Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Captive Portal Error

    Scheduled Pinned Locked Moved Captive Portal
    24 Posts 3 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • GertjanG
      Gertjan @viktor_g
      last edited by

      @viktor_g

      This works ..... but :
      I had to :

      #	files
      #	if ((notfound || noop) && (&control:Auth-Type != Accept)) {
      	if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
      

      => I exclude 'files' altogether.
      Now the 'radcheck' table is questionned :

      (0) eap: No EAP-Message, not doing EAP
      (0)     [eap] = noop
      (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
      (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
      (0)        --> No-Accept
      (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
      (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
      (0)       redundant sql {
      (0) sql1: EXPAND %{User-Name}
      (0) sql1:    --> test
      (0) sql1: SQL-User-Name set to 'test'
      rlm_sql (sql1): Reserved connection (1)
      (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
      (0) sql1:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
      (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
      (0) sql1: User found in radcheck table
      (0) sql1: Conditional check items matched, merging assignment check items
      (0) sql1:   Cleartext-Password := "test"
      (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
      (0) sql1:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
      (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
      rlm_sql (sql1): Reserved connection (2)
      rlm_sql (sql1): Released connection (2)
      (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
      (0) sql1:    --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
      (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
      (0) sql1: User not found in any groups
      rlm_sql (sql1): Released connection (1)
      (0)         [sql1] = ok
      (0)       } # redundant sql = ok
      (0)       if (notfound || noop) {
      (0)       if (notfound || noop)  -> FALSE
      (0)     } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  = ok
      

      I had a 'test' user set up :

      e1be4832-76c8-4166-a0d5-88a960ed621c-image.png

      With

      files 
      

      in place,
      your

      if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))
      

      yields a "FALSE, so the 'sql' block isn't executed.

      (that what I make of it).

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      viktor_gV 1 Reply Last reply Reply Quote 0
      • viktor_gV
        viktor_g Netgate @Gertjan
        last edited by

        @gertjan said in Captive Portal Error:

        With
        files

        in place,
        your
        if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))

        yields a "FALSE, so the 'sql' block isn't executed.
        (that what I make of it).

        This is correct because it finds the "test" user in the files backend.
        It checks files, sql and ldap backends sequentially.

        Redmine issue created: https://redmine.pfsense.org/issues/11388

        GertjanG 1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @viktor_g
          last edited by

          @viktor_g said in Captive Portal Error:

          This is correct because it finds the "test" user in the files backend.

          I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.

          Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          viktor_gV 1 Reply Last reply Reply Quote 0
          • viktor_gV
            viktor_g Netgate @Gertjan
            last edited by

            @gertjan in this case it should bypass files backend,
            my test (raduser1 in ldap backend, test1 user in files backend) with this patch:

            raduser1 (ldap):

            (0) eap: No EAP-Message, not doing EAP
            (0)     [eap] = noop
            (0)     [files] = noop
            (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
            (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
            (0)        --> No-Accept
            (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
            (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
            (0)       if (true) {
            (0)       if (true)  -> TRUE
            (0)       if (true)  {
            (0)         redundant {
            rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
            rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
            rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
            rlm_ldap (ldap): Waiting for bind result...
            rlm_ldap (ldap): Bind successful
            rlm_ldap (ldap): Reserved connection (0)
            (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
            (0) ldap:    --> (uid=raduser1)
            (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub"
            (0) ldap: Waiting for search result...
            (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int"
            (0) ldap: Processing user attributes
            (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
            (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
            rlm_ldap (ldap): Released connection (0)
            Need 4 more connections to reach min connections (5)
            rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
            rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
            rlm_ldap (ldap): Waiting for bind result...
            rlm_ldap (ldap): Bind successful
            (0)           [ldap] = ok
            

            test1 (files):

            1) eap: No EAP-Message, not doing EAP
            (1)     [eap] = noop
            (1) files: users: Matched entry test1 at line 2
            (1)     [files] = ok
            (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
            (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
            rlm_counter: Entering module authorize code
            rlm_counter: Could not find Check item value pair
            (1)     [daily] = noop
            rlm_counter: Entering module authorize code
            rlm_counter: Could not find Check item value pair
            (1)     [weekly] = noop
            rlm_counter: Entering module authorize code
            rlm_counter: Could not find Check item value pair
            (1)     [monthly] = noop
            rlm_counter: Entering module authorize code
            rlm_counter: Could not find Check item value pair
            (1)     [forever] = noop
            (1)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
            (1)     ERROR: Failed retrieving values required to evaluate condition
            (1)     [expiration] = noop
            (1)     [logintime] = noop
            (1)     [pap] = updated
            (1)   } # authorize = updated
            
            GertjanG 1 Reply Last reply Reply Quote 0
            • GertjanG
              Gertjan @viktor_g
              last edited by

              @viktor_g :

              Wait : your logs handle a 'files' and/or 'ldap'.
              I'm using 'files' and 'sql1' (using the table 'radcheck' etc).

              @AYSMAN didn't mention 'ldap'.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              viktor_gV 1 Reply Last reply Reply Quote 0
              • viktor_gV
                viktor_g Netgate @Gertjan
                last edited by

                @gertjan Yes, but it uses the same logic (see /usr/local/etc/raddb/sites-enabled/default)

                files + ldap:

                if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                        ### sql DISABLED ###
                        if (true) {                     
                          redundant {
                          ldap
                          # this line adds ldap2 when activated
                         ### ldap2 disabled ###
                        }
                    if (notfound || noop) {
                          reject
                    }
                 }
                }
                

                files + sql:

                if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                         redundant sql {
                                sql1
                                ### sql2 DISABLED ###
                        }
                        if (notfound || noop) {
                                        ### ldap ###
                                        if (notfound || noop) {
                                                reject
                                       }
                        }
                 }
                A 1 Reply Last reply Reply Quote 0
                • A
                  AYSMAN @viktor_g
                  last edited by

                  @viktor_g Already tested this, Its working just fine with no errors

                  1 Reply Last reply Reply Quote 0
                  • A
                    AYSMAN @viktor_g
                    last edited by

                    @viktor_g @Gertjan Since all of my previous set up using earlier version of the freeradius package is working with no errors. Can this be considered a valid bug for freeradius package version 0.15.7_27?

                    1 Reply Last reply Reply Quote 0
                    • A
                      AYSMAN @viktor_g
                      last edited by

                      @viktor_g Thanks, this fix works. Cheers to you.

                      GertjanG 1 Reply Last reply Reply Quote 0
                      • GertjanG
                        Gertjan @AYSMAN
                        last edited by

                        I confirm.
                        I was doing stupid things .... the correction proposed works very well.
                        @viktor_g : 👍

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        1 Reply Last reply Reply Quote 1
                        • viktor_gV
                          viktor_g Netgate
                          last edited by

                          Will be in the next FreeRADIUS pkg update (0.15.7_28)

                          1 Reply Last reply Reply Quote 2
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.