Captive Portal Error
-
@aysman Please update FreeRADIUS pkg to the latest version
see https://redmine.pfsense.org/issues/11054#note-4 -
@viktor_g said in Captive Portal Error:
https://redmine.pfsense.org/issues/11054#note-4
Hi @viktor_g Thanks for your reply. I'm already using the latest version 0.15.7_27 from the pfsense package list
-
To see all the details, also why thing go wrong :
Stop Radius in the GUI.
Open a console or SSH, option 8.
Typeradiusd -X
Enjoy.
-
Hi @gertjan Here's the debug log i got
Ready to process requests
(0) Received Access-Request Id 98 from 172.16.100.1:12399 to 172.16.100.1:1812 length 162 (0) Service-Type = Login-User (0) User-Name = "SERVO" (0) User-Password = "SERVO" (0) NAS-IP-Address = 172.16.100.1 (0) NAS-Identifier = "CaptivePortal-guestwifi" (0) Calling-Station-Id = "a2:e2:c9:cb:1b:d5" (0) Called-Station-Id = "00:e0:4c:62:fa:80:ServoOffice.firewall.ph" (0) NAS-Port-Type = Ethernet (0) NAS-Port = 2018 (0) Framed-IP-Address = 172.16.100.2 (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (0) authorize { (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "SERVO", skipping NULL due to config. (0) [suffix] = noop (0) ntdomain: Checking for prefix before "\" (0) ntdomain: No '\' in User-Name = "SERVO", skipping NULL due to config. (0) [ntdomain] = noop (0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) if ((notfound || noop) && (&control:Auth-Type != Accept)) { (0) ERROR: Failed retrieving values required to evaluate condition (0) dailycounter: WARNING: Couldn't find check attribute, control:Max-Daily-Session, doing nothing... (0) [dailycounter] = noop (0) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing... (0) [monthlycounter] = noop (0) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing... (0) [noresetcounter] = noop (0) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing... (0) [expire_on_login] = noop (0) if (&request:Calling-Station-Id == &control:Calling-Station-Id) { (0) ERROR: Failed retrieving values required to evaluate condition (0) [expiration] = noop (0) [logintime] = noop (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (0) pap: WARNING: Authentication will fail unless a "known good" password is available (0) [pap] = noop (0) } # authorize = ok (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) redundant sql { (0) sql1: EXPAND .query (0) sql1: --> .query (0) sql1: Using query template 'query' rlm_sql (sql1): Reserved connection (1) (0) sql1: EXPAND %{User-Name} (0) sql1: --> SERVO (0) sql1: SQL-User-Name set to 'SERVO' (0) sql1: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql1: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'SERVO', 'SERVO', 'Access-Reject', '2021-02-09 14:55:43') (0) sql1: EXPAND /var/log/sqltrace.sql (0) sql1: --> /var/log/sqltrace.sql (0) sql1: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'SERVO', 'SERVO', 'Access-Reject', '2021-02-09 14:55:43') (0) sql1: SQL query returned: success (0) sql1: 1 record(s) updated rlm_sql (sql1): Released connection (1) (0) [sql1] = ok (0) } # redundant sql = ok (0) attr_filter.access_reject: EXPAND %{User-Name} (0) attr_filter.access_reject: --> SERVO (0) attr_filter.access_reject: Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) [eap] = noop (0) policy remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) { (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else { (0) [noop] = noop (0) } # else = noop (0) } # policy remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Login incorrect (Failed retrieving values required to evaluate condition): [SERVO/SERVO] (from client ServoOffice.firewall.ph port 2018 cli a2:e2:c9:cb:1b:d5) (0) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sent Access-Reject Id 98 from 172.16.100.1:1812 to 172.16.100.1:12399 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 98 with timestamp +21 Ready to process requests
-
This is the part you should look up :
@aysman said in Captive Portal Error:
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is availableBtw : The mysql communication works.
-
Hi @gertjan
Yes, I think Mysql Integration works too. I've tried to google that error message but haven't found any solid resolution yet. My other pfsense + radius + mysql deployments with the exact same config works only this particular version of freeradius package encounters this error -
Another one :
@aysman said in Captive Portal Error:
ERROR: Failed retrieving values required to evaluate condition
this is the one where the user is found / identified, when I'm seeing this :
(17) eap: No EAP-Message, not doing EAP
(17) [eap] = noop
(17) files: users: Matched entry DEFAULT at line 1
(17) files: users: Matched entry x at line 388
(17) [files] = okInstead of your :
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) [files] = noopI'm using the GUI Package > FreeRADIUS : Users > Users page to enter my users.
You are using, I guess, something diffferent ?
It looks like Freeradius can't access you 'list with users'. -
@gertjan I'm Using MySQL as database that contain my list of users including user attributes. Not an expert reading these logs correct me if Im wrong, but from what I understand is that freeradius is "ignoring" the myqsl connection for the users
-
Hi @gertjan just to counter check, I tried using freeradius3 + MySQL as backend hosted in my ubuntu server then configure pfsense captive portal to authenticate users to my external freeradius server, everything works fine.
-
@aysman Try to create 'dumb' user on the FreeRADIUS / Users page and check again with
radiusd -X
-
That's what I'm using :
FreeRadius 0.15.7_27 and a MariaDB (== a mysql variant) on a server on my LAN to authentify captive portal users.I never used this :
@viktor_g said in Captive Portal Error:
Try to create 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X
Info : This "dumb" user will get stored in a file /usr/local/etc/raddb/mods-config/files/authorize (not the database).
-
@aysman Please check this:
killall radiusd
- open
/usr/local/etc/raddb/sites-enabled/default
and replaceif ((notfound || noop) && (&control:Auth-Type != Accept)) {
withif ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
- run
radiusd -X
and check authentication again
-
This works ..... but :
I had to :# files # if ((notfound || noop) && (&control:Auth-Type != Accept)) { if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
=> I exclude 'files' altogether.
Now the 'radcheck' table is questionned :(0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) EXPAND %{%{Control:Auth-Type}:-No-Accept} (0) --> No-Accept (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> TRUE (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) redundant sql { (0) sql1: EXPAND %{User-Name} (0) sql1: --> test (0) sql1: SQL-User-Name set to 'test' rlm_sql (sql1): Reserved connection (1) (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql1: User found in radcheck table (0) sql1: Conditional check items matched, merging assignment check items (0) sql1: Cleartext-Password := "test" (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id rlm_sql (sql1): Reserved connection (2) rlm_sql (sql1): Released connection (2) (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql1: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql1: User not found in any groups rlm_sql (sql1): Released connection (1) (0) [sql1] = ok (0) } # redundant sql = ok (0) if (notfound || noop) { (0) if (notfound || noop) -> FALSE (0) } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) = ok
I had a 'test' user set up :
With
files
in place,
yourif ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))
yields a "FALSE, so the 'sql' block isn't executed.
(that what I make of it).
-
@gertjan said in Captive Portal Error:
With
filesin place,
your
if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))yields a "FALSE, so the 'sql' block isn't executed.
(that what I make of it).This is correct because it finds the "test" user in the
files
backend.
It checksfiles
,sql
andldap
backends sequentially.Redmine issue created: https://redmine.pfsense.org/issues/11388
-
@viktor_g said in Captive Portal Error:
This is correct because it finds the "test" user in the files backend.
I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.
Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).
-
@gertjan in this case it should bypass
files
backend,
my test (raduser1
inldap
backend,test1
user infiles
backend) with this patch:raduser1 (ldap):
(0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) EXPAND %{%{Control:Auth-Type}:-No-Accept} (0) --> No-Accept (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> TRUE (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) if (true) { (0) if (true) -> TRUE (0) if (true) { (0) redundant { rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=raduser1) (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 4 more connections to reach min connections (5) rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = ok
test1 (files):
1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry test1 at line 2 (1) [files] = ok (1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> FALSE rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [forever] = noop (1) if (&request:Calling-Station-Id == &control:Calling-Station-Id) { (1) ERROR: Failed retrieving values required to evaluate condition (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = updated (1) } # authorize = updated
-
-
@gertjan Yes, but it uses the same logic (see
/usr/local/etc/raddb/sites-enabled/default
)files
+ldap
:if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { ### sql DISABLED ### if (true) { redundant { ldap # this line adds ldap2 when activated ### ldap2 disabled ### } if (notfound || noop) { reject } } }
files
+sql
:if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { redundant sql { sql1 ### sql2 DISABLED ### } if (notfound || noop) { ### ldap ### if (notfound || noop) { reject } } }
-
@viktor_g Already tested this, Its working just fine with no errors
-