    FreeRADIUS 1.7.8 problem (Solved)

    pfSense Packages
    • Raul Ramos

      Hi,
      Everything was fine until I updated this... now the service does not start.

      ```
      Apr 12 22:00:51 radiusd 74435 Failed to load virtual server <default>
      Apr 12 22:01:34 radiusd 35242 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
      Apr 12 22:01:34 radiusd 35242 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
      Apr 12 22:01:34 radiusd 35242 rlm_eap: Failed to initialize type tls
      Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
      Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
      Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
      Apr 12 22:01:34 radiusd 35242 Failed to load virtual server <default>
      ```
      /usr/local/etc/raddb/eap.conf
      ```
      ### EAP
      eap {
          default_eap_type = peap
          timer_expire    = 60
          ignore_unknown_eap_types = no
          cisco_accounting_username_bug = no
          max_sessions = 4096

          ### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###

          ### EAP-TLS and EAP-TLS with OCSP support
          tls {
              certdir = ${confdir}/certs
              cadir = ${confdir}/certs
              # private_key_password =
              private_key_file = ${certdir}/server_key.pem
              certificate_file = ${certdir}/server_cert.pem
              CA_file = ${cadir}/ca_cert.pem
              dh_file = ${certdir}/dh
              random_file = ${certdir}/random
              fragment_size = 1024
              include_length = no
              check_crl = no
              CA_path = ${cadir}
              ### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
              ### check_cert_cn = %{User-Name} ###
              cipher_list = "DEFAULT"
              ecdh_curve = "prime256v1"
              cache {
                  enable = no
                  lifetime = 24
                  max_entries = 255
              }
              verify {
              #     tmpdir = /tmp/radiusd
              #     client = "/path/to/openssl verify -CApath  %{TLS-Client-Cert-Filename}"
              }
              ocsp {
                  enable = no
                  override_cert_url = no
                  url = "http://127.0.0.1/ocsp/"
              }
          }

          ### EAP-TTLS
          ttls {
              default_eap_type = md5
              copy_request_to_tunnel = no
              use_tunneled_reply = no
              include_length = yes
          }   ### end ttls

          ### EAP-PEAP
          peap {
              default_eap_type = mschapv2
              copy_request_to_tunnel = yes
              use_tunneled_reply = no
          #   proxy_tunneled_request_as_eap = yes
              ### MS SoH Server is disabled ###
          }
          mschapv2 {
          #   send_error = no
          }
      }
      ```
      
      
      This is for Wi-Fi. **pfSense 2.4.0-BETA (amd64), built on Tue Apr 11 23:43:27 CDT 2017**
      Some help? Tell me if you need more info.

      pfSense:
      ASRock -> Wolfdale1333-D667 (2GB TeamElite Ram)
      Marvell 88SA8040 Sata to CF(Sandisk 4GB) Controller
      NIC's: RTL8100E (Internal ) and Intel® PRO/1000 PT Dual (Intel 82571GB)

      • Raul Ramos

        Maybe a restart solves the problem?

        I don't know, but after putting the right certificates in "Certificates for TLS" (SSL CA Certificate and SSL Server Certificate), FreeRADIUS is happy again... me too.

        Is it really necessary to configure certs for TLS when using PEAP, or for any EAP type?

        Edit: I didn't read this warning before upgrading to 1.7.8. I'm updating FreeRADIUS at a company and saw this, great!

        WARNING!!!
        The FreeRADIUS Cert Manager is not maintained, uses obsolete insecure cryptography (MD5/SHA1), offers no backup capabilities and is pending removal in near future.

        Users are strongly urged to transition to the Cert Manager built into pfSense as soon as possible. To use the built-in Cert Manager on pfSense, first create a CA and a Server Certificate at 'System > Cert Manager'.

        [ ] Use FreeRADIUS Cert Manager (Deprecated, do NOT use!)
        [x] Use pfSense Cert Manager (Strongly recommended)

        • johnpoz (Global Moderator)

          I am running the 2.4 beta, Apr 12 12:56:31 build.

          I am also running 1.7.8 of the freerad package... and I did not see any issues with freerad starting, nor any issues with my EAP-TLS clients connecting.

          But then again I have been using the pfSense Cert Manager from the get-go... This has always been the recommended setting AFAIK...

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          2440 2.4.5p1 | 2x 3100 2.4.4p3 | 2x 3100 22.01 | 4860 22.05

          • Raul Ramos

            I use RADIUS to authenticate Ubnt NanoStation Locos and the authentication is EAP-PEAP-MSCHAPv2. I don't know how this works, but is TLS needed in this particular setup? Are the "Certificates for TLS" used between the client (Wi-Fi AP) and the RADIUS server? I don't remember putting any information in these fields (Certificates for TLS) in the EAP settings.

            Anyway, I see some people solved the problem but did not give a specific answer; maybe by digging through some forums I would eventually have found it. I'll stay on this topic for future troubleshooting.

            This topic is not related to the 2.4 beta and should be moved somewhere else, sorry.

            • fvsantos

              Hi all,

              I've updated pfSense from 2.3.3 to 2.3.3_1, and after the reboot the FreeRADIUS service is not running anymore.

              The logs:

              ```
              Apr 13 11:50:56 	radiusd[95667]: Failed to load virtual server <default>
              Apr 13 11:50:56 	radiusd[95667]: /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
              Apr 13 11:50:56 	radiusd[95667]: /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
              Apr 13 11:50:56 	radiusd[95667]: /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
              Apr 13 11:50:56 	radiusd[95667]: rlm_eap: Failed to initialize type tls
              Apr 13 11:50:56 	radiusd[95667]: rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
              Apr 13 11:50:56 	radiusd[95667]: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
              ```
              

              The server_cert.pem file does not exist, but I'm not using EAP, I'm using only LDAP, and it worked very well before this update (it works on another machine with pfSense 2.2.4).

              Any hint?

              Thanks

              • HooKed

                Same here.

                ```
                Apr 13 15:13:00 radiusd 41179 Failed to load virtual server <default>
                Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
                Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
                Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
                Apr 13 15:13:00 radiusd 41179 rlm_eap: Failed to initialize type tls
                Apr 13 15:13:00 radiusd 41179 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
                Apr 13 15:13:00 radiusd 41179 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
                ```

                • HooKed

                  I may have fixed my issue.

                  Went to "System > Cert Manager".

                  Made a CA named "ForTLS" and filled in all the other info.

                  Then went to FreeRADIUS > EAP,

                  and under "Certificates for TLS" I set "ForTLS" as the "SSL CA Certificate",

                  and under "EAP-TLS" I checked "Check Cert Issuer (Validate the certificate against the CA)".

                  Then I filled in the same info used in the CA and hit save.

                  Went to Services and clicked the start icon and BAM! It started and logins now work.

                  (I am not good at writing instructions.)

                  Log output:
                  ```
                  Apr 13 15:58:38 radiusd 49495 Ready to process requests.
                  Apr 13 15:58:38 radiusd 49269 Loaded virtual server <default>
                  ```

                  • doktornotor

                    The bundled horrible FreeRADIUS certificate manager (defaulting to MD5) has been removed from the package (starting with 1.7.8). Configuring proper certificates in the pfSense Cert Manager is a required configuration step now.

                    https://redmine.pfsense.org/issues/7170
                    https://github.com/pfsense/FreeBSD-ports/pull/334

                    There is no way to migrate the old config if you were not using the pfSense cert manager before, you simply need to do the work yourself. Probably might put some file_notice() and/or install message before 2.4 is released.
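A pre-flight check for the two points raised in this thread, as an added example that is not part of the original posts or of the pfSense FreeRADIUS package: the missing-file failure behind the `fopen: No such file or directory` log line in the first post, and the MD5/SHA-1 certificates that doktornotor says the removed Cert Manager produced by default. The script resolves the `${confdir}`, `${certdir}` and `${cadir}` variables exactly as the posted eap.conf uses them, reports every file `rlm_eap_tls` will open, and, when openssl is present, flags certificates whose signature algorithm is MD5 or SHA-1 based. The function names, the default confdir of `/usr/local/etc/raddb` (the path in the log lines) and the exact output format are my own assumptions; the eap.conf fragment used when testing it is constructed from the one posted above.

```shell
#!/bin/sh
# Added example, not pfSense package code: pre-flight check for the tls { }
# block of FreeRADIUS eap.conf. Function names and output format are my own.

# radcert_paths CONF CONFDIR
# Print "setting resolved_path" for private_key_file, certificate_file,
# CA_file and dh_file, with ${confdir}/${certdir}/${cadir} expanded the way
# the posted eap.conf defines them (certdir/cadir are read from the file).
radcert_paths() {
    awk -v confdir="$2" '
        # literal (non-regex) substring replacement, so "${...}" needs no escaping
        function repl(s, from, to,    i) {
            while ((i = index(s, from)) > 0)
                s = substr(s, 1, i - 1) to substr(s, i + length(from))
            return s
        }
        function expand(v) {
            v = repl(v, "${confdir}", confdir)
            v = repl(v, "${certdir}", vars["certdir"])
            v = repl(v, "${cadir}",   vars["cadir"])
            return v
        }
        /^[[:space:]]*#/ { next }                      # comment lines
        /^[[:space:]]*[A-Za-z_]+[[:space:]]*=/ {       # "key = value"
            key = $1; sub(/[[:space:]]*=.*$/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val)
            sub(/[[:space:]]*$/, "", val); gsub(/^"|"$/, "", val)
            vars[key] = expand(val)
            if (key ~ /^(private_key_file|certificate_file|CA_file|dh_file)$/)
                print key, vars[key]
        }
    ' "$1"
}

# radcert_check CONF CONFDIR
# Print one "ok"/"MISSING" line per referenced file; return 0 only if all exist.
# A MISSING line is the file radiusd will report as "fopen: No such file".
radcert_check() {
    report=$(radcert_paths "$1" "$2" | while read -r key path; do
        if [ -f "$path" ]; then
            printf 'ok      %s %s\n' "$key" "$path"
        else
            printf 'MISSING %s %s\n' "$key" "$path"
        fi
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^MISSING'
}

# radcert_sigalg PEM
# Print the certificate's signature algorithm; return 1 if it is MD5 or SHA-1
# based (a certificate that should be reissued from the pfSense Cert Manager),
# 2 if openssl cannot read the file.
radcert_sigalg() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    [ -n "$alg" ] || { echo "unreadable: $1"; return 2; }
    printf '%s\n' "$alg"
    case "$alg" in
        md5*|sha1*|*MD5*|*SHA1*) return 1 ;;
    esac
    return 0
}

# Usage: sh radcert_check.sh /usr/local/etc/raddb/eap.conf [confdir]
if [ "$#" -gt 0 ]; then
    dir=${2:-/usr/local/etc/raddb}
    radcert_check "$1" "$dir" || exit 1
    radcert_paths "$1" "$dir" | while read -r key pem; do
        case "$key" in certificate_file|CA_file)
            if alg=$(radcert_sigalg "$pem"); then
                printf '%s: %s\n' "$pem" "$alg"
            else
                printf '%s: %s (reissue this certificate)\n' "$pem" "$alg"
            fi ;;
        esac
    done
fi
```

Run it on the box before restarting radiusd; every MISSING line is a file the first post's log would complain about, and a `md5WithRSAEncryption` or `sha1WithRSAEncryption` line means the certificate still comes from the removed manager and should be recreated under System > Cert Manager. The parser only handles the flat `key = value` lines of the tls block; it does not evaluate FreeRADIUS's `%{...}` expansions.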
