Netgate Discussion Forum

    Captive Portal Error

    • A
      AYSMAN @Gertjan
      last edited by

      Hi @gertjan
      Yes, I think Mysql Integration works too. I've tried to google that error message but haven't found any solid resolution yet. My other pfsense + radius + mysql deployments with the exact same config work; only this particular version of the freeradius package encounters this error.

      • GertjanG
        Gertjan @AYSMAN
        last edited by

        Another one :

        @aysman said in Captive Portal Error:

        ERROR: Failed retrieving values required to evaluate condition

        this is the one where the user is found / identified, when I'm seeing this :

        (17) eap: No EAP-Message, not doing EAP
        (17) [eap] = noop
        (17) files: users: Matched entry DEFAULT at line 1
        (17) files: users: Matched entry x at line 388
        (17) [files] = ok

        Instead of your :

        (0) eap: No EAP-Message, not doing EAP
        (0) [eap] = noop
        (0) [files] = noop

        I'm using the GUI Package > FreeRADIUS : Users > Users page to enter my users.
        You are using, I guess, something different ?
        It looks like Freeradius can't access your 'list with users'.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • A
          AYSMAN @Gertjan
          last edited by

          @gertjan I'm using MySQL as the database that contains my list of users, including user attributes. I'm not an expert at reading these logs, correct me if I'm wrong, but from what I understand freeradius is "ignoring" the mysql connection for the users.

          • A
            AYSMAN @Gertjan
            last edited by

            Hi @gertjan, just to counter-check, I tried using freeradius3 + MySQL as the backend hosted on my ubuntu server, then configured the pfsense captive portal to authenticate users against my external freeradius server. Everything works fine.

            • viktor_gV
              viktor_g Netgate @AYSMAN
              last edited by

              @aysman Try to create a 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X

              • GertjanG
                Gertjan @AYSMAN
                last edited by Gertjan

                That's what I'm using :
                FreeRadius 0.15.7_27 and a MariaDB (== a mysql variant) on a server on my LAN to authenticate captive portal users.

                I never used this :

                3a20b80b-16c9-40ed-b8ab-c80dde76d99d-image.png

                @viktor_g said in Captive Portal Error:

                Try to create a 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X

                Info : This "dumb" user will get stored in a file /usr/local/etc/raddb/mods-config/files/authorize (not the database).

                • viktor_gV
                  viktor_g Netgate @Gertjan
                  last edited by viktor_g

                  @aysman Please check this:

                  1. killall radiusd
                  2. open /usr/local/etc/raddb/sites-enabled/default
                    and replace if ((notfound || noop) && (&control:Auth-Type != Accept)) {
                    with if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                  3. run radiusd -X and check authentication again
                  • GertjanG
                    Gertjan @viktor_g
                    last edited by

                    @viktor_g

                    This works ..... but :
                    I had to :

                    #	files
                    #	if ((notfound || noop) && (&control:Auth-Type != Accept)) {
                    	if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                    

                    => I exclude 'files' altogether.
                    Now the 'radcheck' table is questioned :

                    (0) eap: No EAP-Message, not doing EAP
                    (0)     [eap] = noop
                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                    (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
                    (0)        --> No-Accept
                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
                    (0)       redundant sql {
                    (0) sql1: EXPAND %{User-Name}
                    (0) sql1:    --> test
                    (0) sql1: SQL-User-Name set to 'test'
                    rlm_sql (sql1): Reserved connection (1)
                    (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
                    (0) sql1:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
                    (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
                    (0) sql1: User found in radcheck table
                    (0) sql1: Conditional check items matched, merging assignment check items
                    (0) sql1:   Cleartext-Password := "test"
                    (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
                    (0) sql1:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
                    (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
                    rlm_sql (sql1): Reserved connection (2)
                    rlm_sql (sql1): Released connection (2)
                    (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
                    (0) sql1:    --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
                    (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
                    (0) sql1: User not found in any groups
                    rlm_sql (sql1): Released connection (1)
                    (0)         [sql1] = ok
                    (0)       } # redundant sql = ok
                    (0)       if (notfound || noop) {
                    (0)       if (notfound || noop)  -> FALSE
                    (0)     } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  = ok
                    

                    I had a 'test' user set up :

                    e1be4832-76c8-4166-a0d5-88a960ed621c-image.png

                    With

                    files 
                    

                    in place,
                    your

                    if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))
                    

                    yields a "FALSE", so the 'sql' block isn't executed.

                    (that's what I make of it).

                    • viktor_gV
                      viktor_g Netgate @Gertjan
                      last edited by

                      @gertjan said in Captive Portal Error:

                      With
                      files

                      in place,
                      your
                      if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))

                      yields a "FALSE", so the 'sql' block isn't executed.
                      (that's what I make of it).

                      This is correct because it finds the "test" user in the files backend.
                      It checks files, sql and ldap backends sequentially.

                      Redmine issue created: https://redmine.pfsense.org/issues/11388

                      • GertjanG
                        Gertjan @viktor_g
                        last edited by

                        @viktor_g said in Captive Portal Error:

                        This is correct because it finds the "test" user in the files backend.

                        I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.

                        Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).

                        • viktor_gV
                          viktor_g Netgate @Gertjan
                          last edited by

                          @gertjan in this case it should bypass files backend,
                          my test (raduser1 in ldap backend, test1 user in files backend) with this patch:

                          raduser1 (ldap):

                          (0) eap: No EAP-Message, not doing EAP
                          (0)     [eap] = noop
                          (0)     [files] = noop
                          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                          (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
                          (0)        --> No-Accept
                          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
                          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
                          (0)       if (true) {
                          (0)       if (true)  -> TRUE
                          (0)       if (true)  {
                          (0)         redundant {
                          rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
                          rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
                          rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
                          rlm_ldap (ldap): Waiting for bind result...
                          rlm_ldap (ldap): Bind successful
                          rlm_ldap (ldap): Reserved connection (0)
                          (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
                          (0) ldap:    --> (uid=raduser1)
                          (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub"
                          (0) ldap: Waiting for search result...
                          (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int"
                          (0) ldap: Processing user attributes
                          (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
                          (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
                          rlm_ldap (ldap): Released connection (0)
                          Need 4 more connections to reach min connections (5)
                          rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
                          rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
                          rlm_ldap (ldap): Waiting for bind result...
                          rlm_ldap (ldap): Bind successful
                          (0)           [ldap] = ok
                          

                          test1 (files):

                          (1) eap: No EAP-Message, not doing EAP
                          (1)     [eap] = noop
                          (1) files: users: Matched entry test1 at line 2
                          (1)     [files] = ok
                          (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                          (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
                          rlm_counter: Entering module authorize code
                          rlm_counter: Could not find Check item value pair
                          (1)     [daily] = noop
                          rlm_counter: Entering module authorize code
                          rlm_counter: Could not find Check item value pair
                          (1)     [weekly] = noop
                          rlm_counter: Entering module authorize code
                          rlm_counter: Could not find Check item value pair
                          (1)     [monthly] = noop
                          rlm_counter: Entering module authorize code
                          rlm_counter: Could not find Check item value pair
                          (1)     [forever] = noop
                          (1)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
                          (1)     ERROR: Failed retrieving values required to evaluate condition
                          (1)     [expiration] = noop
                          (1)     [logintime] = noop
                          (1)     [pap] = updated
                          (1)   } # authorize = updated
                          
                          • GertjanG
                            Gertjan @viktor_g
                            last edited by

                            @viktor_g :

                            Wait : your logs handle a 'files' and/or 'ldap'.
                            I'm using 'files' and 'sql1' (using the table 'radcheck' etc).

                            @AYSMAN didn't mention 'ldap'.

                            • viktor_gV
                              viktor_g Netgate @Gertjan
                              last edited by

                              @gertjan Yes, but it uses the same logic (see /usr/local/etc/raddb/sites-enabled/default)

                              files + ldap:

                              if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                      ### sql DISABLED ###
                                      if (true) {
                                              redundant {
                                                      ldap
                                                      # this line adds ldap2 when activated
                                                      ### ldap2 disabled ###
                                              }
                                              if (notfound || noop) {
                                                      reject
                                              }
                                      }
                              }
                              

                              files + sql:

                              if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                      redundant sql {
                                              sql1
                                              ### sql2 DISABLED ###
                                      }
                                      if (notfound || noop) {
                                              ### ldap ###
                                              if (notfound || noop) {
                                                      reject
                                              }
                                      }
                              }
                              A 1 Reply Last reply Reply Quote 0
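
A triage helper for the `radiusd -X` output discussed in this thread, added here as an example (not code from any poster or from the FreeRADIUS package): it ties each "Failed retrieving values" error to the condition printed just before it and reports, per request, whether the sql/ldap fallback ran. The sample log is constructed, `triage` and `findings` are hypothetical names, and the pairing of the old condition with the error in request 0 is an assumption based on the error text quoted earlier in the thread.

```python
import re
from collections import defaultdict

# Constructed sample in `radiusd -X` format. Request 0 pairs the old condition
# with the error text quoted in the thread (an assumption); requests 1 and 2
# are trimmed from the patched runs posted above, with ids renumbered.
SAMPLE = """\
(0)     [files] = noop
(0)     if ((notfound || noop) && (&control:Auth-Type != Accept)) {
(0)     ERROR: Failed retrieving values required to evaluate condition
(1)     [files] = noop
(1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
rlm_sql (sql1): Reserved connection (1)
(1)         [sql1] = ok
(2)     [files] = ok
(2)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
(2)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
(2)     ERROR: Failed retrieving values required to evaluate condition
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")        # "(id) rest of line"
MODULE = re.compile(r"^\[(\w+)\] = (\w+)$")     # "[files] = noop"
COND_OPEN = re.compile(r"^(if \(.*\))\s*\{$")   # "if (...) {"
ERROR = "ERROR: Failed retrieving values required to evaluate condition"


def triage(debug_text):
    """Group module return codes and failed conditions by request id."""
    reqs = defaultdict(lambda: {"modules": {}, "failed": []})
    last_cond = {}  # request id -> most recently opened condition
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines such as "rlm_sql (sql1): ..." carry no request id
        rid, body = int(m.group(1)), m.group(2).strip()
        if mod := MODULE.match(body):
            reqs[rid]["modules"][mod.group(1)] = mod.group(2)
        elif opened := COND_OPEN.match(body):
            last_cond[rid] = opened.group(1)
        elif body == ERROR:
            # The error line follows the condition it belongs to.
            reqs[rid]["failed"].append(last_cond.get(rid, "<unknown>"))
    return dict(reqs)


def findings(debug_text):
    """One verdict per request: which backend answered, or why none was asked."""
    out = {}
    for rid, req in triage(debug_text).items():
        mods = req["modules"]
        backends = [m for m in mods if m.startswith(("sql", "ldap"))]
        auth_type_failed = any("Auth-Type" in c for c in req["failed"])
        verdict = "no backend result"
        if mods.get("files") in ("noop", "notfound") and auth_type_failed and not backends:
            verdict = "fallback skipped: Auth-Type condition could not be evaluated"
        elif backends:
            verdict = "answered by " + ", ".join(f"{b}={mods[b]}" for b in backends)
        elif mods.get("files") == "ok":
            verdict = "answered by files"
        out[rid] = verdict
    return out
```

Request 2 shows why the error has to be tied to its condition: the same message appears for the Calling-Station-Id check in a run where authentication through `files` still proceeds.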
                              • A
                                AYSMAN @viktor_g
                                last edited by

                                @viktor_g Already tested this, it's working just fine with no errors.

                                • A
                                  AYSMAN @viktor_g
                                  last edited by

                                  @viktor_g @Gertjan Since all of my previous setups using earlier versions of the freeradius package are working with no errors, can this be considered a valid bug for freeradius package version 0.15.7_27?

                                  • A
                                    AYSMAN @viktor_g
                                    last edited by

                                    @viktor_g Thanks, this fix works. Cheers to you.

                                    • GertjanG
                                      Gertjan @AYSMAN
                                      last edited by

                                      I confirm.
                                      I was doing stupid things .... the correction proposed works very well.
                                      @viktor_g : 👍

                                      • viktor_gV
                                        viktor_g Netgate
                                        last edited by

                                        Will be in the next FreeRADIUS pkg update (0.15.7_28)

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.