FreeRADIUS 1.7.8 problem (Solved)
-
Hi
Everything was fine until I updated this... the service does not start.

Apr 12 22:00:51 radiusd 74435 Failed to load virtual server <default>
Apr 12 22:01:34 radiusd 35242 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
Apr 12 22:01:34 radiusd 35242 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
Apr 12 22:01:34 radiusd 35242 rlm_eap: Failed to initialize type tls
Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Apr 12 22:01:34 radiusd 35242 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Apr 12 22:01:34 radiusd 35242 Failed to load virtual server <default>
/usr/local/etc/raddb/eap.conf
```
### EAP
eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
	### DISABLED WEAK EAP TYPES MD5, GTC, LEAP ###
	### EAP-TLS and EAP-TLS with OCSP support
	tls {
		certdir = ${confdir}/certs
		cadir = ${confdir}/certs
		# private_key_password =
		private_key_file = ${certdir}/server_key.pem
		certificate_file = ${certdir}/server_cert.pem
		CA_file = ${cadir}/ca_cert.pem
		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 1024
		include_length = no
		check_crl = no
		CA_path = ${cadir}
		### check_cert_issuer = "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd/emailAddress=test@mycomp.com/CN=myca" ###
		### check_cert_cn = %{User-Name} ###
		cipher_list = "DEFAULT"
		ecdh_curve = "prime256v1"
		cache {
			enable = no
			lifetime = 24
			max_entries = 255
		}
		verify {
			# tmpdir = /tmp/radiusd
			# client = "/path/to/openssl verify -CApath %{TLS-Client-Cert-Filename}"
		}
		ocsp {
			enable = no
			override_cert_url = no
			url = "http://127.0.0.1/ocsp/"
		}
	}
	### EAP-TTLS
	ttls {
		default_eap_type = md5
		copy_request_to_tunnel = no
		use_tunneled_reply = no
		include_length = yes
	}
	### end ttls
	### EAP-PEAP
	peap {
		default_eap_type = mschapv2
		copy_request_to_tunnel = yes
		use_tunneled_reply = no
		# proxy_tunneled_request_as_eap = yes
		### MS SoH Server is disabled ###
	}
	mschapv2 {
		# send_error = no
	}
}
```
This is for Wi-Fi stuff. **pfSense 2.4.0-BETA (amd64), built on Tue Apr 11 23:43:27 CDT 2017** Some help? Need some more info?
-
Maybe a restart solves the problem?
Don't know, but after putting the right certificates in "Certificates for TLS" (SSL CA Certificate and SSL Server Certificate), FreeRADIUS is happy again... me too.
Is it really necessary to configure certs in TLS when using PEAP, or for any EAP type?
Edited: I didn't read this warning before upgrading to 1.7.8. I'm updating FreeRADIUS at a company and saw this, great!
WARNING!!!
The FreeRADIUS Cert Manager is not maintained, uses obsolete insecure cryptography (MD5/SHA1), offers no backup capabilities and is pending removal in near future. Users are strongly urged to transition to the Cert Manager built into pfSense as soon as possible. To use the built-in Cert Manager on pfSense, first create a CA and a Server Certificate at 'System > Cert Manager'.
Unchecked
Use FreeRADIUS Cert Manager (Deprecated, do NOT use!)
Checked
Use pfSense Cert Manager (Strongly recommended)
-
I am running 2.4 beta Apr 12 12:56:31
I am also running 1.7.8 of the freeradius package, and I did not see any issues with freeradius starting, nor any issues with my EAP-TLS clients connecting.
But then again, I have been using the pfSense Cert Manager from the get-go. This has always been the recommended setting AFAIK...
-
I use RADIUS to authenticate Ubnt NanoStation Locos, and the authentication is EAP-PEAP-MSCHAPv2. I don't know how this works, but is TLS needed in this particular setup? Are the certificates for TLS used between the client (Wi-Fi AP) and the RADIUS server? I don't remember putting any information in these fields (Certificates for TLS) in the EAP settings.
Anyway, I see some people solved the problem but didn't give a specific answer; maybe by digging deep into some forums I would eventually have found it. Staying in this topic for future troubleshooting.
This topic is not related to 2.4 beta and should be moved somewhere else, sorry.
-
Hi all,
I've updated pfSense from 2.3.3 to 2.3.3_1, and after reboot the FreeRADIUS service is not running anymore.
The logs:
Apr 13 11:50:56 radiusd[95667]: Failed to load virtual server <default>
Apr 13 11:50:56 radiusd[95667]: /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Apr 13 11:50:56 radiusd[95667]: /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Apr 13 11:50:56 radiusd[95667]: /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Apr 13 11:50:56 radiusd[95667]: rlm_eap: Failed to initialize type tls
Apr 13 11:50:56 radiusd[95667]: rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
Apr 13 11:50:56 radiusd[95667]: rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
The server_cert.pem file does not exist, but I'm not using EAP, I'm using only LDAP, and it worked very well before this update (it works on another machine with pfSense 2.2.4).
Any hint?
Thanks
-
Same here.
Apr 13 15:13:00 radiusd 41179 Failed to load virtual server <default>
Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Apr 13 15:13:00 radiusd 41179 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Apr 13 15:13:00 radiusd 41179 rlm_eap: Failed to initialize type tls
Apr 13 15:13:00 radiusd 41179 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
Apr 13 15:13:00 radiusd 41179 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
-
May have fixed my issue.
Went to "System > Cert Manager".
Made a CA named "ForTLS" and filled in all the other info.
Then went to FreeRADIUS > EAP
and under "Certificates for TLS" I set "ForTLS" under "SSL CA Certificate",
and under "EAP-TLS" I checked "Check Cert Issuer: Validate the certificate against the CA".
Then I filled in the same info used in the CA and hit save.
Went to Services and clicked the start icon and BAM! It started and logins now work.
(I am not good at "making" instructions)
Log output
Apr 13 15:58:38 radiusd 49495 Ready to process requests.
Apr 13 15:58:38 radiusd 49269 Loaded virtual server <default>
-
The bundled horrible FreeRADIUS certificate manager (defaulting to MD5) has been removed from the package (starting with 1.7.8). Configuring proper certificates in the pfSense Cert Manager is a required configuration step now.
https://redmine.pfsense.org/issues/7170
https://github.com/pfsense/FreeBSD-ports/pull/334
There is no way to migrate the old config if you were not using the pfSense Cert Manager before; you simply need to do the work yourself. We might put some file_notice() and/or install message in before 2.4 is released.
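Every failing log in this thread is the same root cause: the `tls { }` block of eap.conf points at `${certdir}/server_cert.pem` and friends, and after the package's own certificate manager was dropped those files no longer exist, so `rlm_eap_tls` fails at fopen() and the whole `default` virtual server refuses to load (even for LDAP-only setups, because the `eap` module is still instantiated). The following is an added pre-flight check written for this page; it is not part of the thread, the pfSense package, or FreeRADIUS. It parses the `tls` block of a FreeRADIUS 2.x-style eap.conf, expands `${confdir}`/`${certdir}`/`${cadir}` references the way the server does, and lists which referenced files or directories are missing before you try to start radiusd. The sample config, the temporary directory layout and the helper names (`parse_tls_block`, `expand`, `check_cert_files`, `missing_files`, `demo`) are all constructed for the example.

```python
"""Pre-flight check: which files named in a FreeRADIUS eap.conf tls {} block are absent?

Added example, not code from the thread or from pfSense/FreeRADIUS. Assumes a
FreeRADIUS 2.x-style eap.conf with one key = value per line and ${var} references,
which is the layout of the config posted above.
"""
import os
import re
import tempfile

# tls {} settings whose values are file or directory paths (from the posted config).
PATH_KEYS = ("private_key_file", "certificate_file", "CA_file",
             "dh_file", "random_file", "CA_path")

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def _strip_comment(line):
    # '#' starts a comment; the posted config has no '#' inside quoted values,
    # so a plain split is sufficient for this example.
    return line.split("#", 1)[0].rstrip()


def parse_tls_block(conf_text):
    """Collect key = value pairs at the top level of the first tls { } block.

    Nested sub-blocks (cache, verify, ocsp) are skipped, quotes around values
    are removed, and {} is returned when there is no tls block at all.
    """
    settings = {}
    depth = 0
    in_tls = False
    for raw in conf_text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if not in_tls:
            if re.match(r"^tls\s*\{", line):
                in_tls = True
                depth = 1
            continue
        if line.endswith("{"):            # entering cache { / verify { / ocsp {
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0:                # closing brace of tls { }
                break
            continue
        if depth == 1:
            m = _ASSIGN.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def expand(value, variables, max_rounds=10):
    """Expand ${name} references recursively; unknown names are left in place."""
    for _ in range(max_rounds):
        new = _VAR.sub(lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            return new
        value = new
    raise ValueError("circular ${...} reference in %r" % value)


def check_cert_files(conf_text, confdir):
    """Map each path-valued tls setting to (expanded_path, exists_on_disk).

    `confdir` stands in for the server's built-in ${confdir} (raddb directory);
    certdir, cadir and any other variables come from the tls block itself.
    """
    settings = parse_tls_block(conf_text)
    variables = dict(settings, confdir=confdir)
    report = {}
    for key in PATH_KEYS:
        if key in settings:
            path = expand(settings[key], variables)
            report[key] = (path, os.path.exists(path))
    return report


def missing_files(conf_text, confdir):
    """Sorted names of tls settings whose file or directory does not exist."""
    return sorted(k for k, (_, ok) in check_cert_files(conf_text, confdir).items() if not ok)


# Constructed sample: a trimmed copy of the tls {} layout posted in the thread.
SAMPLE_EAP_CONF = """\
eap {
    default_eap_type = peap
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        # private_key_password =
        private_key_file = ${certdir}/server_key.pem
        certificate_file = ${certdir}/server_cert.pem
        CA_file = ${cadir}/ca_cert.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        CA_path = ${cadir}
        cipher_list = "DEFAULT"
        cache {
            enable = no
        }
    }
    peap {
        default_eap_type = mschapv2
    }
}
"""


def demo():
    """Recreate the thread's situation: certs dir present, server cert/key gone."""
    with tempfile.TemporaryDirectory() as confdir:
        certs = os.path.join(confdir, "certs")
        os.mkdir(certs)
        for name in ("ca_cert.pem", "dh", "random"):   # constructed placeholder files
            with open(os.path.join(certs, name), "w"):
                pass
        return missing_files(SAMPLE_EAP_CONF, confdir)


if __name__ == "__main__":
    print("missing:", demo())   # → ['certificate_file', 'private_key_file']
```

Run against the real raddb directory by calling `missing_files(open("/usr/local/etc/raddb/eap.conf").read(), "/usr/local/etc/raddb")`; an empty list means every path the tls block names resolves to something on disk, which is the condition the "fopen: No such file or directory" error above is complaining about. It does not check that the files are valid certificates or that they were issued with a modern signature algorithm, which is the separate reason the warning text in the thread tells you to move to the pfSense Cert Manager.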