Captive Portal Error
-
@aysman Try to create 'dumb' user on the FreeRADIUS / Users page and check again with
radiusd -X -
That's what I'm using :
FreeRadius 0.15.7_27 and a MariaDB (== a mysql variant) on a server on my LAN to authentify captive portal users.I never used this :
@viktor_g said in Captive Portal Error:
Try to create 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X
Info : This "dumb" user will get stored in a file /usr/local/etc/raddb/mods-config/files/authorize (not the database).
-
@aysman Please check this:
killall radiusd- open
/usr/local/etc/raddb/sites-enabled/default
and replaceif ((notfound || noop) && (&control:Auth-Type != Accept)) {
withif ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { - run
radiusd -Xand check authentication again
-
This works ..... but :
I had to :# files # if ((notfound || noop) && (&control:Auth-Type != Accept)) { if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {=> I exclude 'files' altogether.
Now the 'radcheck' table is questionned :(0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) EXPAND %{%{Control:Auth-Type}:-No-Accept} (0) --> No-Accept (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> TRUE (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) redundant sql { (0) sql1: EXPAND %{User-Name} (0) sql1: --> test (0) sql1: SQL-User-Name set to 'test' rlm_sql (sql1): Reserved connection (1) (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id (0) sql1: User found in radcheck table (0) sql1: Conditional check items matched, merging assignment check items (0) sql1: Cleartext-Password := "test" (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql1: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id rlm_sql (sql1): Reserved connection (2) rlm_sql (sql1): Released connection (2) (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql1: --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority (0) sql1: User not found in any groups rlm_sql (sql1): Released connection (1) (0) [sql1] = ok (0) } # redundant sql = ok (0) if (notfound || noop) { (0) if (notfound || noop) -> FALSE (0) } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) = okI had a 'test' user set up :
With
filesin place,
yourif ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))yields a "FALSE, so the 'sql' block isn't executed.
(that what I make of it).
-
@gertjan said in Captive Portal Error:
With
filesin place,
your
if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))yields a "FALSE, so the 'sql' block isn't executed.
(that what I make of it).This is correct because it finds the "test" user in the
filesbackend.
It checksfiles,sqlandldapbackends sequentially.Redmine issue created: https://redmine.pfsense.org/issues/11388
-
@viktor_g said in Captive Portal Error:
This is correct because it finds the "test" user in the files backend.
I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.
Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).
-
@gertjan in this case it should bypass
filesbackend,
my test (raduser1inldapbackend,test1user infilesbackend) with this patch:raduser1 (ldap):
(0) eap: No EAP-Message, not doing EAP (0) [eap] = noop (0) [files] = noop (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) EXPAND %{%{Control:Auth-Type}:-No-Accept} (0) --> No-Accept (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> TRUE (0) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (0) if (true) { (0) if (true) -> TRUE (0) if (true) { (0) redundant { rlm_ldap (ldap): 0 of 0 connections in use. You may need to increase "spare" rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful rlm_ldap (ldap): Reserved connection (0) (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}}) (0) ldap: --> (uid=raduser1) (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub" (0) ldap: Waiting for search result... (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int" (0) ldap: Processing user attributes (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure) rlm_ldap (ldap): Released connection (0) Need 4 more connections to reach min connections (5) rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389 rlm_ldap (ldap): Waiting for bind result... rlm_ldap (ldap): Bind successful (0) [ldap] = oktest1 (files):
1) eap: No EAP-Message, not doing EAP (1) [eap] = noop (1) files: users: Matched entry test1 at line 2 (1) [files] = ok (1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { (1) if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) -> FALSE rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [daily] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [weekly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [monthly] = noop rlm_counter: Entering module authorize code rlm_counter: Could not find Check item value pair (1) [forever] = noop (1) if (&request:Calling-Station-Id == &control:Calling-Station-Id) { (1) ERROR: Failed retrieving values required to evaluate condition (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = updated (1) } # authorize = updated -
Wait : your logs handle a 'files' and/or 'ldap'.
I'm using 'files' and 'sql1' (using the table 'radcheck' etc).@AYSMAN didn't mention 'ldap'.
-
@gertjan Yes, but it uses the same logic (see
/usr/local/etc/raddb/sites-enabled/default)files+ldap:if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { ### sql DISABLED ### if (true) { redundant { ldap # this line adds ldap2 when activated ### ldap2 disabled ### } if (notfound || noop) { reject } } }files+sql:if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) { redundant sql { sql1 ### sql2 DISABLED ### } if (notfound || noop) { ### ldap ### if (notfound || noop) { reject } } } -
@viktor_g Already tested this, Its working just fine with no errors
-
-
@viktor_g Thanks, this fix works. Cheers to you.
-
I confirm.
I was doing stupid things .... the correction proposed works very well.
@viktor_g :
-
Will be in the next FreeRADIUS pkg update (0.15.7_28)
