Radius PHP Errors after 2.4.4 Update
Starting from 2.3.4_p1 I removed all packages and started the upgrade via webadmin.
The process did not show any errors and finished with "Success"
After arround 10 minutes I could ping the pfsense and connectivity was up.
Unfortunately I can not login into the webadmin.
Fatal error: Error converting Address in /usr/local/share/pear/Auth/RADIUS.php on line 218 PHP ERROR: Type: 1, File: /usr/local/share/pear/Auth/RADIUS.php, Line: 218, Message: Error converting Address
I connected to the usb console and tried a second run
pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade pkg-static upgrade -f reboot
Still no obvious error during the process. pfsense is "working" except the missing access to webadmin
I could not solve it but I could upgrade without radius enabled. Here is what I tried
- reinstall 2.4.4 and restoring config => no luck
- reinstall 2.4.3 and upgrading with an admin that is not in radius => no luck
- reinstall 2.4.3 disabling radius and upgrade => success
I assume there is a bug in the radius portion of pfsense
What do you have the IP address of the RADIUS server set to in the authentication servers entry?
We saw this last week when someone had incorrectly put two IP addresses into the box for the server address. That was not intended to be allowed, and does not work with the new RADIUS library.
@jimp only one IP address in fqdn format
Does it work if you change that to an IP address?
Actually I will have to find the time to test ist. currently I am happy that I can use a local admin. But I hope I will be able to test in in the next two weeks
The solution is:
Comment out line 218 in File: /usr/local/share/pear/Auth/RADIUS.php
After that, go to the web console
System - User Manager - Authentication Servers
Uncoment line 218 in /usr/local/share/pear/Auth/RADIUS.php
After that, enjoy the working version and do not forget to backup.
Pack3tL0ss last edited by Pack3tL0ss
For the record @Prorvazz 's solution appears to have done the trick.
There was no "click apply" for the settings involved, but I did go into both of the Radius servers I have configured, changed the NAS IP Address to the loopback (just because I had configured it, and never selected it for Radius)... I expect going in and making no change, and hitting save would have accomplished the same goal.
I then removed the comment from line 218 logged out, and logged back in using a locally configured admin account. It tried Radius, then logged me in (fallback to local).
In case someone comes across this @Prorvazz solution is a viable work-around.
Through a packet capture on interface facing the radius server, I found that the ip address was malformed and radius server was dropping the access-request packet. This was a great discovery, as I found the line 218 in radius.php file is not the problem. I have been asking for NAS-IP-ADDRESS support in the Radius client for what seems like years. They finally added it to the Radius process as a valid attribute, but from what I can tell, it defaults to the WAN interface, which for me also happened to be dhcp. With the services starting and dhcp not yet available, the line 218 failed to find the dhcp address and in return failed on line 218.
Fix: Assign the interface facing the Radius server as the NAS-IP-ADDRESS, which is most likely your LAN interface and should be "static". This change should be done under System>User Manager > Authentication Servers > (edit) Radius Server> Choose NAS-IP-ADDRESS interface from drop down menu.
Note** Traffic from FW Radius Client sources from the egressing interface of firewall. This ip address does not have to match the NAS-IP-ADDRESS, but should be same for ease of configuration on Radius Server.