NEW Package: freeRADIUS 2.x

skoenman

Hey guys having a funny issue…with freeradius . It doesn't want to seem to start the freeradius daemon?

marcelloc

Hey guys having a funny issue…with freeradius . It doesn't want to seem to start the freeradius daemon?

What you got on log files?

skoenman

Apr 19 06:33:17 check_reload_status: Reloading filter
Apr 19 07:42:06 check_reload_status: Syncing firewall
Apr 19 07:42:06 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 19 07:42:06 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Apr 19 07:42:09 radiusd[15668]: rlm_sql_mysql: Starting connect to MySQL server for #0
Apr 19 07:42:09 radiusd[15668]: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
Apr 19 07:42:09 radiusd[15668]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Failed to connect DB handle #0
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Apr 19 07:42:09 radiusd[15668]: Failed to load clients from SQL.
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Closing sqlsocket 4
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Closing sqlsocket 3
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Closing sqlsocket 2
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Closing sqlsocket 1
Apr 19 07:42:09 radiusd[15668]: rlm_sql (sql): Closing sqlsocket 0
Apr 19 07:42:09 radiusd[15668]: /usr/pbi/freeradius-i386/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
Apr 19 07:42:09 radiusd[15668]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to find "sql" in the "modules" section.
Apr 19 07:42:09 radiusd[15668]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
Apr 19 07:42:09 radiusd[15668]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Apr 19 07:42:09 radiusd[15668]: Failed to load virtual server <default>Apr 19 07:42:23 check_reload_status: Syncing firewall
Apr 19 07:42:23 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 19 07:42:23 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Apr 19 07:42:25 radiusd[23860]: rlm_sql_mysql: Starting connect to MySQL server for #0
Apr 19 07:42:25 radiusd[23860]: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
Apr 19 07:42:25 radiusd[23860]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Failed to connect DB handle #0
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Apr 19 07:42:25 radiusd[23860]: Failed to load clients from SQL.
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Closing sqlsocket 4
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Closing sqlsocket 3
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Closing sqlsocket 2
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Closing sqlsocket 1
Apr 19 07:42:25 radiusd[23860]: rlm_sql (sql): Closing sqlsocket 0
Apr 19 07:42:25 radiusd[23860]: /usr/pbi/freeradius-i386/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
Apr 19 07:42:25 radiusd[23860]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to find "sql" in the "modules" section.
Apr 19 07:42:25 radiusd[23860]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
Apr 19 07:42:25 radiusd[23860]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Apr 19 07:42:25 radiusd[23860]: Failed to load virtual server <default>Apr 19 13:16:40 php: /diag_logs.php: Session timed out for user 'admin' from: 172.22.2.170
Apr 20 03:24:36 dhclient: RENEW
Apr 20 03:24:36 dhclient: Creating resolv.conf

thats the log..im running version 2.1 of the pfsense but it doesnt start in the older version either. I dont have the captive portal active but im trying to activate sql.</default></default>

Nachtfalke

@skoenman

When using MySQL with freeradius then you need an SQL server somewhere. FR2 does not have any - it just connects to a SQL server.

Further there is a problem that the configuration is working fpr freeradius 2.1.12 which installs on pfsense 2.0.x.
On pfsense 2.1 the developers updated the package to version 2.2.0. But this version is not represented in the freeradius.inc file. I posted this twice on the mailing list but the did not update the "old" version to 2.2.0, too.

But this could be probably easily fix. Modify:

/usr/local/pkg/freeradius.inc

On lines 83 and 217.

Replace

freeradius-2.1.12

with

freeradius-2.2.0

Then restarting freeradius could do the trick and if it does not then restarting pfsense will do it.

marcelloc

I've also pushed a fix to check installed freeradius lib version. This may reduce config errors.

Nachtfalke

@Nachtfalke:

Updates pkg v1.6.7:

Added: Possibility to use pfsense's Certificate Revocation List (CRL) with freeradius. Thank you to marcelloc for the code contribution. I really appreciate that and this was I feature I would like to add a long time ago but never was able to code it.

Added: Check if freeradius version 2.1.12 is used or 2.2.0. Thanks again to marcelloc.

Removed: Unneeded possibility to export Client.p12 file from FR2 - EAP GUI. This can be done much more comfortable from pfsense Cert Manager.

Known bugs:

When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164

When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155

When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143

skoenman

how fast will that update show in the snapshot???i see its in the github ??

marcelloc

@skoenman:

how fast will that update show in the snapshot???i see its in the github ??

The code is already pushed, just reinstall the package to get these fixes.

skoenman

eish dont know if im doing something wrong but it looks a bit better but still no sql…I do see its still trying to connect to localhost even that I set it to ip of sql server.

Apr 20 20:45:37 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 20 20:45:37 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Starting connect to MySQL server for #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Failed to connect DB handle #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Apr 20 20:45:39 radiusd[21851]: Failed to load clients from SQL.
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 4
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 3
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 2
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 1
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 0
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to find "sql" in the "modules" section.
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Apr 20 20:45:39 radiusd[21851]: Failed to load virtual server <default></default>

Nachtfalke

@skoenman
there was a small typo in the freeradius.inc file. Try to reinstall the package and please try again.

athurdent

I have successfully setup WPA2 Enterprise with EAP-TLS. Is there a way to create a user, that is not allowed to login with a password? I just want to use certificates and I have noticed that I can login (via MSCHAPv2 I guess) without certificates by just providing the user/password combo I created. Leaving the password entry empty allows the user to login without any password, so that is not an option.
For a test, I removed "Cleartext-Password :=" leaving just the username in the file "users". That seems to prevent the user from logging in with an empty password while still allowing login using certificates.
Is there a more elegant way to do this? Don't know if it is a supported option to just put a user in "users" without any option afterwards. But if it was, could it be made an option in the in users sections of the freeradius2 package?

Nachtfalke

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration

Try with the docs. Disable weak EAP types. enable check cert user.

athurdent

@Nachtfalke:

http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration

Try with the docs. Disable weak EAP types. enable check cert user.

Thanks for the quick answer, I used the wiki for my initial setup some time ago.
I'm sorry if I overlooked something, but I cannot find "check cert user", do you mean "Check Client Certificate CN"? That is already checked.
I found out that I can delete the user completely and still login via EAP-TLS when no user is defined. It seems any certificate issued by the pfSense internal CA is vaild for login now, even though I selected a specific cert in "CERTIFICATES FOR TLS" for "SSL Client Certificate". Cannot find any reference to that cert in eap.conf, though. Where would that client cert be found?
Here are my settings:

Screenshot_1.png_thumb

Screenshot_2.png_thumb

Screenshot_3.png_thumb

Screenshot_4.png_thumb

Nachtfalke

@athurdent
I just posted the docs to make sure you found the information there.

In general EAP-TLS works without username and password. If the client has a valid client certificate which matches the CA on the freeradius server then the authentication will work.

If you enable "Check Client Certificate CN" then the common name of the client certificate must match the username (and password) in the users file. If you disable "Check Client Certificate CN" then the users file will not be checked.

On the GUI screenshots you posted there is something which shouldn't be there and confuses people in the past. I updated that yesterday and forget something which I removed right now. Reinstall the packages "GUI" and it will remove useless "SSL Client Certificate". (This was a kind of export feature which is useless and can be done from SYSTEM –> Cert Manager --> Certificate --> Download .p12)

The only certificates you need to enter on the freeradius GUI is the CA and the server certificate. Client certificate must be copied to your WLAN client. Perhaps try with a new client certificate and remove the old one from your machine or create a complete new CA and server certificate and client certificate.

If you like to read more about "Check Client Certificate CN" then google for "check_cert_cn" which is the configuration line on freeradius eap.conf file. I do not find to much on the web.

Hope this will help you!

skoenman

Guys got the freeradius to run…now i added a user with password but it wasnt addded to the db what could be the problem???sql db???it doesnt give any errors in the logs and connects fine...does pfsense update the username and password into the db and if so how often???

edit i have whmcs creating the username and password but need to import it into pfsense???

Nachtfalke

@skoenman:

Guys got the freeradius to run…now i added a user with password but it wasnt addded to the db what could be the problem???sql db???it doesnt give any errors in the logs and connects fine...does pfsense update the username and password into the db and if so how often???

edit i have whmcs creating the username and password but need to import it into pfsense???

Hi,
nice to hear that it is running now.

If you are using mysql as database for authentication then you need to put the usernames and passwords into the mysql database. Do this with phpmyadmin or something else.
If you add a user on "FreeRADIUS –> Users" then the users will not be stored on the database they will be stored in the local users file.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL

skoenman

so at this stage theres no way to sync local db to mysql db???

Nachtfalke

@skoenman:

so at this stage theres no way to sync local db to mysql db???

No, that's not the intention.

If you want to use redundancy then you must use 2 SQL databases and use the loadbalance functions.

athurdent

@Nachtfalke:

If you enable "Check Client Certificate CN" then the common name of the client certificate must match the username (and password) in the users file. If you disable "Check Client Certificate CN" then the users file will not be checked.

Thanks for the quick answer and fixing the package!
Regarding "check_cert_cn": I think the client certificate CN only has to match the username you send in your radius request, the users file does not seem to be parsed at all. Like I said, I currently have an empty users file, have enabled "Check Client Certificate CN" and I can login with my wlan cert.
Post no 2 in this link seems to confirm this:
http://www.linuxhorizon.com/1-unix/30bd220de93c4195.htm

If you think that is correct and not just specific to my setup, maybe the wiki entry for EAP-TLS should be flagged with a warning that adding a user and password to "users" also allows logins without cert and just username/password?

Anyway, many thanks again, I am happy with my setup now as no one is allowed to login via username/password. And if a cert needs to be blocked, I just revoke it using that nice new CRL option ;)

Nachtfalke

@athurdent
What you say seems to be correct. In general you just allow authentication methods on the server configuration which you really want to use. The package ist not as flexible as a config file which you can edit with a text editor.

So if you mix authentication methods like some clients should use EAP-TLS, others just username/password, this could have unwanted side effects.

Perhaps this could be something for the future freeradius packages :-)