NEW Package: freeRADIUS 2.x
-
Please start freeradius from console in debug mode. type:
radiusd -X
and the post the complete output. I am sure the error is somewhere else.
-
Here is the output:
http://paste.pcspinnt.de/pastebin.php?show=m72943fe0
May be it's a bug. I'm using the newest freeradius2 package (Beta 1.1.8 pkg v1.0.5 platform: 2.0)
-
Here is the output:
http://paste.pcspinnt.de/pastebin.php?show=m72943fe0
May be it's a bug. I'm using the newest freeradius2 package (Beta 1.1.8 pkg v1.0.5 platform: 2.0)
You mixed up things. there are two different freeradius packages.
freeradius and freeradius2. They are both not compatible. Which version do you use and which version do you want to use ?This is the thread for freeradius2 package.
-
Sorry, wrong paste. Now the right one:
RC1
2.1.12_1 pkg v1.6.6_4
platform: 2.0 -
Ok, no problem.
In checked your radiusd -X output and could not found a problem.
I checked the installed packages on my system with
pkg_info
and I found
gdbm-1.9.1
Make sure that you have this on your pfsense - I am not absolutly sure but I think this comes with pfsense by default.
You can try to add it with:
amd64pkg_add -r http://files.pfsense.org/packages/amd64/8/All/gdbm-1.9.1.tbz
i386:
pkg_add -r http://files.pfsense.org/packages/8/All/gdbm-1.9.1.tbz
-
Ui, i've an older version:
gdbm-1.8.3_3 The GNU database manager
Will install the new one. May be this works.
EDIT:
pkg_delete gdbm-1.8.3_3
pkg_delete: file '/usr/local/man/man3/gdbm.3.gz' doesn't exist
pkg_delete: file '/usr/local/include/gdbm.h' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.a' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.la' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.so' doesn't exist
pkg_delete: file '/usr/local/info/gdbm.info' doesn't exist
pkg_delete: couldn't entirely delete package (perhaps the packing list is
incorrectly specified?)EDIT2:
@#$! >:(
Same error:
gdbm fatal: read error
-
Don't know why.
Can you reinstall pfsense - backup the config before you do that.
-
No, can't do that. It's big machine with several interfaces and many active VPN connections. No further idea?
EDIT:
Ok, i think i found a bug. Did a few test and commented out some lines. Now, i can start the radiusd.
Here is what i commented out.
@radiusd.conf:
…
instantiate {exec
expr
#daily
#weekly
#monthly
#forever
expiration
logintime
### Dis-/Enable sql instatiate
#sql
}
…@sites-available/default:
…
# The ldap module will set Auth-Type to LDAP if it has not
# already been set### ldap ###
#
# Enforce daily limits on time spent logged in.
#daily
#weekly
#monthly
#forever#
# Use the checkval module
…
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
#daily
#weekly
#monthly
#forever
…Further informations will follow.
EDIT2:
Ok, looks like a big bug. Copied my old configuration and commented out this lines. Now everything works. Can anybody explain me these settings?
-
I've written to patches for these files:
--- /usr/local/etc/raddb/sites-available/default 2012-12-12 07:50:48.000000000 +0100 +++ default 2012-12-12 07:39:34.000000000 +0100 @@ -197,10 +197,10 @@ # # Enforce daily limits on time spent logged in.[color][/color] - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever # # Use the checkval module @@ -400,10 +400,10 @@ # Note that accounting requests which are proxied # are also logged in the detail file. detail - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
--- /usr/local/etc/raddb/radiusd.conf 2012-12-12 07:49:27.000000000 +0100 +++ radiusd.conf 2012-12-12 07:38:03.000000000 +0100 @@ -87,10 +87,10 @@ exec expr - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever expiration logintime ### Dis-/Enable sql instatiate
These two patches are applied via crontab every night. I know this is just a workaround.
-
It's not a bug. You have a missing config file on your system.
You should have a file called "counter" here:usr/local/etc/raddb/modules/
This is for granting time based access.
The function on freeradius.inc is called:freeradius_modulescounter_resync()
You will find it on line 2611.
And the initial configuration on line 112 and the following.
-
Ah ok, i remember this file. But it's there:
-rw-r----- 1 root wheel 3.6K Dec 7 13:27 /usr/local/etc/raddb/modules/counter
Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679
-
Ah ok, i remember this file. But it's there:
-rw-r----- 1 root wheel 3.6K Dec 7 13:27 /usr/local/etc/raddb/modules/counter
Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679
Ok, then the problem isn't freeradius but some missing files on your pfsense. missing packages like gdbm or something else.
That's why I said - backup the pfsense config, reinstall pfsense and restore config. this will reinstall all packages and restore all config.If this isn't the way you want to go - then you can modify the freeradius.inc file and uncomment the lines you posted.
Uncomment them on line 349 and 1596. Then you do not need any cron script. -
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
-
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".Enable logging on freeradius2 to see what is happening on syslog.
-
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".Enable logging on freeradius2 to see what is happening on syslog.
hmmm…
Status: Services
radiusd FreeRADIUS Server StoppedBut I do not know why.... ???
I've checkd the log (all of /var/log) but nothing find why...
MikroTik log say:
timeot...Now I know why :-)
Where can I see why can't start service?
-
(…)
Where can I see why can't start service?Go to pfsense console and run freeradius in debug mode. You can do this with that command:
radiusd -X
The output will tell you what is missing/going wrong. If you have questions then please post the complete output you got.
-
In general you should create your CA ander server cert on pfsene Cert Manager.
then select these two certificates on freeradius -> EAP and save.Client certificates can be build on pfsense Cert Manager and export the .p12 file. This should work and the .p12 file should be without any password. can you try with an empty password ? But this is more a "pfsense" problem than a freeradius problem.
I am not sure but if I remember correct there was another thread here in the forum which is about the .p12 file and a password. Perhaps the search function can help you.
Thanks for the answer.
My Certificate Authority and certificate was created in pfsense Cert manager. I just created .pfx with openssl.
In first time i try with an empty password and second time with a password "pfsense" but exactly the same result.I use pfsense 2.0.1 AMD release.
Myke.
Did anyone get this working? I came across this relatively fresh posting because I ran into the same problem (didn't I? Maybe someone spots a difference below)
_I created a root-CA and a CA in pfSense cert-manager and created a server-cert and client-cert for EAP-TLS only. In Services->FreeRadius->EAP->CERTIFICATES FOR TLS I choose the CA, server-cert and client-cert. I checked "Create client.p12 for export" and saved.
When I download the .p12 file from /usr/local/etc/raddb/certs/client_cert.p12 or using the cert-manager I get asked for a password when trying to install them on OSX or iOS …_
Thanks a lot!!
Sascha -
By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty. (Default: whatever)
In general you should leave this password field on freeradius –> EAP empty. If it is the default one it is whatever
If the password field was empty then the password on this .p12 file is not freeradius related but pfsense cert manager related.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS
-
This is exactly what I thought. That is why I am so surprised that it does not seem to work…
I left the password in EAP empty, but the .p12 ist protected.I also tried "whatever" but it didn't work. I tried all other passwords I used in this context, but also not the correct ones.
Is it possible to create the client .p12 on the Shell (not meaning the FreeRADIUS script)? Isn't it "simply" a cert created from my CA - in a special format? I am not that deep into this topic :-/
BTW: Initially I thought every User would identify himself using a personal cert. Is this a wrong assumption or just not implemented in the FreeRADIUS packages GUI? ... Or did I only miss it there?
Kind regards,
Sascha -
Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:
$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt
It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.
Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":
If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)
I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?
Maybe I'll find out soon, maybe not :-) I'll keep trying!
Kind regards,
Sascha