Radius PHP Errors after 2.4.4 Update

  • Starting from 2.3.4_p1 I removed all packages and started the upgrade via webadmin.
    The process did not show any errors and finished with "Success".

    After around 10 minutes I could ping the pfsense and connectivity was up.

    Unfortunately I cannot log in to the webadmin.

    Fatal error: Error converting Address in /usr/local/share/pear/Auth/RADIUS.php on line 218 PHP ERROR: Type: 1, File: /usr/local/share/pear/Auth/RADIUS.php, Line: 218, Message: Error converting Address

    I connected to the usb console and tried a second run

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade
    pkg-static upgrade -f

    Still no obvious error during the process. pfsense is "working" except for the missing access to webadmin.

    Any ideas?

  • I could not solve it, but I could upgrade without radius enabled. Here is what I tried:

    • reinstall 2.4.4 and restoring config => no luck
    • reinstall 2.4.3 and upgrading with an admin that is not in radius => no luck
    • reinstall 2.4.3 disabling radius and upgrade => success

    I assume there is a bug in the radius portion of pfsense.

  • Rebel Alliance Developer Netgate

    What do you have the IP address of the RADIUS server set to in the authentication servers entry?

    We saw this last week when someone had incorrectly put two IP addresses into the box for the server address. That was not intended to be allowed, and does not work with the new RADIUS library.

  • @jimp only one IP address in fqdn format

  • Rebel Alliance Developer Netgate

    Does it work if you change that to an IP address?

  • Actually I will have to find the time to test it. Currently I am happy that I can use a local admin. But I hope I will be able to test it in the next two weeks.

  • The solution is:
    Comment out line 218 in File: /usr/local/share/pear/Auth/RADIUS.php
    After that, go to the web console
    System - User Manager - Authentication Servers
    Edit RADIUS
    Click apply
    Uncomment line 218 in /usr/local/share/pear/Auth/RADIUS.php
    After that, enjoy the working version and do not forget to backup.

  • For the record, @Prorvazz's solution appears to have done the trick.

    There was no "click apply" for the settings involved, but I did go into both of the Radius servers I have configured, changed the NAS IP Address to the loopback (just because I had configured it, and never selected it for Radius)... I expect going in and making no change, and hitting save would have accomplished the same goal.

    I then removed the comment from line 218, logged out, and logged back in using a locally configured admin account. It tried Radius, then logged me in (fallback to local).

    In case someone comes across this, @Prorvazz's solution is a viable work-around.

  • Through a packet capture on the interface facing the radius server, I found that the IP address was malformed and the radius server was dropping the access-request packet. This was a great discovery, as I found that line 218 in the radius.php file is not the problem. I have been asking for NAS-IP-ADDRESS support in the Radius client for what seems like years. They finally added it to the Radius process as a valid attribute, but from what I can tell, it defaults to the WAN interface, which for me also happened to be DHCP. With the services starting and DHCP not yet available, line 218 failed to find the DHCP address and in return failed on line 218.

    Fix: Assign the interface facing the Radius server as the NAS-IP-ADDRESS, which is most likely your LAN interface and should be "static". This change should be done under System > User Manager > Authentication Servers > (edit) Radius Server > Choose NAS-IP-ADDRESS interface from drop down menu.

    Note: Traffic from the FW Radius client is sourced from the egress interface of the firewall. This IP address does not have to match the NAS-IP-ADDRESS, but should be the same for ease of configuration on the Radius Server.
