Unable to authenticate even using radtest using freeRADIUS

Snailkhan

hi
i am on 2.2.5
installed freeradius
tried to configure it using below article

http://hubpages.com/technology/How-to-Set-Up-a-Radius-Server-on-pfSense-Using-the-FreeRadius-Package

as i wanted to use it with my ddwrt router but it didnt worked.

so i wanted to follow below to do a test if its working locally on pfsense but it isnt .

Testing the Service With Radtest

The radius package includes a utility called Radtest which can be used to test the service to determine if it is working correctly.

Radtest is handy because it allows you to determine if authentication is working before you reconfigure any devices on the network.

Steps for running the test

Add an interface with the IP address of 127.0.0.1.
Set the interface type to 'Auth' , use the default port (1812).
Add a client/NAS with the IP of 127.0.0.1 and the shared secret 'test'.
Create a test user account on the users tab.
Log into pfSense via SSH or use the command prompt feature in the diagnostics menu.
Run the command below, replacing <username>, and <password>with the credentials you assigned.
radtest <username><password>127.0.0.1:1812 0 test

If the test is successful you should see the message "rad_recv: Access-Accept".</password></username></password></username>

using the test i get below message

[2.2.5-RELEASE][admin@sed.local]/root: radtest test testpw 127.0.0.1:1812 0 test
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "testpw"
NAS-IP-Address = 192.168.4.10
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "testpw"
NAS-IP-Address = 192.168.4.10
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Request of id 250 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "testpw"
NAS-IP-Address = 192.168.4.10
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
radclient: no response from server for ID 250 socket 3

i see below logs in system log

Nov 23 00:36:16 radiusd[70734]: Failed to load virtual server <default>Nov 23 00:36:16 radiusd[70734]: /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Nov 23 00:36:16 radiusd[70734]: /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Nov 23 00:36:16 radiusd[70734]: /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Nov 23 00:36:16 radiusd[70734]: rlm_eap: Failed to initialize type tls
Nov 23 00:36:16 radiusd[70734]: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
Nov 23 00:36:16 radiusd[70734]: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
Nov 23 00:35:46 radiusd[52602]: Failed to load virtual server<default></default></default>

also the service for freeradius is down and cannot start it

and when i do
radiusd -X

it shows a long list of text and there i see something strange

}
radiusd: #### Loading Virtual Servers ####
server { # from file ▒濿A
modules {
Module: Creating Auth-Type = MOTP
Module: Creating Auth-Type = digest
Module: Creating Autz-Type = Status-Server
Module: Creating Acct-Type = Status-Server
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {…} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}

Snailkhan

after a lot of searching found this thread

https://forum.pfsense.org/index.php?topic=86158.msg573823#msg573823

i am quoting my reply from that quote here .
i also faced similar issue in freeradius2 installation and somehow managed to install it as mentioned below.
but i cannot start its service ..
when i check system logs i see below

Nov 23 23:06:43 root: /usr/pbi/freeradius-i386/local/etc/rc.d/radiusd: WARNING: run_rc_command: cannot run /usr/local/sbin/radiusd
Nov 23 23:05:58 root: /usr/pbi/freeradius-i386/local/etc/rc.d/radiusd: WARNING: run_rc_command: cannot run /usr/local/sbin/radiusd
Nov 23 23:05:32 check_reload_status: Reloading filter
Nov 23 23:05:30 php-fpm[85699]: /pkg_mgr_install.php: Successfully installed package: freeradius2.
Nov 23 23:05:30 check_reload_status: Syncing firewall
Nov 23 23:05:27 php-fpm[85699]: /pkg_mgr_install.php: FreeRADIUS: Creating backup of the original file to /usr/pbi/freeradius-i386/local/etc/raddb/files.backup
Nov 23 23:05:27 php-fpm[85699]: /pkg_mgr_install.php: FreeRADIUS: Creating backup of the original file to /usr/pbi/freeradius-i386/local/etc/raddb/policy.conf.backup
Nov 23 23:05:02 check_reload_status: Syncing firewall
Nov 23 23:04:57 php-fpm[85699]: /pkg_mgr_install.php: Beginning package installation for freeradius2 .

@bfeitell:

After banging on this for most of the day on a 4GB x86_64 nanobsd install I finally managed to get freeradius2 to install.

I manually deleted the prior bad remnants by deleting /usr/pbi/freeradius-amd64

Something is weird here because I had to manually dig down through the directory tree to delete everything.

I then deleted /usr/local/pkg/freeradius.xml (there was no freeradius.inc file after failed attempts to intall via GUI).

I then downloaded the latest platform specific freeradius package from https://files.pfsense.org/packages/10/All/ using fetch at the command line.

I then installed the package at the command line forcing a verbose install using (in my platform specific case) pbi_add -v -f freeradius-2.2.6_3-amd64.pbi

The install completed successfully, but the package did not appear as installed in the installed package GUI, or in the menus.

I then reinstalled the package from "available packages", and the missing bits all fell into place.

The odd bit for me is that I have freeradius installed on three other boxes I administer, one of which is completely identical, although all of them had the package installed several revisions ago with respect to both pfsense 2.2.

I hope this helps someone else.

Cheers,
Bennett

johnpoz

why would you follow some guide from 2012?? Installing the package is really click click..

Are you running a nano image??

Snailkhan

@johnpoz:

why would you follow some guide from 2012?? Installing the package is really click click..

Are you running a nano image??

i though someone would say "letmegoogleitforyou" so i did it myself and followed it after verifyign how packages are instaled on pfsense using command line . since it was official pbi file and using command line i though i would be able to see where it exactly gets stuck.. but using command line all was installed but couldnt start it..

now i switched the slice (since running nano bsd) and i am getting error as in original post . so far i tried reinstalling the package .. removing and installing again .. but no luck . duly rebooted after each step..

Nov 25 01:22:24 php-fpm[20556]: /index.php: Successful login for user 'admin' from: 192.168.4.123
Nov 25 01:22:24 php-fpm[20556]: /index.php: Successful login for user 'admin' from: 192.168.4.123
Nov 25 01:22:15 php-fpm[20556]: /index.php: webConfigurator authentication error for 'admin' from 192.168.4.123
Nov 25 01:22:15 php-fpm[20556]: /index.php: webConfigurator authentication error for 'admin' from 192.168.4.123
Nov 25 01:17:06 php-fpm[97165]: /rc.start_packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Nov 25 01:17:05 radiusd[16280]: Failed to load virtual server <default>Nov 25 01:17:05 radiusd[16280]: /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Nov 25 01:17:05 radiusd[16280]: /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Nov 25 01:17:05 radiusd[16280]: /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Nov 25 01:17:05 radiusd[16280]: rlm_eap: Failed to initialize type tls
Nov 25 01:17:05 radiusd[16280]: rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pem
Nov 25 01:17:05 radiusd[16280]: rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
Nov 25 01:17:05 php-fpm[97165]: /rc.start_packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Nov 25 01:17:04 php-fpm[97165]: /rc.start_packages: Restarting/Starting all packages.
Nov 25 01:17:03 check_reload_status: Reloading filter</default>

besides when i run radius -X
i get below errors

}
rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex: bad decrypt
rlm_eap_tls: Error reading private key file /usr/local/etc/raddb/certs/server.pe m
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "mo dules" section.
/usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate sec tion.

for above errors
i found this thread
https://forum.pfsense.org/index.php?topic=58901.0

where it mentions

From: http://freeradius.1045715.n5.nabble.com/trouble-seting-up-freeradius-td2768016.html
Straight answer: Password you put in the configuration file of eap.conf have to be same the as the password used to create the private key.

but i dont know what password is it being talked about ?
i did created a ca and i do not remember supplying password to it.

also what is the gibberish text in radiusd -X output

Snailkhan

i did factory default of pfsense and restored using the configuration file exported earlier via builtin backup/restore ..
but after restore same isssue .. as in just above update..

Please help

doktornotor

Stop restoring broken configuration, perhaps. There's no such nonsense needed to get FreeRADIUS working really. If you followed some god knows what 3+years old howto, simply restart from scratch.

Snailkhan

@doktornotor:

Stop restoring broken configuration, perhaps. There's no such nonsense needed to get FreeRADIUS working really. If you followed some god knows what 3+years old howto, simply restart from scratch.

i do not see that guide as invalid ..

so is there anyway to reset the configs of freeradius to default ?

doktornotor

Yeah. Edit the stuff out of config.xml backup and restore it.

johnpoz

What nano version do you have installed the 4GB one?

If freerad doesn't start its never going to work.. Really all you should have to do is click click to install the package.. I would have to fire up a copy of the nanobsd image to see if that has issues with installing the package? If I get a chance to convert it to a vmdk I will boot it on my vm host and see if installs the package ok, etc.

johnpoz

Ok, so I converted the img to vmdk, created a 64bit freebsd vm.. Added the disk, booted.. Ran through the config wizard. Click Click on the freerad2 package.. Created an interface, bing bang zoom up and running.

Where in that guide does it have you create the nas/client for your host? You have it listen on 127.0.0.1 (loopback) what IP are you talking from If you went through that guide blind did and not understanding what you were actually doing and just put in 192.168.10.253 like the guide not going to work.. And again if the service never start its never ever going to work..

freeradonnano.png_thumb

authworking.png_thumb

Snailkhan

@johnpoz:

Ok, so I converted the img to vmdk, created a 64bit freebsd vm.. Added the disk, booted.. Ran through the config wizard. Click Click on the freerad2 package.. Created an interface, bing bang zoom up and running.

Where in that guide does it have you create the nas/client for your host? You have it listen on 127.0.0.1 (loopback) what IP are you talking from If you went through that guide blind did and not understanding what you were actually doing and just put in 192.168.10.253 like the guide not going to work.. And again if the service never start its never ever going to work..

Immense thanks for your replies .
yes i am on nanobsd 4gb image. 2gb ram. 32bit one.
ip addressing were obviously as per my setup when i tried to follow that article.

i configured nas for my AP but that was not working.

i also setup nas for loopback and tried to test as they said in that article but it wont work .

i only later found that the service was not runing.

it seems that configs are having some issue.

i will try to remove freeradius configs from backuped xml file and will try again Factory defaulting it and restoring with modified backuped file.

Also is it necessary to factory default befor restoring the modified configs ? i mean is a restore overwrite function or a merge ?

Snailkhan

@johnpoz:

What nano version do you have installed the 4GB one?

If freerad doesn't start its never going to work.. Really all you should have to do is click click to install the package.. I would have to fire up a copy of the nanobsd image to see if that has issues with installing the package? If I get a chance to convert it to a vmdk I will boot it on my vm host and see if installs the package ok, etc.

i have installed / uninstalled alot of times.

here is a log for reinstal which completes with sucess but cannot start service.

Removing freeradius2 components…
Tabs items... done.
Menu items... done.
Services... done.
Loading package instructions...
Deinstall commands... done.
Removing package instructions...done.
Auxiliary files... done.
Package XML... done.
Configuration... done.
Beginning package installation for freeradius2 .
Downloading package configuration file... done.
Saving updated package information... done.
Downloading freeradius2 and its dependencies...
Checking for package installation... Loading package configuration... done.
Configuring package components...
Loading package configuration... done.
Additional files... done.
Loading package instructions...
Custom commands...
Executing custom_php_install_command()...done.
Executing custom_php_resync_config_command()...done.
Menu items... done.
Integrated Tab items... done.
Services... done.
Writing configuration... done.

Package reinstalled.

logs for removal/installaiton wil be posted.

Snailkhan

I formated the thumb drive.
Using Rufus copied the 32bit nano bsd 4gb 2.2.5
Booted it.

Configured interfaces. Changed tmp and var sizes to 250mb.
System is 2gb ram and 1.6ghz1.6ghz atom n270

Tried to install free radius and after half hour still hanged / stuck at extracting imageimage.
What's doing this? I had been running snort on it and it was working flawlessly once setup.. And was blocking attackes and I had tuned that…

Now no extra package is installed. Also in all of my above tastings though snort was installed but it was disabled on interfaces..

Update :

Accessed pfsense gui from another system. Freeradius is not appearing in ui

But I tried the same image in VMware workstation and it worked perfectly.

Now it certainly is local system issue but no idea what is it.

I have 4gb Kingston usb write speed 7-8 MBps.

In VMware I dd ed the image to a16 gb vmdk harddisk

I should have made it 4gb so that after installation of all required packages I could have dded it to my usb..

For that I need to make sure my vmdk size matches that of usb..

johnpoz

"In VMware I dd ed the image to a16 gb vmdk harddisk"

In vm if your using the nano, why would you make it a larger disk.. I just did a convert on the img to vmdk via v2v software.. Booted it.. Not sure why you think you need to change tmp and var sizes??

usb of 7-8MBps?? Uggghhh that is slow… that is not even USB 2 speeds..

Snailkhan

update:

yesterday i saw an update for freeradius and i reinstaleld it and now all is working.. strange issue …