    FreeRADIUS 3 package will not start

    • P
      PFbest last edited by

      @jimp:

      FYI- The package is now up for 2.3.4 users to test out, too.

      Hi jimp,

      I've just upgraded to freeradius3 (pfsense 2.3.4-RELEASE-p1), now freeradius refuses to start, and there's no log regarding radiusd, what should I do?
      Is that a bug?
      I tried reinstall it, even uninstall v3 install v2 again.
      Still, freeradius won't start.
      It was all good till I upgraded to freeradius3.
      :'( :'( :'(

      Please help :'(

      Thanks!

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        I split this off because that other thread was dead. Wait until FreeRADIUS 0.15 shows up, then install it (or upgrade to it). If you still have problems on 0.15, then post any errors you see in the GUI or system log messages about radius or radiusd.

        • P
          PFbest last edited by

          @jimp:

          I split this off because that other thread was dead. Wait until FreeRADIUS 0.15 shows up, then install it (or upgrade to it). If you still have problems on 0.15, then post any errors you see in the GUI or system log messages about radius or radiusd.

          Hi jimp it's ok :)
          I forgot to mention, it is version 0.15.
          Because it appeared on the Available Packages page, so I upgraded :'(
          There is no error in system log, do you know where else (location) I can get a log or dump file?

          Only have these entries when I use "radius" as message filter

          
          Aug 31 22:48:19	pkg		pfSense-pkg-freeradius3-0.15 installed
          Aug 31 22:48:19	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 22:48:18	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 22:44:42	pkg		pfSense-pkg-freeradius3-0.15 deinstalled
          Aug 31 22:44:41	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 22:21:22	pkg		pfSense-pkg-freeradius3 reinstalled: 0.15 -> 0.15
          Aug 31 22:21:22	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 22:21:21	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 22:21:21	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 21:56:21	pkg		pfSense-pkg-freeradius3-0.15 installed
          Aug 31 21:56:21	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 21:56:20	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 21:54:39	pkg		freeradius3-3.0.15 installed
          Aug 31 21:52:32	pkg		freeradius-2.2.9 deinstalled
          Aug 31 21:52:32	pkg		pfSense-pkg-freeradius2-1.7.9 deinstalled
          Aug 31 21:52:31	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 21:48:23	pkg		pfSense-pkg-freeradius2-1.7.9 installed
          Aug 31 21:48:23	php		/etc/rc.packages: Successfully installed package: freeradius2.
          Aug 31 21:48:22	php		/etc/rc.packages: freeRADIUS: Creating new random file in /usr/local/etc/raddb/certs
          Aug 31 21:48:22	php		/etc/rc.packages: FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/files.backup
          Aug 31 21:48:22	php		/etc/rc.packages: FreeRADIUS: Creating backup of the original file to /usr/local/etc/raddb/policy.conf.backup
          Aug 31 21:48:22	php		/etc/rc.packages: Beginning package installation for freeradius2 .
          Aug 31 21:48:22	pkg		freeradius-2.2.9 installed
          Aug 31 21:45:42	pkg		freeradius3-3.0.15 deinstalled
          Aug 31 21:45:42	pkg		pfSense-pkg-freeradius3-0.15 deinstalled
          Aug 31 21:45:40	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 21:42:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:41:33	pkg		pfSense-pkg-freeradius3-0.15 installed
          Aug 31 21:41:33	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 21:41:31	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 21:41:31	pkg		freeradius3-3.0.15 installed
          Aug 31 21:41:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:40:47	pkg		freeradius3-3.0.15 deinstalled
          Aug 31 21:40:47	pkg		pfSense-pkg-freeradius3-0.15 deinstalled
          Aug 31 21:40:45	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 21:40:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:39:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:38:24	pkg		pfSense-pkg-freeradius3 reinstalled: 0.15 -> 0.15
          Aug 31 21:38:24	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 21:38:23	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 21:38:22	php		/etc/rc.packages: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
          Aug 31 21:38:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:37:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:36:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:35:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:34:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:32:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:31:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:30:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:29:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:28:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:27:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:26:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:25:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:24:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:23:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:22:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:21:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:20:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:19:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:18:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:17:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:16:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:15:00	php-cgi		servicewatchdog_cron.php: Service Watchdog detected service radiusd stopped. Restarting radiusd (FreeRADIUS Server)
          Aug 31 21:14:13	pkg		pfSense-pkg-freeradius3-0.15 installed
          Aug 31 21:14:13	php		/etc/rc.packages: Successfully installed package: freeradius3.
          Aug 31 21:14:12	php		/etc/rc.packages: Beginning package installation for freeradius3 .
          Aug 31 21:14:12	pkg		freeradius3-3.0.15 installed
          Aug 31 21:14:08	pkg		freeradius-2.2.9 deinstalled
          Aug 31 21:14:08	pkg		pfSense-pkg-freeradius2-1.7.9 deinstalled
          
          
          • D
            doktornotor Banned last edited by

            Run

            
            radiusd -X
            
            

            from console and post the output.

            • P
              PFbest last edited by

              @doktornotor:

              Run

              
              radiusd -X
              
              

              from console and post the output.

              Huge thanks man! ;D ;D ;D
              Got this from console
              Guess I could dive into those files, my guess is it's due to upgrade?
              The conf file must be from V2, so probably it's not compatible with V3?
              :)

              FreeRADIUS Version 3.0.15
              Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
              There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
              PARTICULAR PURPOSE
              You may redistribute copies of FreeRADIUS under the terms of the
              GNU General Public License
              For more information about these matters, see the file named COPYRIGHT
              Starting - reading configuration files ...
              including dictionary file /usr/local/share/freeradius/dictionary
              including dictionary file /usr/local/share/freeradius/dictionary.dhcp
              including dictionary file /usr/local/share/freeradius/dictionary.vqp
              including dictionary file /usr/local/etc/raddb/dictionary
              including configuration file /usr/local/etc/raddb/radiusd.conf
              including configuration file /usr/local/etc/raddb/clients.conf
              /usr/local/etc/raddb/clients.conf[20]: Parse error after "f": unexpected token "<"
              Errors reading or parsing /usr/local/etc/raddb/radiusd.conf
              
              • D
                doktornotor Banned last edited by

                What's in /usr/local/etc/raddb/clients.conf? (line 20, but post some context as well).

                • P
                  PFbest last edited by

                  @doktornotor:

                  What's in /usr/local/etc/raddb/clients.conf? (line 20, but post some context as well).

                  mmmm, Interesting

                  line 20 is this: secret = A<103.,c-!:@=1;d,f<@># <dkg1nc-1
                  It must be improper character escape bug I assume? Since it's working under V2
                  ;)

                  • P
                    PFbest last edited by

                    Fixed secret, now I have new error with radiusd -X

                    tls: Failed reading Trusted root CA list "/usr/local/etc/raddb/certs/ca_cert.pem"
                    tls: error:0906D066:PEM routines:PEM_read_bio:bad end line
                    tls: error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib
                    rlm_eap_tls: Failed initializing SSL context
                    rlm_eap (EAP): Failed to initialise rlm_eap_tls
                    /usr/local/etc/raddb/mods-enabled/eap[2]: Instantiation failed for module "eap"
                    

                    :o

                    • D
                      doktornotor Banned last edited by

                      No idea what you have there in ca_cert.pem. It's supposed to end with

                      
                      -----END CERTIFICATE-----
                      
                      
                      • P
                        PFbest last edited by

                        @doktornotor:

                        No idea what you have there in ca_cert.pem. It's supposed to end with

                        
                        -----END CERTIFICATE-----
                        
                        

                        Weird, my CA was the default one, generated when pfsense was installed

                        • P
                          PFbest last edited by

                          Interesting.

                          After digging into the CA.

                          I found that the CA file was cut off at the end, like several lines are missing.

                          After I copied back the complete CA content, everything rocks again. ;D ;D

                          That's something new to know I guess.

                          Thanks very much guys!

                          Cheers!!!
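
A framing check for the failure found above (a ca_cert.pem cut off before its END line), as an added example that is not part of the thread or of the pfSense package. The function name is hypothetical and the sample bodies are constructed base64, not real certificates.

```php
<?php
// Added example; pemFramingProblems() and the sample data are constructed for illustration.

/**
 * Return a list of structural problems in a PEM bundle; an empty list means
 * every BEGIN has a matching END and a base64 body.
 * This checks framing only, not the certificate contents.
 */
function pemFramingProblems(string $pem): array
{
    $problems = [];
    $open = null;   // label of the block currently open, or null
    $body = '';
    $blocks = 0;
    foreach (preg_split('/\r\n|\n|\r/', $pem) as $no => $line) {
        $line = trim($line);
        if (preg_match('/^-----BEGIN ([A-Z0-9 ]+)-----$/', $line, $m)) {
            if ($open !== null) {
                $problems[] = sprintf('line %d: BEGIN %s inside unterminated %s block', $no + 1, $m[1], $open);
            }
            $open = $m[1];
            $body = '';
        } elseif (preg_match('/^-----END ([A-Z0-9 ]+)-----$/', $line, $m)) {
            if ($open !== $m[1]) {
                $problems[] = sprintf('line %d: END %s without matching BEGIN', $no + 1, $m[1]);
            } else {
                $blocks++;
                if ($body === '' || base64_decode($body, true) === false) {
                    $problems[] = sprintf('line %d: %s body is not valid base64', $no + 1, $m[1]);
                }
            }
            $open = null;
        } elseif ($open !== null) {
            $body .= $line;   // collect body lines of the open block
        }
    }
    if ($open !== null) {
        $problems[] = "end of file: $open block has no END line (file truncated?)";
    }
    if ($blocks === 0 && !$problems) {
        $problems[] = 'no PEM blocks found';
    }
    return $problems;
}

// Constructed samples: one complete block and one cut off before its END line.
$complete  = "-----BEGIN CERTIFICATE-----\nQUJDREVG\nR0g=\n-----END CERTIFICATE-----\n";
$truncated = "-----BEGIN CERTIFICATE-----\nQUJDREVG\n";

foreach (['complete' => $complete, 'truncated' => $truncated] as $name => $pem) {
    $found = pemFramingProblems($pem);
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', "\n";
}
```

A clean framing pass does not prove the certificate itself parses; PHP's `openssl_x509_read()` on the same text covers that.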

                          • D
                            doktornotor Banned last edited by

                            OK… No idea how the CA file got corrupted, the package just uses whatever is saved as a selected CA certificate in config.xml.

                            • P
                              PFbest last edited by

                              @doktornotor:

                              OK… No idea how the CA file got corrupted, the package just uses whatever is saved as a selected CA certificate in config.xml.

                              I know, it's weird.
                              I don't even know when it gets corrupted.
                              At least now I know there is one more thing to be aware of when freeradius goes wrong.

                              ;)

                              • D
                                doktornotor Banned last edited by

                                One more thing - can you test the shared secret like this?

                                'A<103.,c-!:@=1;d,f<@># <dkg1nc-1'
                                (Save and check whether RADIUS is still running.)

                                • P
                                  PFbest last edited by

                                  @doktornotor:

                                  One more thing - can you test the shared secret like this?

                                  'A<103.,c-!:@=1;d,f<@># <dkg1nc-1'
                                  (Save and check whether RADIUS is still running.)

                                  Like put exactly 'A<103.,c-!:@=1;d,f<@>#

                                  • D
                                    doktornotor Banned last edited by

                                    Yes.

                                    • P
                                      PFbest last edited by

                                      @doktornotor:

                                      Yes.

                                      Errrr, guess it won't work?
                                      Cause it's over 31 characters :o

                                      • D
                                        doktornotor Banned last edited by

                                        It should still stay 31 characters, just avoid the misparsing issues. See man unlang regarding the single quotes. The single quotes shouldn't count as part of the secret.

                                        • P
                                          PFbest last edited by

                                          @doktornotor:

                                          It should still stay 31 characters, just avoid the misparsing issues. See man unlang regarding the single quotes. The single quotes shouldn't count as part of the secret.

                                          Ummmmmm
                                          It returns error as in image


                                          • D
                                            doktornotor Banned last edited by

                                            Eh, well… edit this line to 33. I just wanted you to test whether it stops breaking the config, that's all.

                                            • P
                                              PFbest last edited by

                                              @doktornotor:

                                              Eh, well… edit this line to 33. I just wanted you to test whether it stops breaking the config, that's all.

                                              Cool, tested.
                                              Results are:

                                              | freeradius | ap | Results |
                                              | 'A<103.,c-!:@=1;d,f<@># | 'A<103.,c-!:@=1;d,f<@># | Fail |
                                              | 'A<103.,c-!:@=1;d,f<@># | A<103.,c-!:@=1;d,f<@># | Pass |

                                              • D
                                                doktornotor Banned last edited by

                                                Yes, as said, the secret does not really change. I'll do a PR to add single quotes around the secret automatically so that you can input it without quotes in both the AP and pfSense.

                                                https://redmine.pfsense.org/issues/7836
                                                https://github.com/pfsense/FreeBSD-ports/pull/415

                                                • P
                                                  PiBa last edited by

                                                  Thanks doktornotor 8)
                                                  One question though, can a single quote (or backslash) be part of the secret? And if so, should it also be escaped?
                                                  Found this http://networkradius.com/doc/3.0.10/raddb/syntax/data_string.html but not sure it's about the exact same software.

                                                  Example
                                                  'a string with spaces'
                                                  'a string with \'quotes\' in it'
                                                  'a string with a backslash \\ in it'
                                                  

                                                  Um ok, reading your pull request while writing this i realize you're asking the enduser to do this, but then the check for 31 characters should perhaps also allow more characters? Wouldn't it be easier to let the code writing the config file do the proper escaping?

                                                  • D
                                                    doktornotor Banned last edited by

                                                    There are tons of places in pfSense where the code won't work as expected when doing things like putting various UTF-8 accented chars, or even multibyte characters into passwords, secrets and other settings since it either breaks config.xml or strlen() and other non mb_ prefixed functions don't handle this.

                                                    https://redmine.pfsense.org/issues/7186
                                                    https://redmine.pfsense.org/issues/7423
                                                    https://redmine.pfsense.org/issues/7623

                                                    The field in freeradiusclients.xml is not base64-encoded because it wasn't possible with XML and password-type field. Now, when you attempt to use some functions to automatically escape/replace things with those non-encoded strings, you run into things like this one. When you switch the field to use base64, you need to write code to upgrade the config automatically on installing the next package version.

                                                    Afraid someone else will need to do the job since I frankly think that people that insist on shooting themselves in the foot need to pick up the pieces. (I recall a couple of threads here where people were complaining that putting a carriage return character in password makes their life miserable with password prompts…  ::))

                                                    • D
                                                      doktornotor Banned last edited by

                                                      And one final thing - the idea to "let the code writing the config file do the proper escaping" is very cool until you run into a genius who invents a secret like f#$k'1t and you don't know whether he meant to escape the ' or literally use ' :-X

                                                      • P
                                                        PiBa last edited by

                                                        Ok the ' and \ aren't 'very special' like some of the other examples you provide, but i get the point ;D
                                                        Having a carriage return in a password must be very secure, i haven't thought about using that in any of my passwords so far ;).

                                                        imho in general escaping in config files should be done by 'the software', and if a genius did it manually, then i suppose that's too bad for them when pfSense gets 'fixed'. Can't expect the enduser to know/lookup every escape sequence for each piece of software used by pfSense. So your patch certainly helps make that clear for this field. But i guess my point is made :)

                                                        Let's wait for someone to run into it and then perhaps take another look.

                                                        • P
                                                          PFbest last edited by

                                                          @doktornotor:

                                                          Yes, as said, the secret does not really change. I'll do a PR to add single quotes around the secret automatically so that you can input it without quotes in both the AP and pfSense.

                                                          https://redmine.pfsense.org/issues/7836
                                                          https://github.com/pfsense/FreeBSD-ports/pull/415

                                                          Cool! ;)

                                                          Thanks! ;D

                                                          • D
                                                            doktornotor Banned last edited by

                                                            @PiBa:

                                                            i realize you're asking the enduser to do this, but then the check for 31 characters should perhaps also allow more characters?

                                                            Actually I'd say it works properly as is:

                                                            
                                                            $post['varclientsharedsecret'] = '0123456789\\\\0123456789\\0123456789\\\\\'\'\'';
                                                            echo $post['varclientsharedsecret'];
                                                            echo "\n";
                                                            echo strlen($post['varclientsharedsecret']);
                                                            
                                                            

                                                            Result:

                                                            
                                                            0123456789\\0123456789\0123456789\\'''
                                                            38
                                                            
                                                            

                                                            Now, consider trying to match/escape things (meant as literal unescaped string) such as \' properly:

                                                            preg_match_all("/[\\\](?!\\'){1}/", $post['varclientsharedsecret'])
                                                            

                                                            just to match a single \ while avoiding hitting the "escaped" ' if it follows. Oooops shit… Well I'd say the escaping is way better left to users.
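
The alternative PiBa raises above (the code that writes clients.conf does the quoting and escaping), as an added example that is not part of the thread or of the pfSense package. It assumes the single-quoted string rules from the networkradius.com page linked above (a backslash escapes only `\` and `'`), always treats the input as the literal secret, and uses hypothetical names (`quoteRadiusSecret`, `unquoteRadiusSecret`, `MAX_SECRET_LEN`).

```php
<?php
// Added example: not code from the thread or from the pfSense FreeRADIUS package.
// Function names and MAX_SECRET_LEN are hypothetical.

const MAX_SECRET_LEN = 31; // the GUI limit the thread mentions

/**
 * Render a shared secret as a single-quoted clients.conf string.
 * Assumption: the input is always the literal secret, never pre-escaped text.
 */
function quoteRadiusSecret(string $secret): string
{
    if ($secret === '') {
        throw new InvalidArgumentException('secret must not be empty');
    }
    // Length is checked on the raw secret, before quotes and escapes are added,
    // so the added characters never count against the limit.
    if (strlen($secret) > MAX_SECRET_LEN) {
        throw new InvalidArgumentException('secret longer than ' . MAX_SECRET_LEN . ' bytes');
    }
    // Control characters (CR, LF, NUL, ...) would split or corrupt the config line.
    if (preg_match('/[\x00-\x1F\x7F]/', $secret)) {
        throw new InvalidArgumentException('secret contains a control character');
    }
    // strtr() with an array makes a single pass, so a backslash inserted as an
    // escape is never escaped a second time.
    $escaped = strtr($secret, ['\\' => '\\\\', "'" => "\\'"]);
    return "'" . $escaped . "'";
}

/** Inverse of quoteRadiusSecret(): the value a reader of the quoted string recovers. */
function unquoteRadiusSecret(string $quoted): string
{
    if (strlen($quoted) < 2 || $quoted[0] !== "'" || substr($quoted, -1) !== "'") {
        throw new InvalidArgumentException('not a single-quoted string');
    }
    $body = substr($quoted, 1, -1);
    $out = '';
    for ($i = 0, $n = strlen($body); $i < $n; $i++) {
        $next = $i + 1 < $n ? $body[$i + 1] : '';
        if ($body[$i] === '\\' && ($next === '\\' || $next === "'")) {
            $i++; // drop the escaping backslash, keep the escaped character
        }
        $out .= $body[$i];
    }
    return $out;
}

// Constructed samples. The first is the secret as it survives on this page;
// the last is a literal backslash followed by a literal quote.
$samples = ['A<103.,c-!:@=1;d,f<@>#', "it's", 'back\\slash', '\\\''];
foreach ($samples as $s) {
    $q = quoteRadiusSecret($s);
    printf("secret = %-28s round-trip %s\n", $q, unquoteRadiusSecret($q) === $s ? 'ok' : 'MISMATCH');
}

// A carriage return inside the secret is refused instead of being written out.
try {
    quoteRadiusSecret("line\rbreak");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```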
