Netgate Discussion Forum

Captive Portal Error

Captive Portal
    AYSMAN, Feb 5, 2021, 3:00 AM

    Hi,
    Has anyone encountered this particular issue with freeradius3 0.15.7_27 with MySQL when a user tries to authenticate using username/password:
    "(0) Login incorrect (Failed retrieving values required to evaluate condition): [myuser/mypassword] (from client Firewall.pfsense port 0)"

    I have other deployments of pfSense with FreeRADIUS and MySQL authentication using the exact same config, which are working fine. The only difference I see is the FreeRADIUS package version in pfSense, which is 0.15.7_20.

    Thanks in Advance

      viktor_g (Netgate) @AYSMAN, Feb 7, 2021, 10:25 AM

      @aysman Please update FreeRADIUS pkg to the latest version
      see https://redmine.pfsense.org/issues/11054#note-4

        AYSMAN @viktor_g, Feb 8, 2021, 2:13 AM

        @viktor_g said in Captive Portal Error:

        https://redmine.pfsense.org/issues/11054#note-4

        Hi @viktor_g Thanks for your reply. I'm already using the latest version 0.15.7_27 from the pfsense package list

          Gertjan @AYSMAN, Feb 8, 2021, 6:11 AM

          @aysman

          To see all the details, including why things go wrong :
          Stop Radius in the GUI.
          Open a console or SSH, option 8.
          Type

          radiusd -X
          

          Enjoy.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            AYSMAN @Gertjan, Feb 9, 2021, 6:58 AM

            Hi @gertjan, here's the debug log I got:

            Ready to process requests

            (0) Received Access-Request Id 98 from 172.16.100.1:12399 to 172.16.100.1:1812 length 162
            (0)   Service-Type = Login-User
            (0)   User-Name = "SERVO"
            (0)   User-Password = "SERVO"
            (0)   NAS-IP-Address = 172.16.100.1
            (0)   NAS-Identifier = "CaptivePortal-guestwifi"
            (0)   Calling-Station-Id = "a2:e2:c9:cb:1b:d5"
            (0)   Called-Station-Id = "00:e0:4c:62:fa:80:ServoOffice.firewall.ph"
            (0)   NAS-Port-Type = Ethernet
            (0)   NAS-Port = 2018
            (0)   Framed-IP-Address = 172.16.100.2
            (0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
            (0)   authorize {
            (0)     [preprocess] = ok
            (0)     [chap] = noop
            (0)     [mschap] = noop
            (0)     [digest] = noop
            (0) suffix: Checking for suffix after "@"
            (0) suffix: No '@' in User-Name = "SERVO", skipping NULL due to config.
            (0)     [suffix] = noop
            (0) ntdomain: Checking for prefix before "\"
            (0) ntdomain: No '\' in User-Name = "SERVO", skipping NULL due to config.
            (0)     [ntdomain] = noop
            (0) eap: No EAP-Message, not doing EAP
            (0)     [eap] = noop
            (0)     [files] = noop
            (0)     if ((notfound || noop) && (&control:Auth-Type != Accept)) {
            (0)     ERROR: Failed retrieving values required to evaluate condition
            (0) dailycounter: WARNING: Couldn't find check attribute, control:Max-Daily-Session, doing nothing...
            (0)     [dailycounter] = noop
            (0) monthlycounter: WARNING: Couldn't find check attribute, control:Max-Monthly-Session, doing nothing...
            (0)     [monthlycounter] = noop
            (0) noresetcounter: WARNING: Couldn't find check attribute, control:Max-All-Session, doing nothing...
            (0)     [noresetcounter] = noop
            (0) expire_on_login: WARNING: Couldn't find check attribute, control:Expire-After, doing nothing...
            (0)     [expire_on_login] = noop
            (0)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
            (0)     ERROR: Failed retrieving values required to evaluate condition
            (0)     [expiration] = noop
            (0)     [logintime] = noop
            (0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
            (0) pap: WARNING: Authentication will fail unless a "known good" password is available
            (0)     [pap] = noop
            (0)   } # authorize = ok
            (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
            (0) Failed to authenticate the user
            (0) Using Post-Auth-Type Reject
            (0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
            (0)   Post-Auth-Type REJECT {
            (0)     redundant sql {
            (0) sql1: EXPAND .query
            (0) sql1:    --> .query
            (0) sql1: Using query template 'query'
            rlm_sql (sql1): Reserved connection (1)
            (0) sql1: EXPAND %{User-Name}
            (0) sql1:    --> SERVO
            (0) sql1: SQL-User-Name set to 'SERVO'
            (0) sql1: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')
            (0) sql1:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'SERVO', 'SERVO', 'Access-Reject', '2021-02-09 14:55:43')
            (0) sql1: EXPAND /var/log/sqltrace.sql
            (0) sql1:    --> /var/log/sqltrace.sql
            (0) sql1: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'SERVO', 'SERVO', 'Access-Reject', '2021-02-09 14:55:43')
            (0) sql1: SQL query returned: success
            (0) sql1: 1 record(s) updated
            rlm_sql (sql1): Released connection (1)
            (0)       [sql1] = ok
            (0)     } # redundant sql = ok
            (0) attr_filter.access_reject: EXPAND %{User-Name}
            (0) attr_filter.access_reject:    --> SERVO
            (0) attr_filter.access_reject: Matched entry DEFAULT at line 11
            (0)     [attr_filter.access_reject] = updated
            (0)     [eap] = noop
            (0)     policy remove_reply_message_if_eap {
            (0)       if (&reply:EAP-Message && &reply:Reply-Message) {
            (0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
            (0)       else {
            (0)         [noop] = noop
            (0)       } # else = noop
            (0)     } # policy remove_reply_message_if_eap = noop
            (0)   } # Post-Auth-Type REJECT = updated
            (0) Login incorrect (Failed retrieving values required to evaluate condition): [SERVO/SERVO] (from client ServoOffice.firewall.ph port 2018 cli a2:e2:c9:cb:1b:d5)
            (0) Delaying response for 1.000000 seconds
            Waking up in 0.2 seconds.
            Waking up in 0.6 seconds.
            (0) Sending delayed response
            (0) Sent Access-Reject Id 98 from 172.16.100.1:1812 to 172.16.100.1:12399 length 20
            Waking up in 3.9 seconds.
            (0) Cleaning up request packet ID 98 with timestamp +21
            Ready to process requests
            
              Gertjan @AYSMAN, Feb 9, 2021, 7:08 AM

              This is the part you should look up :

              @aysman said in Captive Portal Error:

              (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
              (0) pap: WARNING: Authentication will fail unless a "known good" password is available

              Btw : The mysql communication works.


                AYSMAN @Gertjan, Feb 9, 2021, 7:12 AM

                Hi @gertjan
                Yes, I think the MySQL integration works too. I've tried to Google that error message but haven't found any solid resolution yet. My other pfSense + RADIUS + MySQL deployments with the exact same config work; only this particular version of the FreeRADIUS package encounters this error.

                  Gertjan @AYSMAN, Feb 9, 2021, 7:37 AM

                  Another one :

                  @aysman said in Captive Portal Error:

                  ERROR: Failed retrieving values required to evaluate condition

                  this is the one where the user is found / identified. I'm seeing this :

                  (17) eap: No EAP-Message, not doing EAP
                  (17) [eap] = noop
                  (17) files: users: Matched entry DEFAULT at line 1
                  (17) files: users: Matched entry x at line 388
                  (17) [files] = ok

                  Instead of your :

                  (0) eap: No EAP-Message, not doing EAP
                  (0) [eap] = noop
                  (0) [files] = noop

                  I'm using the GUI Package > FreeRADIUS : Users > Users page to enter my users.
                  You are using, I guess, something different ?
                  It looks like FreeRADIUS can't access your 'list with users'.


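The two hints Gertjan gives above (the pap "known good" warnings, and `[files] = noop` where a working run shows files or sql returning ok) are exactly what one wants to pull out of a long `radiusd -X` dump mechanically. The script below is an added example for this thread, not code from the original posts, from FreeRADIUS or from the pfSense package. It groups the debug lines by request number, records each module's return code together with the section it ran in, and reports those symptoms per request. The sample input is a constructed excerpt of the log posted above; the file path taken from the command line is an assumption.

```python
"""Triage a FreeRADIUS 3 `radiusd -X` dump request by request.

Added example for this thread; not code from the original posts, from
FreeRADIUS or from the pfSense package. Groups debug lines by request
number, records each module's return code per section, and flags the
symptoms discussed in the thread.
"""
import re
from collections import defaultdict

# Constructed excerpt of the debug output quoted in the thread (request 0).
SAMPLE_LOG = """\
(0) Received Access-Request Id 98 from 172.16.100.1:12399 to 172.16.100.1:1812 length 162
(0)   User-Name = "SERVO"
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0)   authorize {
(0)     [eap] = noop
(0)     [files] = noop
(0)     if ((notfound || noop) && (&control:Auth-Type != Accept)) {
(0)     ERROR: Failed retrieving values required to evaluate condition
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)     [pap] = noop
(0)   } # authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(0)   Post-Auth-Type REJECT {
(0)     [sql1] = ok
(0)   } # Post-Auth-Type REJECT = updated
(0) Sent Access-Reject Id 98 from 172.16.100.1:1812 to 172.16.100.1:12399 length 20
"""

REQ_RE = re.compile(r"^\((\d+)\)\s?(.*)$")
MODULE_RE = re.compile(r"^\[([\w.]+)\]\s*=\s*(\w+)$")
USER_RE = re.compile(r'^User-Name = "(.*)"$')
SECTION_RE = re.compile(r"^# Executing (section (\w+)|group)")
SENT_RE = re.compile(r"^Sent (Access-\w+) Id \d+")
USER_BACKENDS = ("files", "sql", "ldap")  # modules that supply a user's check items


def new_request():
    return {"user": None, "modules": [], "errors": [], "warnings": [],
            "section": None, "pending_if": None, "result": None}


def parse_debug(text):
    """Return {request_id: summary} for every request seen in the dump."""
    reqs = defaultdict(new_request)
    for raw in text.splitlines():
        m = REQ_RE.match(raw.strip())
        if not m:
            continue  # pool chatter and "Waking up" lines carry no request id
        rid, body = int(m.group(1)), m.group(2).strip()
        r = reqs[rid]
        um, sm, mm, pm = (USER_RE.match(body), SECTION_RE.match(body),
                          MODULE_RE.match(body), SENT_RE.match(body))
        if um:
            r["user"] = um.group(1)
        elif sm:
            r["section"] = sm.group(2) or "post-auth"
        elif mm:
            r["modules"].append((r["section"], mm.group(1), mm.group(2)))
        elif body.startswith("if ") and body.endswith("{"):
            r["pending_if"] = body[:-1].strip()   # condition about to be evaluated
        elif body.startswith("if ") and "->" in body:
            r["pending_if"] = None                # condition evaluated cleanly
        elif body.startswith("ERROR:"):
            msg = body[len("ERROR:"):].strip()
            if "evaluate condition" in msg and r["pending_if"]:
                msg += " :: " + r["pending_if"]   # attach the condition that failed
            r["errors"].append(msg)
        elif "WARNING:" in body:
            r["warnings"].append(body.split("WARNING:", 1)[1].strip())
        elif pm:
            r["result"] = pm.group(1)
    return dict(reqs)


def diagnose(summary):
    """Turn one request summary into the findings a reader would look for."""
    findings = []
    claimed = [mod for sec, mod, rc in summary["modules"]
               if sec == "authorize" and mod.startswith(USER_BACKENDS)
               and rc in ("ok", "updated")]
    if not claimed:
        findings.append("no user backend (files/sql/ldap) returned ok in authorize: "
                        "the user was not found in any list")
    for err in summary["errors"]:
        if "evaluate condition" in err:
            findings.append("unlang condition could not be evaluated: "
                            + err.split(" :: ", 1)[-1])
        elif "No Auth-Type found" in err:
            findings.append("authorize set no Auth-Type, so the default action was a reject")
    if any('No "known good" password' in w for w in summary["warnings"]):
        findings.append("pap has no known-good password: no backend supplied "
                        "Cleartext-Password or a hash for this user")
    if any(sec == "post-auth" and mod.startswith("sql") and rc == "ok"
           for sec, mod, rc in summary["modules"]):
        findings.append("sql answered in post-auth, so the database connection itself works")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for rid, summary in sorted(parse_debug(text).items()):
        print(f"({rid}) user={summary['user']!r} result={summary['result']}")
        for finding in diagnose(summary):
            print("    -", finding)
```

Keeping the section next to each module result is the point: `sql1 = ok` inside `Post-Auth-Type REJECT` is the radpostauth insert, which only proves the database connection works (Gertjan's observation), and says nothing about whether radcheck was consulted during authorize. In the failing run it was not, which is why no backend claims the user and pap has nothing to compare against.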
                    AYSMAN @Gertjan, Feb 9, 2021, 7:52 AM

                    @gertjan I'm using MySQL as the database that contains my list of users, including user attributes. I'm not an expert at reading these logs, so correct me if I'm wrong, but from what I understand FreeRADIUS is "ignoring" the MySQL connection for the users.

                      AYSMAN @Gertjan, Feb 9, 2021, 7:55 AM

                      Hi @gertjan, just to cross-check, I tried using freeradius3 + MySQL as a backend hosted on my Ubuntu server, then configured the pfSense captive portal to authenticate users against my external FreeRADIUS server, and everything works fine.

                        viktor_g (Netgate) @AYSMAN, Feb 9, 2021, 7:59 AM

                        @aysman Try to create a 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X

                          Gertjan @AYSMAN, Feb 9, 2021, 8:11 AM (edited 8:14 AM)

                          That's what I'm using :
                          FreeRADIUS 0.15.7_27 and a MariaDB (== a MySQL variant) on a server on my LAN to authenticate captive portal users.

                          I never used this :

                          (screenshot, not available in this copy)

                          @viktor_g said in Captive Portal Error:

                          Try to create a 'dumb' user on the FreeRADIUS / Users page and check again with radiusd -X

                          Info : This "dumb" user will get stored in a file /usr/local/etc/raddb/mods-config/files/authorize (not the database).


                            viktor_g (Netgate) @Gertjan, Feb 9, 2021, 9:14 AM (edited 9:15 AM)

                            @aysman Please check this:

                            1. killall radiusd
                            2. open /usr/local/etc/raddb/sites-enabled/default
                              and replace if ((notfound || noop) && (&control:Auth-Type != Accept)) {
                              with if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                            3. run radiusd -X and check authentication again
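The three steps above as a script, added here as an example and not taken from the thread or from the pfSense package. It rewrites the condition in /usr/local/etc/raddb/sites-enabled/default (the path quoted in this thread) the way viktor_g describes, but matches the old condition regardless of whitespace, refuses to apply twice, and keeps a .bak copy. Stopping radiusd first and re-testing with radiusd -X stay manual, as in the post. The sample text is a constructed excerpt of the authorize block, and the command-line path argument is an assumption.

```python
"""Apply the test patch from this thread to sites-enabled/default.

Added example; not from the original posts or from the pfSense package.
Rewrites the unlang condition that cannot be evaluated when
control:Auth-Type is absent, idempotently and with a backup.
"""
import re
import shutil
from pathlib import Path

DEFAULT_SITE = Path("/usr/local/etc/raddb/sites-enabled/default")

# Comparing against an attribute that does not exist aborts the condition
# ("Failed retrieving values required to evaluate condition"); expanding it
# with a default value yields a plain string that always compares cleanly.
NEW = 'if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {'
OLD_RE = re.compile(
    r"if\s*\(\s*\(\s*notfound\s*\|\|\s*noop\s*\)\s*&&\s*"
    r"\(\s*&control:Auth-Type\s*!=\s*Accept\s*\)\s*\)\s*\{"
)

# Constructed excerpt of the authorize block as quoted in the thread.
SAMPLE_SITE = """\
    files
    if ((notfound || noop) && (&control:Auth-Type != Accept)) {
        redundant sql {
            sql1
        }
        if (notfound || noop) {
            reject
        }
    }
"""


def patch_default_site(text):
    """Return (patched_text, replacements); zero replacements means nothing to do."""
    return OLD_RE.subn(lambda _m: NEW, text)


def patch_file(path=DEFAULT_SITE):
    """Patch the site file in place, keeping a .bak copy; returns the replacement count."""
    text = path.read_text()
    patched, count = patch_default_site(text)
    if count == 0:
        state = "already patched" if NEW in text else "old condition not found"
        print(f"{path}: nothing changed ({state})")
        return 0
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(patched)
    print(f"{path}: replaced {count} condition(s); backup at {backup}")
    return count


if __name__ == "__main__":
    import sys
    patch_file(Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_SITE)
```

Two caveats. The other "Failed retrieving values required to evaluate condition", on the `&request:Calling-Station-Id == &control:Calling-Station-Id` check, still appears after patching (it is present in viktor_g's working test1 run later in the thread, with `[pap] = updated`), so it is not the one to chase. And the `### sql DISABLED ###` style markers in the quoted config show this file is generated by the pfSense package from its GUI settings, so a hand edit should be treated as a test that can be overwritten on the next save; the durable fix is the package change tracked in the Redmine issue viktor_g files later in the thread.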
                              Gertjan @viktor_g, Feb 9, 2021, 9:52 AM

                              @viktor_g

                              This works ..... but :
                              I had to :

                              #	files
                              #	if ((notfound || noop) && (&control:Auth-Type != Accept)) {
                              	if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                              

                              => I exclude 'files' altogether.
                              Now the 'radcheck' table is queried :

                              (0) eap: No EAP-Message, not doing EAP
                              (0)     [eap] = noop
                              (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                              (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
                              (0)        --> No-Accept
                              (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
                              (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
                              (0)       redundant sql {
                              (0) sql1: EXPAND %{User-Name}
                              (0) sql1:    --> test
                              (0) sql1: SQL-User-Name set to 'test'
                              rlm_sql (sql1): Reserved connection (1)
                              (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
                              (0) sql1:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
                              (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id
                              (0) sql1: User found in radcheck table
                              (0) sql1: Conditional check items matched, merging assignment check items
                              (0) sql1:   Cleartext-Password := "test"
                              (0) sql1: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id
                              (0) sql1:    --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
                              (0) sql1: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id
                              rlm_sql (sql1): Reserved connection (2)
                              rlm_sql (sql1): Released connection (2)
                              (0) sql1: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
                              (0) sql1:    --> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
                              (0) sql1: Executing select query: SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority
                              (0) sql1: User not found in any groups
                              rlm_sql (sql1): Released connection (1)
                              (0)         [sql1] = ok
                              (0)       } # redundant sql = ok
                              (0)       if (notfound || noop) {
                              (0)       if (notfound || noop)  -> FALSE
                              (0)     } # if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  = ok
                              

                              I had a 'test' user set up :

                              (screenshot, not available in this copy)

                              With

                              files

                              in place, your

                              if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))

                              yields a FALSE, so the 'sql' block isn't executed.

                              (That's what I make of it.)


                                viktor_g (Netgate) @Gertjan, Feb 9, 2021, 10:18 AM

                                @gertjan said in Captive Portal Error:

                                With
                                files

                                in place, your
                                if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))

                                yields a FALSE, so the 'sql' block isn't executed.
                                (That's what I make of it.)

                                This is correct because it finds the "test" user in the files backend.
                                It checks files, sql and ldap backends sequentially.

                                Redmine issue created: https://redmine.pfsense.org/issues/11388

                                  Gertjan @viktor_g, Feb 9, 2021, 11:19 AM

                                  @viktor_g said in Captive Portal Error:

                                  This is correct because it finds the "test" user in the files backend.

                                  I did not (do not) have a 'test' user set up in the pfSense GUI - only in the 'radcheck' MYSQL table.

                                  Done on purpose, to see if the auth would fall through to 'radcheck testing' if no result was found in the 'files' (pfSense GUI).


                                    viktor_g (Netgate) @Gertjan, Feb 9, 2021, 11:38 AM

                                    @gertjan in this case it should bypass the files backend.
                                    My test (raduser1 in the ldap backend, test1 user in the files backend) with this patch:

                                    raduser1 (ldap):

                                    (0) eap: No EAP-Message, not doing EAP
                                    (0)     [eap] = noop
                                    (0)     [files] = noop
                                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                    (0)     EXPAND %{%{Control:Auth-Type}:-No-Accept}
                                    (0)        --> No-Accept
                                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> TRUE
                                    (0)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  {
                                    (0)       if (true) {
                                    (0)       if (true)  -> TRUE
                                    (0)       if (true)  {
                                    (0)         redundant {
                                    rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
                                    rlm_ldap (ldap): Opening additional connection (0), 1 of 5 pending slots used
                                    rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
                                    rlm_ldap (ldap): Waiting for bind result...
                                    rlm_ldap (ldap): Bind successful
                                    rlm_ldap (ldap): Reserved connection (0)
                                    (0) ldap: EXPAND (uid=%{%{Stripped-User-Name}:-%{User-Name}})
                                    (0) ldap:    --> (uid=raduser1)
                                    (0) ldap: Performing search in "cn=accounts,dc=pand,dc=int" with filter "(uid=raduser1)", scope "sub"
                                    (0) ldap: Waiting for search result...
                                    (0) ldap: User object found at DN "uid=raduser1,cn=users,cn=accounts,dc=pand,dc=int"
                                    (0) ldap: Processing user attributes
                                    (0) ldap: WARNING: No "known good" password added. Ensure the admin user has permission to read the password attribute
                                    (0) ldap: WARNING: PAP authentication will *NOT* work with Active Directory (if that is what you were trying to configure)
                                    rlm_ldap (ldap): Released connection (0)
                                    Need 4 more connections to reach min connections (5)
                                    rlm_ldap (ldap): Opening additional connection (1), 1 of 4 pending slots used
                                    rlm_ldap (ldap): Connecting to ldap://192.168.88.91:389
                                    rlm_ldap (ldap): Waiting for bind result...
                                    rlm_ldap (ldap): Bind successful
                                    (0)           [ldap] = ok
                                    

                                    test1 (files):

                                    (1) eap: No EAP-Message, not doing EAP
                                    (1)     [eap] = noop
                                    (1) files: users: Matched entry test1 at line 2
                                    (1)     [files] = ok
                                    (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                    (1)     if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept"))  -> FALSE
                                    rlm_counter: Entering module authorize code
                                    rlm_counter: Could not find Check item value pair
                                    (1)     [daily] = noop
                                    rlm_counter: Entering module authorize code
                                    rlm_counter: Could not find Check item value pair
                                    (1)     [weekly] = noop
                                    rlm_counter: Entering module authorize code
                                    rlm_counter: Could not find Check item value pair
                                    (1)     [monthly] = noop
                                    rlm_counter: Entering module authorize code
                                    rlm_counter: Could not find Check item value pair
                                    (1)     [forever] = noop
                                    (1)     if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
                                    (1)     ERROR: Failed retrieving values required to evaluate condition
                                    (1)     [expiration] = noop
                                    (1)     [logintime] = noop
                                    (1)     [pap] = updated
                                    (1)   } # authorize = updated
                                    
                                      Gertjan @viktor_g, Feb 9, 2021, 2:11 PM

                                      @viktor_g :

                                      Wait : your logs handle a 'files' and/or 'ldap'.
                                      I'm using 'files' and 'sql1' (using the table 'radcheck' etc).

                                      @AYSMAN didn't mention 'ldap'.


                                        viktor_g (Netgate) @Gertjan, Feb 9, 2021, 3:10 PM

                                        @gertjan Yes, but it uses the same logic (see /usr/local/etc/raddb/sites-enabled/default)

                                        files + ldap:

                                        if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                                ### sql DISABLED ###
                                                if (true) {
                                                        redundant {
                                                                ldap
                                                                # this line adds ldap2 when activated
                                                                ### ldap2 disabled ###
                                                        }
                                                        if (notfound || noop) {
                                                                reject
                                                        }
                                                }
                                        }
                                        

                                        files + sql:

                                        if ((notfound || noop) && ("%{%{Control:Auth-Type}:-No-Accept}" != "Accept")) {
                                                redundant sql {
                                                        sql1
                                                        ### sql2 DISABLED ###
                                                }
                                                if (notfound || noop) {
                                                        ### ldap ###
                                                        if (notfound || noop) {
                                                                reject
                                                        }
                                                }
                                        }
                                          AYSMAN @viktor_g, Feb 10, 2021, 3:30 AM

                                          @viktor_g Already tested this, it's working just fine with no errors.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.