[SOLVED] Freeradius doesn't start after a pfsense 2.4.4 fresh install and restored previous config.

jimp

If you make a change in the FreeRADIUS settings and save, nothing is logged?

The FreeRADIUS package is the same on 2.4.3 and 2.4.4, there shouldn't be any differences there.

You might try removing the FreeRADIUS package, and then adding it back in. You should not need to make any changes to your settings.

sisko212

i am an idiot... if I had read better all installation logs of the package, I would have solved immediately.
Package is changed or someting related... and then it requires:

1. To enable FreeRADIUS, put the following line in /etc/rc.conf
   radiusd_enable="YES"

2. To start the server in normal (daemon) mode, run:
   /usr/local/etc/rc.d/radiusd start

I have to try if freeradius survive at boot, but at least is working now.

NogBadTheBad

@sisko212 said in [SOLVED] Freeradius doesn't start after a pfsense 2.4.4 fresh install and restored previous config.:

i am an idiot... if I had read better all installation logs of the package, I would have solved immediately.
Package is changed or someting related... and then it requires:

1. To enable FreeRADIUS, put the following line in /etc/rc.conf
   radiusd_enable="YES"

2. To start the server in normal (daemon) mode, run:
   /usr/local/etc/rc.d/radiusd start

I have to try if freeradius survive at boot, but at least is working now.

Do you ?

My install seems to work fine and my rc.conf reads:-

# THIS FILE DOES NOTHING, DO NOT MAKE CONFIG CHANGES HERE

# -- BEGIN BSD Installer automatically generated configuration  -- #
# -- Written on Sun Apr 9 16:43:20 UTC 2017-- #
dumpdev='/dev/ada0s1b'
dumpdir='/var/crash'
# -- END of BSD Installer automatically generated configuration -- #

jimp

You do not need to put that entry in rc.conf or anywhere else. The package sync process will start it automatically.

sisko212

I don't know what to think...
I agree, usually rc.conf should not be edited, but i just readed better all logs while package reinstallation... here its log:

Message from freeradius3-3.0.17:

===============================================================================

To enable FreeRADIUS, put the following line in /etc/rc.conf

radiusd_enable="YES"

The sample configuration can be found at
/usr/local/share/examples/freeradius/raddb

If you are upgrading FreeRADIUS, you are advised to use this as a reference
for updating your configuration.

FreeRADIUS will look for its configuration directory at
/usr/local/etc/raddb by default.

If you did not already have a configuration at this location, the sample
configuration has been copied to this location and has been bootstrapped.

If you wish to point FreeRADIUS to a configuration at a different
location, put the following line in /etc/rc.conf

radiusd_flags="-d /path/to/raddb"

To start the server in normal (daemon) mode, run:

/usr/local/etc/rc.d/radiusd start

and to stop the server, run:

/usr/local/etc/rc.d/radiusd stop

To start the server in debugging mode, run:

/usr/local/etc/rc.d/radiusd debug

You are advised to make cautious changes to the configuration, and to test
frequently, using debugging mode where necessary. Try to resist the
temptation to disable or delete things that you don't understand - you may
well break things!

Useful configuration advice can be found in the FreeRADIUS Wiki at
http://wiki.freeradius.org

===============================================================================
Message from pfSense-pkg-freeradius3-0.15.5_3:

Please visit Services > FreeRADIUS menu to configure the package.

EAP certificate configuration is required before using the package.
Visit System > Cert. Manager and create a CA and a server certificate.
After that, visit Services > FreeRADIUS > EAP tab and complete
the 'Certificates for TLS' section (and, optionally, also the 'EAP-TLS' section.)

Cleaning up cache... done.
Success

jimp

That output is from the FreeBSD package, it isn't relevant to pfSense, but it can't (easily) be suppressed.

The only part you need to pay attention to is the "Message from pfSense-pkg-freeradius3 ..." section.

sisko212

I did another fresh install (i have two identical hardware for backup and testing purpose) of pfsense 2.4.4.
Then restored my previous config file, and also for this new installation, freeradius did not start from gui.
I had no logs from /var/log/radiusd (even enabled on gui config) neither from gui Status -> System Logs.
This time, without any modification on /etc/rc.conf, i just send, by ssh console, an
/usr/local/etc/rc.d/radiusd start
And daemon has started normally and /var/log/radiusd was filled with all infos.
From now, looks even from gui, the service can be stopped and started.
So, related to my previous post, perhaps the key was not the /etc/rc.conf modification, but just once starting freeradius service by console.

jimp

Curious. I have FreeRADIUS installed on maybe half a dozen test systems here and it automatically starts on all of them.

Do you see any errors on the console or in the logs at boot time about FreeRADIUS?

sisko212

@jimp unfortunately not... no errors, no logs, nothing, just the status icon stays red, on Status -> Services section

Gertjan

Hi,

When freeradius is stopped, use the console, option 8, and enter

radiusd -X

All logging will be done to the console - you'll be seeing errors if they exist.

jimp

@sisko212 said in [SOLVED] Freeradius doesn't start after a pfsense 2.4.4 fresh install and restored previous config.:

@jimp unfortunately not... no errors, no logs, nothing, just the status icon stays red, on Status -> Services section

So it didn't start even if you clicked the start button on Status > Services?

But after you started it manually once from the command line, it works every time now?

I'll have to setup a fresh install VM and see if I can replicate it that way. Perhaps mine work because they're already configured.

sisko212

So it didn't start even if you clicked the start button on Status > Services?

right..

But after you started it manually once from the command line, it works every time now?

right again..

I'll have to setup a fresh install VM and see if I can replicate it that way. Perhaps mine work because they're already configured.

Ok thanks... if can helps, my pfsense is installed to a zfs pool mirrored to 2 ssd.
Let me know, if you need more details about hardware i am using... or, if you need, i will try to send you my config file... just i will try to remove users passwords and certificates sections from it

dddave

Hi all,

I just upgraded freeradius3 package to version 0.15.5_4 running on APU hardware with pfsense build: 2.4.4-RELEASE.

It's been running pretty much rock solid for years... (should not have upgraded! :( ).

I need guidance on where to look to help diagnose this please??? :(

Previously after the last update I had to manually re-start after a boot up -> now I cannot manually start, and I cannot see any logs in the radius.log file under /var/log? No errors in any of the system logs. Is this a temporary issue that anyone is aware of? Its been pretty rock stable until now. Re-installation of the package / changing a few settings or rolling config back config has not helped. Cannot get the service to boot. Does this ring any bell's / idea's from anyone? Luckily it only handles Wireless authentication, so we have 1 SSID I can use that is rate limited that doesn't use it - so the family "may not notice" - but I'm a tad surprised as I know some big names use PFSense, for various elements.

Where may I find more log information to help break the root cause down?

Thanks in advance - please link to other posts if I couldn't find them - or advise if this is already know / in pending merges.

David

dddave

And yes - sorry I know the package is third party - please advise where to post if this is not suitable - but it doesn't help the brand, as many consumers will see it as part of the PFSense brand.

juruteknik

hi dddave, please share the output of radiusd -X

i have same problem here

strangegopher

Same issue here.

radiusd -X show:

Errors reading /usr/local/etc/raddb/dictionary: dict_init: /usr/local/etc/raddb/dictionary[6] invalid entry

/usr/local/etc/raddb/dictionary :

# Local dictionary, does not need to include the master dictionary
ATTRIBUTE               MOTP-Init-Secret                900     string
ATTRIBUTE               MOTP-PIN                        901     string
ATTRIBUTE               MOTP-Offset                     902     string

 /usr/share/doc/radius/dictionary.pfsense

edit: removing the last line fixes the issue. also changing the last line to be this works

$INCLUDE /usr/share/doc/radius/dictionary.pfsense

Now a reboot will remove this fix.

edit2: created bug report - https://redmine.pfsense.org/issues/8989

RikkertJ

@strangegopher that seems to resolve the issue. Thank you!

sisko212

@strangegopher I can confirm your workaround. This fix the issue.

free4

@dddave @juruteknik @strangegopher @RikkertJ and @sisko212
I appologize for this problem, this is my fault. I am an occasional contributor to pfSense and it's me who caused this issue.

I submited a pull request to fix the issue ( https://github.com/pfsense/FreeBSD-ports/pull/579 ). I hope it will be merged fast.

Gertjan

@strangegopher said in [SOLVED] Freeradius doesn't start after a pfsense 2.4.4 fresh install and restored previous config.:

Same issue here.
edit: removing the last line fixes the issue. also changing the last line to be this works

$INCLUDE /usr/share/doc/radius/dictionary.pfsense

Now a reboot will remove this fix.
edit2: created bug report - https://redmine.pfsense.org/issues/8989

Edit (only) this file : /usr/local/pkg/freeradius.inc
Line 3666
Change

$INCLUDE /usr/share/doc/radius/dictionary.pfsense

for

\$INCLUDE /usr/share/doc/radius/dictionary.pfsense

Escaping the $ (adding a backslash in front) and "$INCLUDE" will be included literally.
Now the patch will persists after rebooting.

Btw : to apply the edit : reboot !

edit : @free4 : look at the source, it's just the backslash that is missing. Instead of reverting your PL, add another PL and done ^^