Netgate Discussion Forum

Captive Portal Error

24 Posts 3 Posters 2.2k Views
    Gertjan @viktor_g
    last edited by Feb 9, 2021, 9:52 AM

    @viktor_g

    This works ..... but :
    I had to :

    #	files
    #	if ((notfound || noop) && (&control:Auth-Type != Accept)) {
    	if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    

    => I exclude 'files' altogether.
    Now the 'radcheck' table is queried:

    (0) eap: No EAP-Message, not doing EAP
    (0)     [eap] = noop
    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
    (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
    (0)        --> No-Accept
    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
    (0)       redundant sql {
    (0) sql1: EXPAND %{User-Name}
    (0) sql1:    --> test
    (0) sql1: SQL-User-Name set to 'test'
    rlm_sql (sql1): Reserved connection (1)
    (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
    (0) sql1:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
    (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
    (0) sql1: User found in radcheck table
    (0) sql1: Conditional check items matched, merging assignment check items
    (0) sql1:   Cleartext-Password := "test"
    (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
    (0) sql1:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
    (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
    rlm_sql (sql1): Reserved connection (2)
    rlm_sql (sql1): Released connection (2)
    (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
    (0) sql1:    --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
    (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
    (0) sql1: User not found in any groups
    rlm_sql (sql1): Released connection (1)
    (0)         [sql1] = ok
    (0)       } # redundant sql = ok
    (0)       if (notfound || noop) {
    (0)       if (notfound || noop)  -> FALSE
    (0)     } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  = ok
    

    I had a 'test' user set up :


    With

    files 
    

    in place,
    your

    if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))
    

    yields "FALSE", so the 'sql' block isn't executed.

    (That's what I make of it.)

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

      viktor_g Netgate @Gertjan
      last edited by Feb 9, 2021, 10:18 AM

      @gertjan said in Captive Portal Error:

      With
      files

      in place,
      your
      if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))

      yields "FALSE", so the 'sql' block isn't executed.
      (That's what I make of it.)

      This is correct because it finds the "test" user in the files backend.
      It checks files, sql and ldap backends sequentially.

      Redmine issue created: https://redmine.pfsense.org/issues/11388

        Gertjan @viktor_g
        last edited by Feb 9, 2021, 11:19 AM

        @viktor_g said in Captive Portal Error:

        This is correct because it finds the "test" user in the files backend.

        I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.

        Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).

          viktor_g Netgate @Gertjan
          last edited by Feb 9, 2021, 11:38 AM

          @gertjan in this case it should bypass files backend,
          my test (raduser1 in ldap backend, test1 user in files backend) with this patch:

          raduser1 (ldap):

          (0) eap: No EAP-Message, not doing EAP
          (0)     [eap] = noop
          (0)     [files] = noop
          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
          (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
          (0)        --> No-Accept
          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
          (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
          (0)       if (true) {
          (0)       if (true)  -> TRUE
          (0)       if (true)  {
          (0)         redundant {
          rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
          rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
          rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
          rlm_ldap (ldap): Waiting for bind result...
          rlm_ldap (ldap): Bind successful
          rlm_ldap (ldap): Reserved connection (0)
          (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
          (0) ldap:    --> (uid=raduser1)
          (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub"
          (0) ldap: Waiting for search result...
          (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int"
          (0) ldap: Processing user attributes
          (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
          (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
          rlm_ldap (ldap): Released connection (0)
          Need 4 more connections to reach min connections (5)
          rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
          rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
          rlm_ldap (ldap): Waiting for bind result...
          rlm_ldap (ldap): Bind successful
          (0)           [ldap] = ok
          

          test1 (files):

          (1) eap: No EAP-Message, not doing EAP
          (1)     [eap] = noop
          (1) files: users: Matched entry test1 at line 2
          (1)     [files] = ok
          (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
          (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
          rlm_counter: Entering module authorize code
          rlm_counter: Could not find Check item value pair
          (1)     [daily] = noop
          rlm_counter: Entering module authorize code
          rlm_counter: Could not find Check item value pair
          (1)     [weekly] = noop
          rlm_counter: Entering module authorize code
          rlm_counter: Could not find Check item value pair
          (1)     [monthly] = noop
          rlm_counter: Entering module authorize code
          rlm_counter: Could not find Check item value pair
          (1)     [forever] = noop
          (1)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
          (1)     ERROR: Failed retrieving values required to evaluate condition
          (1)     [expiration] = noop
          (1)     [logintime] = noop
          (1)     [pap] = updated
          (1)   } # authorize = updated
          
            Gertjan @viktor_g
            last edited by Feb 9, 2021, 2:11 PM

            @viktor_g :

            Wait : your logs handle a 'files' and/or 'ldap'.
            I'm using 'files' and 'sql1' (using the table 'radcheck' etc).

            @AYSMAN didn't mention 'ldap'.

              viktor_g Netgate @Gertjan
              last edited by Feb 9, 2021, 3:10 PM

              @gertjan Yes, but it uses the same logic (see /usr/local/etc/raddb/sites-enabled/default)

              files + ldap:

              if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                      ### sql DISABLED ###
                      if (true) {                     
                        redundant {
                        ldap
                        # this line adds ldap2 when activated
                       ### ldap2 disabled ###
                      }
                  if (notfound || noop) {
                        reject
                  }
               }
              }
              

              files + sql:

              if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                       redundant sql {
                              sql1
                              ### sql2 DISABLED ###
                      }
                      if (notfound || noop) {
                                      ### ldap ###
                                      if (notfound || noop) {
                                              reject
                                     }
                      }
               }
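A constructed model of the fall-through policy quoted above, added here as an illustration: it is not code from the pfSense FreeRADIUS package or from FreeRADIUS itself, and the backend tables and user names are made-up stand-ins for the thread's scenarios (test1 only in files, test only in radcheck, raduser1 only in ldap).

```python
NOOP, OK, NOTFOUND, REJECT = "noop", "ok", "notfound", "reject"


def expand_with_default(control, attr, default):
    """Model the unlang expansion %{%{Control:Attr}:-default}: the attribute's
    value when it is set in the control list, otherwise the default string."""
    return control.get(attr, default)


def run_module(name, users, username, control):
    """Model one backend module. A hit merges the user's check items into the
    control list and returns ok. On a miss, files returns noop while the sql
    and ldap modules return notfound, as in the debug output quoted above."""
    if username in users:
        control.update(users[username])
        return OK
    return NOOP if name == "files" else NOTFOUND


def authorize(username, files, fallbacks, control=None):
    """Run the authorize policy. `fallbacks` is the ordered list of
    (module name, user table) pairs enabled after files, e.g. [("sql1", ...)]
    or [("ldap", ...)]. Returns (final return code, trace of module results)."""
    control = dict(control or {})
    trace = []
    rc = run_module("files", files, username, control)
    trace.append(f"[files] = {rc}")
    # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))
    auth_type = expand_with_default(control, "Auth-Type", "No-Accept")
    if rc in (NOTFOUND, NOOP) and auth_type != "Accept":
        for name, users in fallbacks:          # redundant { sql1 / ldap }
            rc = run_module(name, users, username, control)
            trace.append(f"[{name}] = {rc}")
            if rc == OK:
                break
        if rc in (NOTFOUND, NOOP):             # if (notfound || noop) { reject }
            trace.append("reject")
            return REJECT, trace
    return rc, trace


# Constructed sample backends mirroring the thread: test1 only in files
# (the pfSense GUI), test only in the radcheck table, raduser1 only in ldap.
FILES = {"test1": {"Cleartext-Password": "test1"}}
RADCHECK = {"test": {"Cleartext-Password": "test"}}
LDAP = {"raduser1": {"Cleartext-Password": "raduser1"}}

if __name__ == "__main__":
    for user in ("test1", "test", "nobody"):
        print(user, authorize(user, FILES, [("sql1", RADCHECK)]))
    print("raduser1", authorize("raduser1", FILES, [("ldap", LDAP)]))
```

A user unknown to every enabled backend ends in reject, and a control list that already carries Auth-Type := Accept skips the sql/ldap block entirely, which is the second half of the condition.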
                AYSMAN @viktor_g
                last edited by Feb 10, 2021, 3:30 AM

                @viktor_g Already tested this, it's working just fine with no errors

                  AYSMAN @viktor_g
                  last edited by Feb 10, 2021, 3:36 AM

                  @viktor_g @Gertjan Since all of my previous set up using earlier version of the freeradius package is working with no errors. Can this be considered a valid bug for freeradius package version 0.15.7_27?

                    AYSMAN @viktor_g
                    last edited by Feb 10, 2021, 3:50 AM

                    @viktor_g Thanks, this fix works. Cheers to you.

                      Gertjan @AYSMAN
                      last edited by Feb 10, 2021, 8:06 AM

                      I confirm.
                      I was doing stupid things .... the correction proposed works very well.
                      @viktor_g : 👍

                        viktor_g Netgate
                        last edited by Feb 10, 2021, 8:32 AM

                        Will be in the next FreeRADIUS pkg update (0.15.7_28)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.