NEW Package: freeRADIUS 2.x

z3r0tech

@Nachtfalke:

I have some different VMs with 2.0.1 x86/x64 installs and pfsense 2.1 installs.
I can install the package on all machines from the GUI.

The parameter which indicates the version is the same as for lets say squid2 or squidguard:

<required_version>2.0</required_version>

But I am not sure where the check is for the different installation types like CD, nanobsd and embedded :(

Can you try another .iso image from another mirror ?

the url is invalid i found it here https://redmine.pfsense.org/issues/2075
https://redmine.pfsense.org/projects/pfsense/repository/revisions/c70452506a0ab84a9d72547656b516f6e61578da
i don't know how to apply the diff this is the fix…

Nachtfalke

That's not the problem why you do not get freeradius in packagemanager GUI.

If you want to use pkg_add -r then just use the complete path to pfsense server.

x86:
pkg_add -r http://files.pfsense.org/packages/8/All/freeradius-2.1.12_1.tbz

x64:
pkg_add -r http://files.pfsense.org/packages/amd64/8/All/freeradius-2.1.12_1.tbz

z3r0tech

@Nachtfalke:

That's not the problem why you do not get freeradius in packagemanager GUI.

If you want to use pkg_add -r then just use the complete path to pfsense server.

x86:
pkg_add -r http://files.pfsense.org/packages/8/All/freeradius-2.1.12_1.tbz

x64:
pkg_add -r http://files.pfsense.org/packages/amd64/8/All/freeradius-2.1.12_1.tbz

thanks! it's working now…

i tried this post to install the gui: http://forum.pfsense.org/index.php?topic=50572.0
Fatal error: Call to undefined function freeradius_install_command() in /usr/local/www/exec.php(244) : eval()'d code on line 9

any solutions?

basterik

hi all! culd any one help me to config xmlrpc sync?  i print gui ip adress, password, but sync does't done

stupots

Hello,

Just tried this package for the first time today and it's great!  There's just one minor problem that I would need to solve before I could use this in production.  Unfortunately, I'm not a programmer, so wouldn't know where to begin…

What I would like is to have a check box that lets me enter the plaintext password for the user, but encrypts it in the /usr/local/etc/raddb/users file because otherwise any admin can view the plaintext password.  To get around this on my existing Linux FreeRADIUS server, I have a small perl script as follows:

#! /usr/bin/perl -w
use strict;
use Digest::MD5;
use MIME::Base64;
unless($ARGV[0]){
 print "Please supply a password to create a MD5 hash from.\n";
 exit;
}
my $ctx = Digest::MD5->new;
$ctx->add($ARGV[0]);
print encode_base64($ctx->digest,'')."\n";

So, at the command line, to generate the MD5 password hash:

radius:~ # /root/md5pass.pl <chosen password="">
X03MO1qnZdYdgyfeuILPmQ==</chosen>

Then to use this in my users file I would use the following:

"stuart"   MD5-Password := "X03MO1qnZdYdgyfeuILPmQ=="

Anyone have any thoughts on this?

Thanks,
Stuart

z3r0tech

i found out the solution…

ok to everyone that has no freeradius2 on their package list here's the simple fix...
execute this > ./package.sh off

Nachtfalke

@basterik:

hi all! culd any one help me to config xmlrpc sync?  i print gui ip adress, password, but sync does't done

Could you please explain more in detail whats your problem ?

You have freeradius-server-A and freeradius-server-B
You want to sync from A to B
On A Enable "Automatically sync freeRADIUS configuration changes?"
On A enter the protocol, the IP, the port of B
Enable the "Enable" checkbox in front of this line.
Save

That's it.

Nachtfalke

@stupots:

Hello,

Just tried this package for the first time today and it's great!  There's just one minor problem that I would need to solve before I could use this in production.  Unfortunately, I'm not a programmer, so wouldn't know where to begin…

What I would like is to have a check box that lets me enter the plaintext password for the user, but encrypts it in the /usr/local/etc/raddb/users file because otherwise any admin can view the plaintext password.  To get around this on my existing Linux FreeRADIUS server, I have a small perl script as follows:

#! /usr/bin/perl -w
use strict;
use Digest::MD5;
use MIME::Base64;
unless($ARGV[0]){
 print "Please supply a password to create a MD5 hash from.\n";
 exit;
}
my $ctx = Digest::MD5->new;
$ctx->add($ARGV[0]);
print encode_base64($ctx->digest,'')."\n";

So, at the command line, to generate the MD5 password hash:

radius:~ # /root/md5pass.pl <chosen password="">
X03MO1qnZdYdgyfeuILPmQ==</chosen>

Then to use this in my users file I would use the following:

"stuart"   MD5-Password := "X03MO1qnZdYdgyfeuILPmQ=="

Anyone have any thoughts on this?

Thanks,
Stuart

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

freeradius.inc.txt
freeradius.xml.txt

Nachtfalke

@z3r0tech:

i found out the solution…

ok to everyone that has no freeradius2 on their package list here's the simple fix...
execute this > ./package.sh off

Thank you for your feedback. It would be interesting why this is needed on some .iso images and not on others.
But it is nice to hear that it is working for you now :)

basterik

@Nachtfalke:

Could you please explain more in detail whats your problem ?

You have freeradius-server-A and freeradius-server-B
You want to sync from A to B
On A Enable "Automatically sync freeRADIUS configuration changes?"
On A enter the protocol, the IP, the port of B
Enable the "Enable" checkbox in front of this line.
Save

That's it.

yes, i do all this step and allow all trafic in firewall rule, but server don't sync, in log type:

nov 13 09:42:11 php: /pkg.php: FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout seconds.
nov 13 09:42:11 php: /pkg.php: FreeRADIUS: XMLRPC Sync with x.x.x.x has incomplete credentials. No XMLRPC Sync done!
nov 13 09:42:11 php: /pkg.php: FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync).

Nachtfalke

XMLRPC Sync with x.x.x.x has incomplete credentials

Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.

stupots

Hi,

Thanks for your very speedy reply.  I'll try the attached files later today.

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

For info, I implemented strong passwords on my Linux FreeRADIUS server based on info I found here:

http://www.packtpub.com/article/freeradius-authentication-storing-passwords

To be honest, it doesn't need to be an MD5 password but that's just the first thing I tried that worked.  I was in a hurry yesterday when I posted - what I meant by "check box" was in the user creation tab, have a check box marked "encrypt password" and if selected, hash using MD5 or some other workable way.

If MD5 is the preferred option, then here are some sample hashes for you:

radius:~ # ./md5pass.pl hello
XUFAKrxLKna5cZ2REBfFkg==
radius:~ # ./md5pass.pl pfsense
OktMTd5JTSzsPg6mjkN+Fw==
radius:~ # ./md5pass.pl qwertyuiop
buqbfvGReaBpVO3Q9sBc6w==

Thanks,
Stuart

basterik

@Nachtfalke:

XMLRPC Sync with x.x.x.x has incomplete credentials

Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.

i using this config and i set admin password "123456", but server don't sync, I can't mistake, I set firewall that he logging packets between server, but I do not see any packet

Nachtfalke

@basterik:

@Nachtfalke:

XMLRPC Sync with x.x.x.x has incomplete credentials

Perhaps you are using some special characters in your password which are not allowed.
Can you try a simple password like "password123" and then try again ?

It MUST be the password for the "admin" account of pfsense. no other account will work.

i using this config and i set admin password "123456", but server don't sync, I can't mistake, I set firewall that he logging packets between server, but I do not see any packet

Strange. Are both systems using the same protocol and the same port ?
Can you try to set both to http and port 80.

But in general it works for me with different ports and protocols and some other users are using this, too.

Nachtfalke

@stupots:

Hi,

Thanks for your very speedy reply.  I'll try the attached files later today.

I attached you two files. Replace them with the existing ones in /usr/local/pkg

I used example one on this page. Try if it is ok or if there is something to be changed:
http://php.net/manual/en/function.md5.php

If you want to check the code edit freeradius.inc and watch lines 394-402

–- edit ---
it seems that we do not just need a md5 encoding but after that a base64 encoding of the md5 hash. Could you please try your cript with a password and post your password here and the according hash for that ? So we could do some more tests.
or someone could explain what is done in this perl script ;o)

For info, I implemented strong passwords on my Linux FreeRADIUS server based on info I found here:

http://www.packtpub.com/article/freeradius-authentication-storing-passwords

To be honest, it doesn't need to be an MD5 password but that's just the first thing I tried that worked.  I was in a hurry yesterday when I posted - what I meant by "check box" was in the user creation tab, have a check box marked "encrypt password" and if selected, hash using MD5 or some other workable way.

If MD5 is the preferred option, then here are some sample hashes for you:

radius:~ # ./md5pass.pl hello
XUFAKrxLKna5cZ2REBfFkg==
radius:~ # ./md5pass.pl pfsense
OktMTd5JTSzsPg6mjkN+Fw==
radius:~ # ./md5pass.pl qwertyuiop
buqbfvGReaBpVO3Q9sBc6w==

Thanks,
Stuart

Hi Stuart,

I think I got it. Then enconding in php is different than in perl but this hint gave me the reason:

If the optional raw_output is set to TRUE, then the md5 digest is instead returned in raw binary format with a length of 16\. 

I attached the new freeradius.inc file. Try it again with that file, check if the passwords/hashes are correct and please try if it is really working/authentication.

freeradius.inc.txt

red2006

hello everyone…

im new to pfsense and im interested in implementing this to our school.

ive been reading the whole thread of this topic.

one thing caught my eyes and mind is the topic of @zlyzwy and @Nachtfalke about the SQL feature of freeradius

ive tried the ones posted by @zlyzwy on how to have a database table schema for the user authentication of captive portal

i used an external database server with XAMPP server running...
i created the database on the xampp server with the table schema's posted by @zlyzwy

i reconfigured the freeradius SQL, NAS/Clients, Interface and Captive Portal to redirect to the external database server...

but unfortunately, when i tried testing to connect to the external DB server radtest always gives me the no response from server message.
what could be the problem and why?

the normal CP + freeradius2 configuration with the user entry on freeradius works fine for me but i want to add 2,500 user accts and have a separate webGUI to process,add,delete users on the users table.

if @zlyzwy can only post again on how to populate the table and what tables on the table schema's that he posted should be populated for the user accts and how to connect it to an external db server.

i hope i hear soon from @zlyzwy and @Nachtfalke or anyone who could help me on this inquiry, thank you very much for this topic.

Nachtfalke

Can you run freeradius in debug mode and try again.
Configure everything on GUI, save and the stop the radiusd service on the GUI.

after that go to the pfsense console and type:

radiusd -X

Then try to authenticate a user and check the output of freeradius. It probably tells you what you have to do or what is not correct.

Or perhaps you are using a password which is using special characters which are not allowed. Try a simple password first.
Or the firewall rules on the xampp server do not allow traffic from pfsense - check this and disable all firewall rules.

red2006

Thank you very much for a fast reply on my inquiry.

i tried stopping the radius service on GUI and on console,
but i get the FAILED to connect to any sql server message of radiusd -X syntax.

attached are my configurations for

SQL in freeradius

Captive Portal

security setting on my xampp server

and the error message on the radiusd -X

maybe i miss something on the configuration but i just followed the instructions on this thread

Thank you very very much…

Nachtfalke

Hi,

your CP configuration looks wired. The authentication port for radius is 3306 - which is your sql port !? This looks strange.

To make clear the way how freeradius is working:

Freeradius has a listening port for authentication and if you need an accounting port
You must configure the ports on the "interfaces" tab of freeradius
The CP must connect to the listening ports of freeradius.

CP does not connect directly to the mysql database - it connects to freeradius and freeradius decides if to send the request to mysql or somewhere else.

In general the authentication port for freeradius is 1812 and the accounting port is 1813
and these two ports are important for the CP.

red2006

hello Nachtfalke,

and thank you very much for your patience…

i change my port on my captive portal config to 1812

but still same error appears on radiusd -X on console

rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@192.168.1.7:3306/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server radius@192.168.1.7:radius
rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '192.168.1.7' (60)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Failed to load clients from SQL.
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
/usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql".
/usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.

i attached my

nas/clients configuration here

and my interfaces configuration.

thank you very much for your patience Nachtfalke.

-red