NEW Package: freeRADIUS 2.x

Nachtfalke

This could/should be the offical thread for the new freeRADIUS 2.x package.
At the moment it is ALPHA status and based on the freeRADIUS 1.1.8 package. There are just some radiusd.conf syntax fixes to fit the freeRADIU2 syntax.

This package is based on freeRADIUS 2.1.12.

In the future there should be more options configurable from the GUI and some reorganisation of the .inc and .xml files.

ATTENTION:
At the moment the packages freeradius and freeradius2 are using the same config files. Please do not install both at the same time and please do not use on productiv systems before you save your config.

Feedback would be nice because I could not test this package till now. So feedback to hopfully working basic options would be nice, too.

I will update this thread in the future.

ptt

@Nachtfalke:

ATTENTION:
At the moment the packages freeradius and freeradius2 are using the same config files. Please do not install both at the same time and please do not use on productiv systems before you save your config.

Just one small cosmetic thing, change your "warning" to: please do not use in production systems

Nachtfalke

Strange - I could not modify my post.
But I changed the description on the package GUI of pfsense ;o)

I am sure there will be further mistakes in the future but english isn't my native language.

ptt

New FreeRadius2 doesn't start, in system logs i get this:


Dec 5 19:15:32 	php: : Not calling package sync code for dependency freeradiussettings of freeradius2 because some include files are missing.
Dec 5 19:15:32 	php: : Not calling package sync code for dependency freeradiusclients of freeradius2 because some include files are missing.
Dec 5 19:15:30 	php: : Restarting/Starting all packages.

But the old FreeRadius version starts OK

Nachtfalke

I have got these problems on freeradius and freeradius2.
But only after reboot of pfsense.
I pushed a fix for freeradius2.

Try with package version 0.3

Nachtfalke

I updated freeradius2 from 0.3 ALPHA up to 1.0 BETA.

The freeradius2 package should now have all the features that freeradius has and some improvements.

New freeradius2 features:

IPv6 for clients and listening interfaces
select different interfaces for different tasks (auth, acct, proxy, status, detail, CoA)
additional parameters added in settings
enable server to run in threaded mode

gionag

hello,
I wanted to understand how to implement freeradius2 of a system that works with version 1.

Uninstalled the previous version and then installed version 2 the applications that worked now no longer work. Specifically, the authentication for openvpn road warriors no longer works. A log level I do not see things very useful. Just somthing about "0 packets in queue".

What are the steps to authenticate freeradius2 of openvpn? I have to do something different?

Summing up I set like this:

Services -> "freeradius"

User: test pass: test
NAS: 192.168.1.1 (ip of the router), ShortNome: pfSense, secret: testing

under "users" -> "server"
RADIUS: 192.168.1.1
Secret: test
description : Local Radius Server

under "openvpn"
Selected > Local Radius server

I've done something wrong?

thanks

(pfsense 2.0)

Nachtfalke

Hi,

I do not know, how to use OpenVPN RoadWarrior with RADIUS. Is there any tutorial ?
Generally I didn't change much in the background.

In the users tab I didn't change anything
The settings tab is the same as before just some different syntax for logging and some additional parameters but they are all at default.
In the client tab I had to change the syntax of the clients.conf to new freeradius2 version but the parameters are still the same.

Where I did many changes is the "interfaces" tab.
If you have one Interface (LAN) which should do authentication and accounting than you need two entries:

Interface IP: 192.168.100.1
Port: 1812
type: auth

Interface IP: 192.168.100.1
Port: 1813
type: acct

If radius should listen on any interface than you can use a * instead of the IP.
Not sure if * is listening on 127.0.0.1

PS: Further it would/could help if you delete all freeradius entries from your config.xml

/conf/config.xml

and reboot and reconfigure freeradius2.

Your old settings from freeradius1 are NOT compatible with freeradius2

gionag

also installed in a fresh installed system…
same problem

used * insted of the real ip...

Still testing

Nachtfalke

Hi,

I read short through this:
http://doc.pfsense.org/index.php/Using_OpenVPN_With_FreeRADIUS
This needs PAM authentication as far as I understand this.

I took a look at

/usr/local/pkg/freeradius.inc

And changed line 432:

#pam

to this line:

pam

Save the file and then go to the freeRADIUS GUI -> Settings -> Save and try again.

Nachtfalke

Hi,

I tested the freeRADIUS2 package with this tool:
http://www.novell.com/coolsolutions/tools/14377.html

The problem is the freeRADIUS. I think there are some bigger changes in module handling in the new radiusd.conf. We need to enable/link to the modules listed in the /usr/local/etc/raddb/sites-enabled/ directory.
In the old freeRADIUS 1.x configuration the modules were configured only in radiud.conf.
FreeRADIUS is starting and listening on requests but there seems to be no "Auth-type" selected so that the request could not be used with and authorization module.

If someone could/would fix that - don't hesitate. I will try as far as I found time. Next week I am on vacation and I think I will find some time to work on this problem and hopefully fix it.

Nachtfalke

@gionag
I could reproduce this error.
There was a bug in creating the "users" file. I think I fixed this so it should now authenticate fine.

Additional changes pkg v1.1.0 Beta:

Added some code which prevents that freeradius service isn't starting if interface typ is "detail"
Swaped authorize, authenticate, … sections from radiusd.conf to the correct place (/usr/local/etc/raddb/sites-enabled/default && /usr/local/etc/raddb/sites-enabled/inner-tunnel)

Nachtfalke

Updates: pkg v1.1.1:

disabled virtual-server "control-socket" which is experimental and if misconfigured a security issue
disabled module proxy because in most environments we do not need to proxy requests to another RADIUS PROXY server

Nachtfalke

Updates: pkg v1.2.0

Added GUI to configure eap.conf (EAP, EAP-TLS, EAP-TLS with OCSP support, EAP-TTLS, EAP-PEAP with MSCHAPv2

The GUI contains the by default "uncommented" options in the eap.conf

This authentication methods were tested and work:

PAP
CHAP
MSCHAP
EAP-MD5

Added "CDATA" for all <description>parts in .XML files.</description>

Nachtfalke

Updates: pkg v1.3.0

Added GUI to configure sql.conf
Just some small typo/cosmetic GUI fixes

–- edit ---
The GUI is working but I found out that the precompiled freeradius-2.1.12 package is not compiled with MySQL, PostgreSQL.
So there are modules (rlm_sql) missing. We need to build a package from source with additional build_options to support these features.
Help would be appreciated!

Further I would like to have LDAP and KERBEROS support so that we can build a GUI for connecting to LDAP and/or AD.

Nachtfalke

Updates: pkg v1.3.1

Some small fixes with empty variables after installation

Thank you marcelloc for your help!

Nachtfalke

Updates: pkg v1.3.2

Check and only enable virtual-server "coa" if there is a need from interface-type "coa"
Put virtual-server "default" into .inc file. We need this in future for LDAP, SQL and other modules

Nachtfalke

Updates: pkg v1.3.3

Adding tab to view config files.

@marcelloc: Thank you for that!

Nachtfalke

Updates: pkg v1.3.4

freeradius2 is working on pfsense 2.0.1 (i386 and amd64)
added GUI to create certificates (CA, Server, Client) for EAP-TLS
extended "view config" tab to view certificate files

Nachtfalke

Updates: pkg 1.3.5

Added some info about dis-/advantages of pfsense cert-manager compared to freeradius-cert editor. pfsense cert-manager should be the first manager to use!
freeradius server is starting with certs and keys (different typs) from pfsense built-in manager but this needs more testing with clients and real NAS
Some small typo fixes in freeradiuseapconf.xml with double entry
Added some checks and renamings on client cert building script (Thanks to marcelloc)

Nachtfalke

Updates: pkg v1.3.6

Added ability to choose between the freeradius cert manager or the pfsense built-in cert manager. (Thank you very much jimp and sullrich)

Nachtfalke

Updates: pkg v1.3.7

Corrected starting parameters of variables for "Settings"
Enabled logging and logging to syslog is now default
DH and RANDOM file will be created new when changing to "pfsense cert-manager". So not everybody will use the same files delivered with the freeradius package.
Adding Custom-Options on TOP and BOTTOM of all other user options
New variables and structur of the "users"-file creation. It was neccessary to add additional custom options on TOP and BOTTOM. User entries from older freeradius2 versions are NOT compatible. You need to add them again. Sorry.
Username can now contain whitespaces
Added Copyright
Added new features to dis-/enable SQL (Instantiate, authorize, accounting, session, post-auth) - we still need to build freeradius2 package with additional modules.

Nachtfalke

Updates: pkg v1.3.8

fixed empty password after installation in default cert (eap)
fixed typo in description (eap)
small change in <custom_php_install_commands>order in freeradius.xml</custom_php_install_commands>
Added radiusd.conf to "view config" tab
fixed "include sql.conf" in (sql/radiusd)
Added some comments in freeradius.inc

sandern

If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

Nice work so far!

Nachtfalke

@sandern:

If its not much work to implement, beside user authentication, it would be nice to also support mac authentication. (http://wiki.freeradius.org/Mac-Auth)

Nice work so far!

This should work by default as far as I know for now. The CISCO SG300-28 switch for example is sending the MAC address in username and password, all small letters without whitespace.
So you take a look on the user's guide and check the format the MAC address is sent.

If the PCs MAC address is for example:
00:11:AA:BC:DE:FF

Than the username and password in freeradius users should be:
0011aabcdeff

The users file should look like this afterwards:


"0011aabcdeff" Cleartext-Password := "0011aabcdeff"
                       Simultaneous-Use := 1

Please post back if you could try this and if it is working or not.
I am on vacation until 09 january 2012 and do not have the chance to test this all on a real switch and environment.
This is on my "todo" list - to check all features I added just from How-To's in real ;-)

–-- edit ----
This is from the CISCO users guide:

The authentication methods can be:
• 802.1x—The switch supports the authentication mechanism as described in
the standard to authenticate and authorize 802.1x supplicants.

• MAC-based—The switch can be configured to use this mode to
authenticate and authorized devices that do not support 802.1x. The switch
emulates the supplicant role on behalf of the non 802.1x capable devices,
and uses the MAC address of the devices as the username and password
when communicating with the RADIUS servers. MAC addresses for
username and password must be entered in lower case and with no
delimiting characters (for example: aaccbb55ccff). To use MAC-based
authentication at a port:

Nachtfalke

Updates: pkg v1.3.9

small changes in if/else syntax (freeradius.inc)
deleted uneccessary <custom_php_resync_config_command>entries (freeradiuscerts.xml)</custom_php_resync_config_command>
fixed some typos in description and titel (eap, view config)
cosmetic fix: changed order of columns (users)
added XMLRPC Sync for syncing "users" and "NAS / clients" with other hosts. No other parts of freeradius2 config will be synced. The XMLRPC code I use isn't optimized for syncing so much parts like I use them in my package. Syncing more parts will increase the reload time after any change because there are so much dependencies and reloads neccessary.

Special thanks goes to: marcelloc :D
Thank you for allowing me to use the pfblocker-xmlrpc code :)

Nachtfalke

Updates: pkg v1.4.0

improved first start of freeradius service after package installation
fixed double restart of freeradius service (sql)
added some additional output in syslog when creating certs with freeRADIUS Cert-Manager (certs)
added some additional output in syslog when changing TO pfSense Cert-Manager (eap)
added some comments in freeradius.inc for better understanding

Nachtfalke

Updates: pkg v1.4.1

enabled: module "attr_filter" in "pre-proxy" and "post-proxy" section
enabled: module "counter" (daily, weekly, monthly, forever) in "authorize" and "accounting" section
enabled: module "checkval" in "authorize" section
enabled: "with_ntdomain_hack = yes" in module "realm", module "mschap" and virtual-server "default"
enabled: use of more than one realm at one time in module "realm"
fixed: "users" file. we need to handel "check-items" different from "reply-items" (users)
added: support for Microsoft Statement-of-Health (SoH), which is a form of network access protection present in Windows XP SP3, Vista and 7. Enabled virtual-server "soh". (eap)

Nachtfalke

Updates: pkg v1.4.2

Added/Modified: Additional custom options for CHECK-ITEMs and REPLY-ITEMs (users)
fixed: typos in descriptions (users,settings,clients)

There is now a wiki about freeradius2 in the pfSense docs. You are welcome to contribute!
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

marcelloc

I saw some features not compiled for it like:

ActiveDirectory
LDAP
SQL

Do you need help on trying to compile it and find a <build_options>for pkg_config ?</build_options>

Nachtfalke

@marcelloc:

I saw some features not compiled for it like:

ActiveDirectory

LDAP

SQL

Do you need help on trying to compile it and find a <build_options>for pkg_config ?</build_options>

Hi,

yes there are features which are not compiled yet. I posted on dev-mailinglist last year with the build options I need.
Take a look here:
http://lists.pfsense.org/pipermail/dev/2011-December/000100.html


WITH_KERBEROS=yes (I need this for ActiveDirectory I think + samba)
WITH_LDAP=yes
WITH_MYSQL=yes
WITH PGSQL=yes
WITH_EXPERIMENTAL=yes
WITH_PERL=yes (on by default)
WITH_PYTHON=yes (on by default)
WITHOUT_USER=yes (I do not want to chroot and so this feature makes no sense)

I talked with mdima and he pointed me to the ports and the available build options I posted on dev-list.

If you could help it would be great, of course :-)

marcelloc

there is a field in pkg_info for compile options:


.
.
.
<build_port_path>/usr/ports/mail/postfix</build_port_path>
<build_options>WITH_PCRE=true WITH_SPF=true WITH_SASL2=true WITH_TLS=true</build_options>

The best way before editing pkg_config is:

build a virtual machine with freebsd 8.1
update freebsd to get current version using freebsd-update
fetch ports with portsnap fetch && portsnap extract
build freeradius with selected options
make freeradius and dependecies packages
install this package on pfsense(lab)
If nothing is break after that, include <build_options>to pkg_config</build_options>

Not that simple but not that hard. ;)

I'll compile freeradius with these options and feedback.

Nachtfalke

What should I place in:

<depends_on_package_base_url></depends_on_package_base_url>

I builded freeradius2 from ports with my actual PC-BSD 8.2 but just installed it on PC-BSD vm.
What is the command for:
make freeradius and dependecies packages
so that I can copy the package to pfsense and install/extract it there?

And for "pkg_config.8.xml.amd64" and "pkg_config.8.xml" I though I would be the best if I temporarily create a second entry - but I first have to do the steps before :D

PS: Building with custom build options - is this done by someone of the pfsense team or automaticly by the system ?

Thanks for your help! :D

marcelloc

@Nachtfalke:

What should I place in:

<depends_on_package_base_url></depends_on_package_base_url>

the url folder that packages are, generally files.pfsense.org/path_to_packages

@Nachtfalke:

I builded freeradius2 from ports with my actual PC-BSD 8.2 but just installed it on PC-BSD vm.
What is the command for:

It will break some dependencies on freebsd 8.1

@Nachtfalke:

make freeradius and dependecies packages
so that I can copy the package to pfsense and install/extract it there?

make package is the cmd you call on freeradius port folder to make package ;)

@Nachtfalke:

And for "pkg_config.8.xml.amd64" and "pkg_config.8.xml" I though I would be the best if I temporarily create a second entry - but I first have to do the steps before :D

sure. :D

@Nachtfalke:

PS: Building with custom build options - is this done by someone of the pfsense team or automaticly by the system ?

Yes, Ermal has a every day build script for packages, take a look on build date of packages in files.pfsense.org.

It's really nice, I got close but stopped in read xml build options and dependencies options to schedule it via cron.

I did not included experimental buid option as it enables all experimental modules including oracle, what would be not so good to compile

still building on x64 and for now dependencies are:

gmddb
krb5
tetex

att,

Marcello Coutinho

Nachtfalke

Ok,
I will go to bed now. It's 1am.

I will download PC-BSD 8.1 which I know is easy to install and then try to create my first package :D

I catched this information…I hope it will be correct ;-)


ports/devel/autoconf/
ports/devel/autoconf-wrapper/
ports/databases/gdbm/
ports/devel/gettext/
ports/devel/gmake/
ports/converters/libiconv/
ports/devel/libltdl/
ports/devel/libtool/
ports/devel/m4/
ports/lang/perl5.12/
ports/lang/python27/

<build_options>WITH_KERBEROS = yes WITH_LDAP = yes WITH_MYSQL = yes WITH_PGSQL = yes WITH_PERL = yes WITH_PYTHON = yes</build_options>

Bye!

marcelloc

ports/devel/autoconf/
ports/devel/autoconf-wrapper/
ports/databases/gdbm/
ports/devel/gettext/
ports/devel/gmake/
ports/converters/libiconv/
ports/devel/libltdl/
ports/devel/libtool/
ports/devel/m4/
ports/lang/perl5.12/
ports/lang/python27/

These are basic config dependencies, ~~I'm checking what dependencies includes ghostscripts and X11 which is not good for a firewall.~~

EDIT

I've changed kerberos dependencies do a much less dependencies from heimdal-1.4_1 then krb5

heimdal-1.4_1

Requires: autoconf-2.68, autoconf-wrapper-20101119, gettext-0.18.1.1, libiconv-1.13.1_1, libtool-2.4_1, m4-1.4.16,1, perl-5.12.4_3, pkg-config-0.25_1

krb5-1.9.2_1


Requires: cups-client-1.5.0, cups-image-1.5.0, dvipsk-tetex-5.95a_5, expat-2.0.1_2, font-amsfonts-3.02_1, fontconfig-2.8.0_1,1, freetype2-2.4.7, gd-2.0.35_7,1, gettext-0.18.1.1, ghostscript9-9.02_4, gmake-3.82, gsfonts-8.11_5, jasper-1.900.1_10, jbig2dec-0.11, jbigkit-1.6, jpeg-8_3, kbproto-1.0.5, libICE-1.0.7,1, libSM-1.2.0,1, libX11-1.4.4,1, libXau-1.0.6, libXaw-1.0.8,1, libXdmcp-1.1.0, libXext-1.3.0_1,1, libXmu-1.1.0,1, libXp-1.0.1,1, libXpm-3.5.9, libXt-1.0.9, libiconv-1.13.1_1, libpthread-stubs-0.3_3, libtool-2.4_1, libwww-5.4.0_4, libxcb-1.7, m4-1.4.16,1, perl-5.12.4_3, pkg-config-0.25_1, png-1.4.8, printproto-1.0.5, t1lib-5.1.2_1,1, teTeX-base-3.0_22, teTeX-texmf-3.0_8, tex-texmflocal-1.9, texi2html-1.82,1, texinfo-4.13.20110529_1, tiff-4.0.0_3, xextproto-7.2.0, xproto-7.0.22

marcelloc

No success :(

freeradius2 with heimdal-1.4_1 returns erros while compiling

gmake[6]: Entering directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rlm_krb5'
/usr/local/bin/libtool --mode=compile cc  -O2 -pipe -I/usr/local/include -L/usr/local/lib -DLDAP_DEPRECATED -fno-strict-aliasing -Wall -D_GNU_SOURCE -pthread -DNDEBUG -I/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src  -DHEIMDAL_KRB5  -I/usr/local/include -I/usr/include/et -DKRB5_DEPRECATED -c rlm_krb5.c
libtool: compile:  cc -O2 -pipe -I/usr/local/include -L/usr/local/lib -DLDAP_DEPRECATED -fno-strict-aliasing -Wall -D_GNU_SOURCE -pthread -DNDEBUG -I/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src -DHEIMDAL_KRB5 -I/usr/local/include -I/usr/include/et -DKRB5_DEPRECATED -c rlm_krb5.c  -fPIC -DPIC -o .libs/rlm_krb5.o
In file included from /usr/local/include/krb5.h:846,
                 from rlm_krb5.c:32:
/usr/local/include/krb5-protos.h:41: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:49: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:402: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:486: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:634: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:843: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:908: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1007: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1281: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1289: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1297: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1305: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1313: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1321: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1329: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1337: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1600: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1608: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1616: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1624: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1632: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1640: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1648: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1656: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1741: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1844: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1854: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1874: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1919: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1952: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1975: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:1983: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2083: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2127: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2142: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2157: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2169: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2181: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2223: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2229: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2607: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2615: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2622: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:2629: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:3144: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:3178: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:3183: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:3734: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:4091: error: expected identifier or '(' before numeric constant
/usr/local/include/krb5-protos.h:4378: error: expected identifier or '(' before numeric constant
gmake[6]: *** [rlm_krb5.lo] Error 1
gmake[6]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules/rlm_krb5'
gmake[5]: *** [rlm_krb5] Error 2
gmake[5]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src/modules'
gmake[3]: *** [modules] Error 2
gmake[3]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/usr/ports/net/freeradius2/work/freeradius-server-2.1.12'
gmake: *** [all] Error 2
*** Error code 1

Stop in /usr/ports/net/freeradius2.
*** Error code 1

I'll try again tomorrow.

marcelloc

well, with krb5 compiled without thousand of deps ???

can you try this package features on lab with x64 pfsense?

x64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/freeradius-2.1.12.tbz

Nachtfalke

@marcelloc:

well, with krb5 compiled without thousand of deps ???

can you try this package features on lab with x64 pfsense?

x64
pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/freeradius-2.1.12.tbz

I did this on a fresh 2.0.1 x64 vm:

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(3): pkg_info
bsdinstaller-2.0.2011.0913 BSD Installer mega-package
gettext-0.18.1.1    GNU gettext package
libiconv-1.13.1_1   A character set conversion library
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(4): pkg_add -r http://e-sac.siteseguro.ws/packages/amd64/8/All/freeradius-2.1.12.tbz
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/freeradius-2.1.12.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/krb5-1.9.2_1.tbz... Done.
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/python27-2.7.2_3.tbz... Done.

====
Note that some of the standard modules are provided as separate
ports since they require extra dependencies:

bsddb           databases/py-bsddb
gdbm            databases/py-gdbm
sqlite3         databases/py-sqlite3
tkinter         x11-toolkits/py-tkinter

Install them as needed.
====

Error: Unable to get http://e-sac.siteseguro.ws/packages/amd64/8/All/perl-5.12.4_3.tbz: Not Found
Fetching http://e-sac.siteseguro.ws/packages/amd64/8/All/libltdl-2.4_1.tbz... Done.
Error: Unable to get http://e-sac.siteseguro.ws/packages/amd64/8/All/gdbm-1.9.1.tbz: Not Found
===> Setting user and group in radiusd.conf
===> Creating users and/or groups.
Creating group 'freeradius' with gid '133'.
Creating user 'freeradius' with uid '133'.
===> Bootstrapping default certificates, please wait...
===> Adjusting ownership of directory /usr/local/etc/raddb
===> Adjusting ownership of directory /var/log/radacct
===> Adjusting ownership of directory /var/run/radiusd
===> Adjusting ownership of /var/log/radius.log
===> Adjusting ownership of /var/log/radutmp
===> Adjusting ownership of /var/log/radwtmp
===> Updating libdir in /usr/local/etc/raddb/radiusd.conf
pkg_add: can't open dependency file '/var/db/pkg/perl-5.12.4_3/+REQUIRED_BY'!
dependency registration is incomplete
pkg_add: can't open dependency file '/var/db/pkg/gdbm-1.9.1/+REQUIRED_BY'!
dependency registration is incomplete

===============================================================================

To enable FreeRADIUS, put the following line in /etc/rc.conf

radiusd_enable="YES"

The sample configuration can be found at
/usr/local/share/examples/freeradius/raddb

If you are upgrading FreeRADIUS, you are advised to use this as a reference
for updating your configuration.

FreeRADIUS will look for its configuration directory at
/usr/local/etc/raddb by default.

If you did not already have a configuration at this location, the sample
configuration has been copied to this location and has been bootstrapped.

If you wish to point FreeRADIUS to a configuration at a different
location, put the following line in /etc/rc.conf

radiusd_flags="-d /path/to/raddb"

To start the server in normal (daemon) mode, run:

/usr/local/etc/rc.d/radiusd start

and to stop the server, run:

/usr/local/etc/rc.d/radiusd stop

To start the server in debugging mode, run:

/usr/local/etc/rc.d/radiusd debug

You are advised to make cautious changes to the configuration, and to test
frequently, using debugging mode where necessary. Try to resist the
temptation to disable or delete things that you don't understand - you may
well break things!

The documentation has been installed at /usr/local/share/doc/freeradius

Useful configuration advice can be found in the FreeRADIUS Wiki at
http://wiki.freeradius.org

===============================================================================

The only two errors I could see are:

Error: Unable to get http://e-sac.siteseguro.ws/packages/amd64/8/All/perl-5.12.4_3.tbz: Not Found
Error: Unable to get http://e-sac.siteseguro.ws/packages/amd64/8/All/gdbm-1.9.1.tbz: Not Found

Just tried to start it an is runs:

[2.0.1-RELEASE][admin@pfsense.localdomain]/root(6): /usr/local/etc/rc.d/radiusd onestart
Starting radiusd.
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(7): /usr/local/etc/rc.d/radiusd onestatus
radiusd is running as pid 28705.
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(8): ps -ax | grep radiusd
28705  ??  Ss     0:00.00 /usr/local/sbin/radiusd
[2.0.1-RELEASE][admin@pfsense.localdomain]/root(9): ps -auwx | grep radiusd
freeradius 28705  0.0  0.6 43020  6180  ??  Is    1:48AM   0:00.00 /usr/local/sbin/radiusd

I did a "ldd rlm_krb5.so":

[2.0.1-RELEASE][admin@pfsense.localdomain]/usr/local/lib/freeradius-2.1.12(8): ldd rlm_krb5.so
rlm_krb5.so:
        libfreeradius-radius-2.1.12.so => /usr/local/lib/freeradius-2.1.12/libfreeradius-radius-2.1.12.so (0x800c00000)
        libkrb5.so => /usr/local/lib/libkrb5.so (0x800d21000)
        libcom_err.so => /usr/lib/libcom_err.so (0x800eef000)
        libk5crypto.so => /usr/local/lib/libk5crypto.so (0x800ff1000)
        libthr.so.3 => /lib/libthr.so.3 (0x80111b000)
        libc.so.7 => /lib/libc.so.7 (0x800646000)
        libkrb5support.so => /usr/local/lib/libkrb5support.so (0x801233000)

And this for ldap, mysql and pgsql:

[2.0.1-RELEASE][admin@pfsense.localdomain]/usr/local/lib/freeradius-2.1.12(10): ldd rlm_sql_postgresql-2.1.12.so
rlm_sql_postgresql-2.1.12.so:
        libpq.so.5 => not found (0x0)
        libthr.so.3 => /lib/libthr.so.3 (0x800c00000)
        libc.so.7 => /lib/libc.so.7 (0x800646000)
[2.0.1-RELEASE][admin@pfsense.localdomain]/usr/local/lib/freeradius-2.1.12(11): ldd rlm_sql_mysql.so
rlm_sql_mysql.so:
        libmysqlclient.so.18 => not found (0x0)
        libz.so.5 => /lib/libz.so.5 (0x800c00000)
        libm.so.5 => /lib/libm.so.5 (0x800d15000)
        libthr.so.3 => /lib/libthr.so.3 (0x800e34000)
        libc.so.7 => /lib/libc.so.7 (0x800646000)
[2.0.1-RELEASE][admin@pfsense.localdomain]/usr/local/lib/freeradius-2.1.12(12): ldd rlm_ldap.so
rlm_ldap.so:
        libfreeradius-radius-2.1.12.so => /usr/local/lib/freeradius-2.1.12/libfreeradius-radius-2.1.12.so (0x800c00000)
        libldap_r-2.4.so.8 => not found (0x0)
        liblber-2.4.so.8 => /usr/local/lib/liblber-2.4.so.8 (0x800d21000)
        libsasl2.so.2 => not found (0x0)
        libssl.so.6 => /usr/lib/libssl.so.6 (0x800e2e000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800f80000)
        libthr.so.3 => /lib/libthr.so.3 (0x80121a000)
        libc.so.7 => /lib/libc.so.7 (0x800646000)

marcelloc

I've just uploaded missing packages, can you try again?

Maybe it's better removing freeradius packages first