[SOLVED] freeradius stopped working and it won't restart



  • Hi guys

    I'm at a loss here

    I've been running pfs 2.3.2-RELEASE-p1 (i386) for the entire year with no problems.
    recently users of the cp advised that they were unable to login with error:
    Error Sending Request: No valid RADIUS responses received
    when I login to the console I see the service freeradius down, and I can't seem to be able to get radiusd back up.

    things I've tried with no happy ending:

    recently the system logs for the radiusd show the following

    Jul 20 19:18:24 radiusd 81572 Failed to load virtual server <default>
    Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:18:37 radiusd 17729 Failed to load virtual server <default>
    Jul 20 19:18:37 radiusd 17729 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:18:37 radiusd 17729 rlm_eap: Failed to initialize type tls
    Jul 20 19:18:37 radiusd 17729 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:22:01 radiusd 49629 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:22:01 radiusd 49629 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:22:01 radiusd 49629 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:22:01 radiusd 49629 Failed to load virtual server <default>
    Jul 20 19:22:01 radiusd 49629 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:22:01 radiusd 49629 rlm_eap: Failed to initialize type tls
    Jul 20 19:22:01 radiusd 49629 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:22:13 radiusd 77157 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:22:13 radiusd 77157 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:22:13 radiusd 77157 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:22:13 radiusd 77157 Failed to load virtual server <default>
    Jul 20 19:22:13 radiusd 77157 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:22:13 radiusd 77157 rlm_eap: Failed to initialize type tls
    Jul 20 19:22:13 radiusd 77157 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:22:53 radiusd 50753 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:22:53 radiusd 50753 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:22:53 radiusd 50753 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:22:53 radiusd 50753 Failed to load virtual server <default>
    Jul 20 19:22:53 radiusd 50753 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:22:53 radiusd 50753 rlm_eap: Failed to initialize type tls
    Jul 20 19:22:53 radiusd 50753 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:23:17 radiusd 98370 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:23:17 radiusd 98370 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:23:17 radiusd 98370 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:23:17 radiusd 98370 Failed to load virtual server <default>
    Jul 20 19:23:17 radiusd 98370 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:23:17 radiusd 98370 rlm_eap: Failed to initialize type tls
    Jul 20 19:23:17 radiusd 98370 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:23:55 radiusd 75439 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:23:55 radiusd 75439 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:23:55 radiusd 75439 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:23:55 radiusd 75439 Failed to load virtual server <default>
    Jul 20 19:23:55 radiusd 75439 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:23:55 radiusd 75439 rlm_eap: Failed to initialize type tls
    Jul 20 19:23:55 radiusd 75439 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
    Jul 20 19:26:06 radiusd 43335 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
    Jul 20 19:26:06 radiusd 43335 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
    Jul 20 19:26:06 radiusd 43335 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
    Jul 20 19:26:06 radiusd 43335 Failed to load virtual server <default>
    Jul 20 19:26:06 radiusd 43335 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
    Jul 20 19:26:06 radiusd 43335 rlm_eap: Failed to initialize type tls
    Jul 20 19:26:06 radiusd 43335 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory

    I don't use an ssl certificate or an external mysql server, all I have in freeradius are 20+ users that authenticate via cp before they can go on internet on my wlan interface, I wouldn't mind blowing that config if I can get the service up again if needed.

    Not sure what changed, or if the user db got corrupted somehow (that's my guess)

    any suggestions?

    Any help is greatly appreciated.



  • trying to set up certs as it seems to be a requirement as per solutions posted on

    https://forum.pfsense.org/index.php?topic=129630.0

    https://forum.pfsense.org/index.php?topic=128923.0

    will confirm if this works once I get the chance.

    tks



  • Add this one to your list  https://forum.pfsense.org/index.php?topic=131883.0  ;)



  • Hi guys

    Well, the certs were definitely the problem

    I created root and interm CA certificates under system > cert manager
    created a cert for my box in the same area
    then in services > freeradius , eap tab I set the certs previously created
    and voila, automagically, without pushing restart, the freeradius service came back to life.  :D

    I know the theory about certs and the importance in regards to security but never had a "real" need for them. I guess this is a good time to learn about them so there's still some work to do but at least captive portal users are now able to login :)

    Thanks Gertjan for replying. I glimpsed through the post you suggested and I did run into a few freeradius3 posts while looking for answers to my problem but even when I was reinstalling freeradius while troubleshooting my issue I didn't see that package come up, all it showed in package manager was freeradius2. Might consider looking into that once I upgrade pfsense by the end of this year.

    Thank you guys


  • Rebel Alliance Developer Netgate

    @fcortes:

    • Updated my freeradius version to the last one that was available in package manager: freeradius2 net 1.7.8

    Uninstall FreeRADIUS 2.x. Install FreeRADIUS 3.x.

    The 2.x package is EOL and has security problems. It will be removed soon.

    The 3.x package is stable, secure, and works better. It can make certificates for you, too, and avoids this problem entirely.



  • Hi Jimp

    I saw freeradius3 was out while reading through posts, but while dealing with this issue and uninstalling freeradius, when I looked up freeradius in package manager freeradius3 didn't show up as far as I can remember. Did I miss it? Is there another way to get freeradius3 installed that is not through package manager?

    Thank you for your follow up

    Cheers


  • Rebel Alliance Developer Netgate

    You need to be on pfSense 2.3.4 or later to get FreeRADIUS 3.x.



  • radiusd -X
    }
      # Loading module "datacounterforever" from file /usr/local/etc/raddb/mods-enabled/datacounter_acct
      exec datacounterforever {
            wait = yes
            program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets} %{request:Acct-Status-Type} %{request:Acct-Session-Id}"
            shell_escape = yes
      }
    /usr/local/etc/raddb/mods-enabled/counter[2]: Failed to link to module 'rlm_counter': Shared object "libgdbm.so.4" not found, required by "rlm_counter.so"

    Error, radius does not start. (freeradius3)
    Help me please
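
Both failures in this thread (the missing EAP-TLS certificate in the first post's system log and the missing shared library in the last post's `radiusd -X` output) bury one root-cause line under messages that only report the fallout. The following is an added example, not code from any poster or from the FreeRADIUS or pfSense projects: it groups lines per start attempt and picks out the line naming what is actually missing. The names `triage`, `SAMPLE_LOG` and `ROOT_CAUSES` are hypothetical, and the sample lines are constructed in the shape of the ones quoted above.

```python
import re
from collections import OrderedDict

# Constructed sample, shaped like the log lines quoted in the thread.
SAMPLE_LOG = """\
Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/eap.conf[2]: Instantiation failed for module "eap"
Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/sites-enabled/default[263]: Errors parsing authenticate section.
Jul 20 19:18:37 radiusd 17729 /usr/local/etc/raddb/sites-enabled/default[328]: Failed to find "eap" in the "modules" section.
Jul 20 19:18:37 radiusd 17729 Failed to load virtual server <default>
Jul 20 19:18:37 radiusd 17729 rlm_eap_tls: Error reading certificate file /usr/local/etc/raddb/certs/server_cert.pem
Jul 20 19:18:37 radiusd 17729 rlm_eap: Failed to initialize type tls
Jul 20 19:18:37 radiusd 17729 rlm_eap: SSL error error:02001002:system library:fopen:No such file or directory
/usr/local/etc/raddb/mods-enabled/counter[2]: Failed to link to module 'rlm_counter': Shared object "libgdbm.so.4" not found, required by "rlm_counter.so"
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\sradiusd\s(?P<pid>\d+)\s(?P<msg>.*)$")

# Messages that name the thing that is actually missing; every other line counts as fallout.
ROOT_CAUSES = [
    ("missing_certificate",
     re.compile(r"rlm_eap_tls: Error reading certificate file (?P<what>\S+)")),
    ("missing_shared_library",
     re.compile(r"Failed to link to module '[^']+': Shared object \"(?P<what>[^\"]+)\" not found")),
]

def triage(log_text):
    """Group lines per start attempt and return one finding per attempt."""
    attempts = OrderedDict()  # key: PID, or "debug" for radiusd -X lines without a syslog prefix
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SYSLOG.match(line)
        key, msg = (m["pid"], m["msg"]) if m else ("debug", line)
        entry = attempts.setdefault(key, {"cause": "unknown", "what": None, "fallout": 0})
        for name, pattern in ROOT_CAUSES:
            hit = pattern.search(msg)
            if hit:
                entry["cause"], entry["what"] = name, hit["what"]
                break
        else:
            entry["fallout"] += 1
    return attempts

if __name__ == "__main__":
    for attempt, finding in triage(SAMPLE_LOG).items():
        print(attempt, finding)
```
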