available package. please advise on how i could have it. thanks for the reply

marcelloc

you have nano or full install????

Nachtfalke

In general freeradius2 package is available for i386/amd64 installations using pfsense version 2.x
Full installation on HDD is supported and it should run on nanobsd installations, too.

Not sure, why it will not be displayed on you installation but you can try this:
1.) login on pfsense
2.) access this URL: http://your_pfsense_IP/pkg_mgr_install.php?id=freeradius2

z3r0tech

@Nachtfalke:

In general freeradius2 package is available for i386/amd64 installations using pfsense version 2.x
Full installation on HDD is supported and it should run on nanobsd installations, too.

Not sure, why it will not be displayed on you installation but you can try this:
1.) login on pfsense
2.) access this URL: http://your_pfsense_IP/pkg_mgr_install.php?id=freeradius2

this is my pfsense:

2.0.1-RELEASE (i386)
built on Mon Dec 12 17:53:52 EST 2011
FreeBSD 8.1-RELEASE-p6

You are on the latest version.

im using the http://mirror.optus.net/pub/pfSense/downloads/pfSense-2.0.1-RELEASE-i386.iso.gz
installed everything on my hdd using vmware workstation 8
installed lusca and squidguard without problems…

i have the same problem it does not show on available packages
here's the error on console when i try pkg_add -r freeradius2
and manual adding it on the pfsense webgui

is there a way i can fetch it or modify the repo links or xml? how?
or how can i install it manually or add it on the available package list?

![console freeradius2.jpg](/public/imported_attachments/1/console freeradius2.jpg)
![console freeradius2.jpg_thumb](/public/imported_attachments/1/console freeradius2.jpg_thumb)

Nachtfalke

I have some different VMs with 2.0.1 x86/x64 installs and pfsense 2.1 installs.
I can install the package on all machines from the GUI.

The parameter which indicates the version is the same as for lets say squid2 or squidguard:


<required_version>2.0</required_version>

But I am not sure where the check is for the different installation types like CD, nanobsd and embedded :(

Can you try another .iso image from another mirror ?

z3r0tech

@Nachtfalke:

I have some different VMs with 2.0.1 x86/x64 installs and pfsense 2.1 installs.
I can install the package on all machines from the GUI.

The parameter which indicates the version is the same as for lets say squid2 or squidguard:
<required_version>2.0</required_version>
But I am not sure where the check is for the different installation types like CD, nanobsd and embedded :(

Can you try another .iso image from another mirror ?

the url is invalid i found it here https://redmine.pfsense.org/issues/2075
https://redmine.pfsense.org/projects/pfsense/repository/revisions/c70452506a0ab84a9d72547656b516f6e61578da
i don't know how to apply the diff this is the fix…

Nachtfalke

That's not the problem why you do not get freeradius in packagemanager GUI.

If you want to use pkg_add -r then just use the complete path to pfsense server.

x86:
pkg_add -r http://files.pfsense.org/packages/8/All/freeradius-2.1.12_1.tbz

x64:
pkg_add -r http://files.pfsense.org/packages/amd64/8/All/freeradius-2.1.12_1.tbz

z3r0tech

@Nachtfalke:

That's not the problem why you do not get freeradius in packagemanager GUI.

If you want to use pkg_add -r then just use the complete path to pfsense server.

x86:
pkg_add -r http://files.pfsense.org/packages/8/All/freeradius-2.1.12_1.tbz

x64:
pkg_add -r http://files.pfsense.org/packages/amd64/8/All/freeradius-2.1.12_1.tbz

thanks! it's working now…

i tried this post to install the gui: http://forum.pfsense.org/index.php?topic=50572.0
Fatal error: Call to undefined function freeradius_install_command() in /usr/local/www/exec.php(244) : eval()'d code on line 9

any solutions?

basterik

hi all! culd any one help me to config xmlrpc sync? i print gui ip adress, password, but sync does't done

stupots

Hello,

Just tried this package for the first time today and it's great! There's just one minor problem that I would need to solve before I could use this in production. Unfortunately, I'm not a programmer, so wouldn't know where to begin…

What I would like is to have a check box that lets me enter the plaintext password for the user, but encrypts it in the /usr/local/etc/raddb/users file because otherwise any admin can view the plaintext password. To get around this on my existing Linux FreeRADIUS server, I have a small perl script as follows:

#! /usr/bin/perl -w
use strict;
use Digest::MD5;
use MIME::Base64;
unless($ARGV[0]){
 print "Please supply a password to create a MD5 hash from.\n";
 exit;
}
my $ctx = Digest::MD5->new;
$ctx->add($ARGV[0]);
print encode_base64($ctx->digest,'')."\n";

So, at the command line, to generate the MD5 password hash:

radius:~ # /root/md5pass.pl <chosen password="">
X03MO1qnZdYdgyfeuILPmQ==</chosen>

Then to use this in my users file I would use the following:

"stuart"   MD5-Password := "X03MO1qnZdYdgyfeuILPmQ=="

Anyone have any thoughts on this?

Thanks,
Stuart

z3r0tech

i found out the solution…

ok to everyone that has no freeradius2 on their package list here's the simple fix...
execute this > ./package.sh off

Nachtfalke

@basterik:

hi all! culd any one help me to config xmlrpc sync? i print gui ip adress, password, but sync does't done

Could you please explain more in detail whats your problem ?

You have freeradius-server-A and freeradius-server-B
You want to sync from A to B
On A Enable "Automatically sync freeRADIUS configuration changes?"
On A enter the protocol, the IP, the port of B
Enable the "Enable" checkbox in front of this line.
Save

That's it.

Nachtfalke

@stupots:

Hello,

Just tried this package for the first time today and it's great! There's just one minor problem that I would need to solve before I could use this in production. Unfortunately, I'm not a programmer, so wouldn't know where to begin…

What I would like is to have a check box that lets me enter the plaintext password for the user, but encrypts it in the /usr/local/etc/raddb/users file because otherwise any admin can view the plaintext password. To get around this on my existing Linux FreeRADIUS server, I have a small perl script as follows:
#! /usr/bin/perl -w
use strict;
use Digest::MD5;
use MIME::Base64;
unless($ARGV[0]){
 print "Please supply a password to create a MD5 hash from.\n";
 exit;
}
my $ctx = Digest::MD5->new;
$ctx->add($ARGV[0]);
print encode_base64($ctx->digest,'')."\n";
So, at the command line, to generate the MD5 password hash:
radius:~ # /root/md5pass.pl <chosen password="">
X03MO1qnZdYdgyfeuILPmQ==</chosen>
Then to use this in my users file I would use the following:
"stuart"   MD5-Password := "X03MO1qnZdYdgyfeuILPmQ=="
Anyone have any thoughts on this?

Thanks,
Stuart

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

freeradius.inc.txt
freeradius.xml.txt

Nachtfalke

@z3r0tech:

i found out the solution…

ok to everyone that has no freeradius2 on their package list here's the simple fix...
execute this > ./package.sh off

Thank you for your feedback. It would be interesting why this is needed on some .iso images and not on others.
But it is nice to hear that it is working for you now :)

basterik

@Nachtfalke:

Could you please explain more in detail whats your problem ?

You have freeradius-server-A and freeradius-server-B
You want to sync from A to B
On A Enable "Automatically sync freeRADIUS configuration changes?"
On A enter the protocol, the IP, the port of B
Enable the "Enable" checkbox in front of this line.
Save

That's it.

yes, i do all this step and allow all trafic in firewall rule, but server don't sync, in log type:

nov 13 09:42:11 php: /pkg.php: FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout seconds.
nov 13 09:42:11 php: /pkg.php: FreeRADIUS: XMLRPC Sync with x.x.x.x has incomplete credentials. No XMLRPC Sync done!
nov 13 09:42:11 php: /pkg.php: FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync).

Nachtfalke

XMLRPC Sync with x.x.x.x has incomplete credentials

Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.

stupots

Hi,

Thanks for your very speedy reply. I'll try the attached files later today.

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

For info, I implemented strong passwords on my Linux FreeRADIUS server based on info I found here:

http://www.packtpub.com/article/freeradius-authentication-storing-passwords

To be honest, it doesn't need to be an MD5 password but that's just the first thing I tried that worked. I was in a hurry yesterday when I posted - what I meant by "check box" was in the user creation tab, have a check box marked "encrypt password" and if selected, hash using MD5 or some other workable way.

If MD5 is the preferred option, then here are some sample hashes for you:

radius:~ # ./md5pass.pl hello
XUFAKrxLKna5cZ2REBfFkg==
radius:~ # ./md5pass.pl pfsense
OktMTd5JTSzsPg6mjkN+Fw==
radius:~ # ./md5pass.pl qwertyuiop
buqbfvGReaBpVO3Q9sBc6w==

Thanks,
Stuart

basterik

@Nachtfalke:

XMLRPC Sync with x.x.x.x has incomplete credentials
Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.

i using this config and i set admin password "123456", but server don't sync, I can't mistake, I set firewall that he logging packets between server, but I do not see any packet

Nachtfalke

@basterik:

@Nachtfalke:
XMLRPC Sync with x.x.x.x has incomplete credentials
Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.
i using this config and i set admin password "123456", but server don't sync, I can't mistake, I set firewall that he logging packets between server, but I do not see any packet

Strange. Are both systems using the same protocol and the same port ?
Can you try to set both to http and port 80.

But in general it works for me with different ports and protocols and some other users are using this, too.

Nachtfalke

@stupots:

Hi,

Thanks for your very speedy reply. I'll try the attached files later today.

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

For info, I implemented strong passwords on my Linux FreeRADIUS server based on info I found here:

http://www.packtpub.com/article/freeradius-authentication-storing-passwords

To be honest, it doesn't need to be an MD5 password but that's just the first thing I tried that worked. I was in a hurry yesterday when I posted - what I meant by "check box" was in the user creation tab, have a check box marked "encrypt password" and if selected, hash using MD5 or some other workable way.

If MD5 is the preferred option, then here are some sample hashes for you:
radius:~ # ./md5pass.pl hello
XUFAKrxLKna5cZ2REBfFkg==
radius:~ # ./md5pass.pl pfsense
OktMTd5JTSzsPg6mjkN+Fw==
radius:~ # ./md5pass.pl qwertyuiop
buqbfvGReaBpVO3Q9sBc6w==
Thanks,
Stuart

Hi Stuart,

I think I got it. Then enconding in php is different than in perl but this hint gave me the reason:

If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16\.

I attached the new freeradius.inc file. Try it again with that file, check if the passwords/hashes are correct and please try if it is really working/authentication.

freeradius.inc.txt