PFSense 2.4.4_1 Authentication failed



  • Hello,

    I just upgraded my SG-3100 to 2.4.4_1.
    Every package is running.
    I am using the PAP protocol on my new Authentication Server.
    For each new connection, I am using an OTP system and sending the password to a user with SMS.
    But when the user tries to connect to the internet, it fails.
    0_1545659504698_sorun_1.png

    0_1545659552509_sorun_3.png

    BTW, I have more than 10 devices and each one has the problem.


  • Rebel Alliance

    RADIUS authentication didn't change between 2.4.4 and 2.4.4_1.

    Could you paste here the logs of your RADIUS server?



  • @free4 First of all, thank you. Here are my logs:

    Tue Dec 25 12:02:18 2018 : Info: Debugger not attached
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql_mysql: libmysql version: 5.6.41
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Attempting to connect to database "radiusdashboard"
    Tue Dec 25 12:02:18 2018 : Warning: WARNING: Ignoring "spare = 10", forcing to "spare = 2"
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Opening additional connection (0), 1 of 5 pending slots used
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Opening additional connection (1), 1 of 4 pending slots used
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Opening additional connection (2), 1 of 3 pending slots used
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Opening additional connection (3), 1 of 2 pending slots used
    Tue Dec 25 12:02:18 2018 : Info: rlm_sql (sql1): Opening additional connection (4), 1 of 1 pending slots used
    Tue Dec 25 12:02:18 2018 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
    Tue Dec 25 12:02:18 2018 : Warning: [/usr/local/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
    Tue Dec 25 12:02:18 2018 : Info: Loaded virtual server <default>
    Tue Dec 25 12:02:18 2018 : Info: Loaded virtual server default
    Tue Dec 25 12:02:18 2018 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
    Tue Dec 25 12:02:18 2018 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
    Tue Dec 25 12:02:18 2018 : Info: # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel-ttls:63
    Tue Dec 25 12:02:18 2018 : Info: Loaded virtual server inner-tunnel-ttls
    Tue Dec 25 12:02:18 2018 : Info: # Skipping contents of 'if' as it is always 'false' -- /usr/local/etc/raddb/sites-enabled/inner-tunnel-peap:63
    Tue Dec 25 12:02:18 2018 : Info: Loaded virtual server inner-tunnel-peap
    Tue Dec 25 12:02:18 2018 : Info: Ready to process requests
    Tue Dec 25 12:03:15 2018 : Info: rlm_sql (sql1): Closing connection (1), from 3 unused connections
    Tue Dec 25 12:03:15 2018 : Auth: (0) Login incorrect (Failed retrieving values required to evaluate condition): [5342697929] (from client test_1 port 2020 cli 78:4b:87:55:ab:25)
    Tue Dec 25 12:04:04 2018 : Info: rlm_sql (sql1): Closing connection (3): Hit idle_timeout, was idle for 106 seconds
    Tue Dec 25 12:04:04 2018 : Info: rlm_sql (sql1): Closing connection (4): Hit idle_timeout, was idle for 106 seconds
    Tue Dec 25 12:04:04 2018 : Info: Need 1 more connections to reach min connections (3)
    Tue Dec 25 12:04:04 2018 : Info: rlm_sql (sql1): Opening additional connection (5), 1 of 3 pending slots used
    Tue Dec 25 12:04:04 2018 : Auth: (1) Login incorrect (Failed retrieving values required to evaluate condition): [5342697929] (from client test_1 port 2020 cli 78:4b:87:55:ab:25)



  • The interesting part is this:
    Auth: (0) Login incorrect (Failed retrieving values required to evaluate condition): [5342697929] (from client test_1 port 2020 cli 78:4b:87:55:ab:25)

    The rest is the usual bla-bla.

    Your log mentions "client test_1".
    Your images mention "test_2"
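
One way to pull only the failed-login lines out of a FreeRADIUS radius.log like the one posted above, and to note whether the `cli` (Calling-Station-Id) value is a MAC or an IP address. This is an added example, not part of the thread; the regular expressions are written against the line layout visible in that log, and the last sample line is constructed.

```python
import re
from collections import Counter

# Lines 1-3 are copied from the log in the thread; line 4 is constructed
# to show a cli value that carries an IP address instead of a MAC.
SAMPLE_LOG = """\
Tue Dec 25 12:03:15 2018 : Info: rlm_sql (sql1): Closing connection (1), from 3 unused connections
Tue Dec 25 12:03:15 2018 : Auth: (0) Login incorrect (Failed retrieving values required to evaluate condition): [5342697929] (from client test_1 port 2020 cli 78:4b:87:55:ab:25)
Tue Dec 25 12:04:04 2018 : Auth: (1) Login incorrect (Failed retrieving values required to evaluate condition): [5342697929] (from client test_1 port 2020 cli 78:4b:87:55:ab:25)
Tue Dec 25 12:05:00 2018 : Auth: (2) Login incorrect (constructed reason): [constructed-user] (from client test_1 port 2021 cli 192.0.2.10)
"""

# "<timestamp> : Auth: (<n>) Login incorrect (<reason>): [<user>] (from client <name> port <p> cli <id>)"
AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: \((?P<req>\d+)\) Login incorrect"
    r"(?: \((?P<reason>.*?)\))?: \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)(?: cli (?P<cli>[^)\s]+))?\)"
)
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def cli_kind(cli):
    """Classify the Calling-Station-Id value logged after 'cli'."""
    if cli is None:
        return "absent"
    if MAC_RE.match(cli):
        return "mac"
    if IPV4_RE.match(cli):
        return "ipv4"
    return "other"


def failed_logins(text):
    """Return one dict per 'Login incorrect' line; every other line is skipped."""
    records = []
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["cli_kind"] = cli_kind(rec["cli"])
            records.append(rec)
    return records


def summarize(records):
    """Count failures per (client, reason, cli format)."""
    return Counter((r["client"], r["reason"], r["cli_kind"]) for r in records)


if __name__ == "__main__":
    for key, count in summarize(failed_logins(SAMPLE_LOG)).items():
        print(count, key)
```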


  • Rebel Alliance

    Auth: (0) Login incorrect (Failed retrieving values required to evaluate condition):

    This usually means an incorrect RADIUS shared secret.
    Could you verify it?

    Also, there were no changes in the way RADIUS authentication works between 2.4.4 and 2.4.4_1... but there were big changes in authentication between 2.4.3 and 2.4.4. Did you update from 2.4.3? If yes, are you using Calling-Station-ID / Called-Station-ID anywhere in your RADIUS config?

    These attributes contained IP addresses in 2.4.3. They now contain MAC addresses (in order to comply with RFC 3580).



  • @gertjan test_1 is the name of Captive Portal, test_2 is the name of Authentication Servers.



  • @free4 said in PFSense 2.4.4_1 Authentication failed:

    verify

    I verified it; they are totally the same.


  • Rebel Alliance

    @deniz-sahan did you update from 2.4.3?



  • @free4 said in PFSense 2.4.4_1 Authentication failed:

    did you update from 2.4.3?

    I updated it from 2.4.4

