NEW Package: freeRADIUS 2.x
-
Ok, no problem.
In checked your radiusd -X output and could not found a problem.
I checked the installed packages on my system with
pkg_info
and I found
gdbm-1.9.1
Make sure that you have this on your pfsense - I am not absolutly sure but I think this comes with pfsense by default.
You can try to add it with:
amd64pkg_add -r http://files.pfsense.org/packages/amd64/8/All/gdbm-1.9.1.tbz
i386:
pkg_add -r http://files.pfsense.org/packages/8/All/gdbm-1.9.1.tbz
-
Ui, i've an older version:
gdbm-1.8.3_3 The GNU database manager
Will install the new one. May be this works.
EDIT:
pkg_delete gdbm-1.8.3_3
pkg_delete: file '/usr/local/man/man3/gdbm.3.gz' doesn't exist
pkg_delete: file '/usr/local/include/gdbm.h' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.a' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.la' doesn't exist
pkg_delete: file '/usr/local/lib/libgdbm.so' doesn't exist
pkg_delete: file '/usr/local/info/gdbm.info' doesn't exist
pkg_delete: couldn't entirely delete package (perhaps the packing list is
incorrectly specified?)EDIT2:
@#$! >:(
Same error:
gdbm fatal: read error
-
Don't know why.
Can you reinstall pfsense - backup the config before you do that.
-
No, can't do that. It's big machine with several interfaces and many active VPN connections. No further idea?
EDIT:
Ok, i think i found a bug. Did a few test and commented out some lines. Now, i can start the radiusd.
Here is what i commented out.
@radiusd.conf:
…
instantiate {exec
expr
#daily
#weekly
#monthly
#forever
expiration
logintime
### Dis-/Enable sql instatiate
#sql
}
…@sites-available/default:
…
# The ldap module will set Auth-Type to LDAP if it has not
# already been set### ldap ###
#
# Enforce daily limits on time spent logged in.
#daily
#weekly
#monthly
#forever#
# Use the checkval module
…
accounting {
#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail
#daily
#weekly
#monthly
#forever
…Further informations will follow.
EDIT2:
Ok, looks like a big bug. Copied my old configuration and commented out this lines. Now everything works. Can anybody explain me these settings?
-
I've written to patches for these files:
--- /usr/local/etc/raddb/sites-available/default 2012-12-12 07:50:48.000000000 +0100 +++ default 2012-12-12 07:39:34.000000000 +0100 @@ -197,10 +197,10 @@ # # Enforce daily limits on time spent logged in.[color][/color] - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever # # Use the checkval module @@ -400,10 +400,10 @@ # Note that accounting requests which are proxied # are also logged in the detail file. detail - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever ### This makes it possible to run the datacounter_acct module only on accounting-stop and interim-updates if ((request:Acct-Status-Type == Stop) || (request:Acct-Status-Type == Interim-Update)) {
--- /usr/local/etc/raddb/radiusd.conf 2012-12-12 07:49:27.000000000 +0100 +++ radiusd.conf 2012-12-12 07:38:03.000000000 +0100 @@ -87,10 +87,10 @@ exec expr - daily - weekly - monthly - forever + #daily + #weekly + #monthly + #forever expiration logintime ### Dis-/Enable sql instatiate
These two patches are applied via crontab every night. I know this is just a workaround.
-
It's not a bug. You have a missing config file on your system.
You should have a file called "counter" here:usr/local/etc/raddb/modules/
This is for granting time based access.
The function on freeradius.inc is called:freeradius_modulescounter_resync()
You will find it on line 2611.
And the initial configuration on line 112 and the following.
-
Ah ok, i remember this file. But it's there:
-rw-r----- 1 root wheel 3.6K Dec 7 13:27 /usr/local/etc/raddb/modules/counter
Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679
-
Ah ok, i remember this file. But it's there:
-rw-r----- 1 root wheel 3.6K Dec 7 13:27 /usr/local/etc/raddb/modules/counter
Here it is: http://paste.pcspinnt.de/pastebin.php?show=m64f35679
Ok, then the problem isn't freeradius but some missing files on your pfsense. missing packages like gdbm or something else.
That's why I said - backup the pfsense config, reinstall pfsense and restore config. this will reinstall all packages and restore all config.If this isn't the way you want to go - then you can modify the freeradius.inc file and uncomment the lines you posted.
Uncomment them on line 349 and 1596. Then you do not need any cron script. -
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
-
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".Enable logging on freeradius2 to see what is happening on syslog.
-
Hi there!
Has anyone ever tried to set MikroTik RADIUS authentication?
I want to auth my AP-s from PF freeradius2.With freeradius is working, but I cannot set bandwith limits… :(
With freeradius2 isn't communicating... :(any ideas? :)
Thanks in advance... :(
Select an interface for authentication or set "*" for any interface.
on "client/NAS" set the IP address of the mikrotik AP and the correct password.
On Mikrotik set as RADIUS IP the IP of the listening interface and the correct/same password as on "Clients/NAS".Enable logging on freeradius2 to see what is happening on syslog.
hmmm…
Status: Services
radiusd FreeRADIUS Server StoppedBut I do not know why.... ???
I've checkd the log (all of /var/log) but nothing find why...
MikroTik log say:
timeot...Now I know why :-)
Where can I see why can't start service?
-
(…)
Where can I see why can't start service?Go to pfsense console and run freeradius in debug mode. You can do this with that command:
radiusd -X
The output will tell you what is missing/going wrong. If you have questions then please post the complete output you got.
-
In general you should create your CA ander server cert on pfsene Cert Manager.
then select these two certificates on freeradius -> EAP and save.Client certificates can be build on pfsense Cert Manager and export the .p12 file. This should work and the .p12 file should be without any password. can you try with an empty password ? But this is more a "pfsense" problem than a freeradius problem.
I am not sure but if I remember correct there was another thread here in the forum which is about the .p12 file and a password. Perhaps the search function can help you.
Thanks for the answer.
My Certificate Authority and certificate was created in pfsense Cert manager. I just created .pfx with openssl.
In first time i try with an empty password and second time with a password "pfsense" but exactly the same result.I use pfsense 2.0.1 AMD release.
Myke.
Did anyone get this working? I came across this relatively fresh posting because I ran into the same problem (didn't I? Maybe someone spots a difference below)
_I created a root-CA and a CA in pfSense cert-manager and created a server-cert and client-cert for EAP-TLS only. In Services->FreeRadius->EAP->CERTIFICATES FOR TLS I choose the CA, server-cert and client-cert. I checked "Create client.p12 for export" and saved.
When I download the .p12 file from /usr/local/etc/raddb/certs/client_cert.p12 or using the cert-manager I get asked for a password when trying to install them on OSX or iOS …_
Thanks a lot!!
Sascha -
By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty. (Default: whatever)
In general you should leave this password field on freeradius –> EAP empty. If it is the default one it is whatever
If the password field was empty then the password on this .p12 file is not freeradius related but pfsense cert manager related.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#EAP-TLS
-
This is exactly what I thought. That is why I am so surprised that it does not seem to work…
I left the password in EAP empty, but the .p12 ist protected.I also tried "whatever" but it didn't work. I tried all other passwords I used in this context, but also not the correct ones.
Is it possible to create the client .p12 on the Shell (not meaning the FreeRADIUS script)? Isn't it "simply" a cert created from my CA - in a special format? I am not that deep into this topic :-/
BTW: Initially I thought every User would identify himself using a personal cert. Is this a wrong assumption or just not implemented in the FreeRADIUS packages GUI? ... Or did I only miss it there?
Kind regards,
Sascha -
Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:
$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt
It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.
Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":
If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)
I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?
Maybe I'll find out soon, maybe not :-) I'll keep trying!
Kind regards,
Sascha -
Okay.
I've tried several hours and could not get a usable .p12 from the GUI. By usable I mean, a .p12 with a password that I know. I tried "whatever" and every other password I used (just 5 in total).Then I tried a different approach, which is not what I initially wanted, but I can live with it. I downloaded the CA.crt (not the key!) and the .crt, .key of the client-certificate from pfSense's cert-manager (the one I tried to export as .p12 before). In bash I converted them into the .p12 format:
$ openssl pkcs12 -export -out client_cert_user1.p12 -inkey client_cert_user1.key -in client_cert_user1.crt -certfile myCA.crt
It asked for a password and created the .p12-cert. I could import it in OSX and iOS and authentication using the .p12-cert worked.
I found the conde which generates the .p12 file:
https://github.com/bsdperimeter/pfsense/blob/master/usr/local/www/system_certmanager.phpif ($act == "p12") { if (!$a_cert[$id]) { pfSenseHeader("system_certmanager.php"); exit; } $exp_name = urlencode("{$a_cert[$id]['descr']}.p12"); $res_crt = openssl_x509_read(base64_decode($a_cert[$id]['crt'])); $res_key = openssl_pkey_get_private(array(0 => base64_decode($a_cert[$id]['prv']) , 1 => "")); $exp_data = ""; openssl_pkcs12_export($res_crt, $exp_data, $res_key, null); $exp_size = strlen($exp_data); header("Content-Type: application/octet-stream"); header("Content-Disposition: attachment; filename={$exp_name}"); header("Content-Length: $exp_size"); echo $exp_data; exit; }
And this php command should create the file:
openssl_pkcs12_export($res_crt, $exp_data, $res_key, null);
A look at the manual shpws this:
http://php.net/manual/de/function.openssl-pkcs12-export.phpI do not see anything what could be wrong. Perhaps replace "null" with something else or try this as password.
Now I found out, that I can login (at least from my iPhone) if I enter the username that the client-cert has as CN (I checked "Check Client Certificate CN" in the EAP settings). But the user does not have to exist …. I have an empty user-table in FreeRADIUS (file is really empty, too) and login works, as long as I enter the same username that the certificate's CN is... strange thing. The GUI says about "Check Client Certificate CN":
If this is enabled then the common name of the client certificate must match the username you set in FreeRADIUS => Users. (Default: unchecked)
I thought that the client-cert would be useless, if the user is not existing in FreeRADIUS. Am I missing something? Or misunderstanding? Or is the username irrelevant if I have the client-cert installed?
Maybe I'll find out soon, maybe not :-) I'll keep trying!
Kind regards,
SaschaI found this on the net:
No, the only thing that check_cert_cn does is make sure that the CN in
the certificate matches the User-Name attribute in the RADIUS request.
It's basically just a sanity/security check on the request itself. It
does not go looking on other autz sources for you. It is up to you to
decide elsewhere (users file, SQL DB, LDAP) whether or not to allow that
user to authenticate. If you do nothing, the user will be allowed to
authenticate by default. If, for some reason, you decide you don't want
a user to be allowed to authenticate, you must specifically reject him.And here is the original eap.conf:
http://wiki.freeradius.org/Eap.conf/eaedb27b545ae8177cac6744ab09437c72594c1cFurther try with Disable weak EAP types and Default EAP Type = TLS
-
Guys i Hope you guys can help me .. im having a very funny thing happening. I have pfsense with freeradius 2 running. my mysql server is on same network and i can connect through the pfsense shell to the mysql server.
TThing is when i create a user it doesnt create it in the database (mysqlserver ) but just on the local one. I have tried looking on the logs and all i can see that doesnt look right is this .radiusd[62149]: rlm_sql (sql): Connected new DB handle, #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql_mysql: Starting connect to MySQL server for #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Attempting to connect to radius@172.22.2.12:3306/radius
Jan 14 20:40:22 radiusd[62149]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Jan 14 20:40:22 radiusd[62149]: Core dumps are enabled.
Jan 14 20:40:20 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'does anybody have a idea please. Im running version 2.0.2 of software.
-
If you add a user on freeradius –> USERS tab this will add a user on local "users" file. Not less and not more.
If you want to use a mysqld server - then you must add users on your mysql database. This cannot be done from freeradius GUI.
The only thing you can do on freeradius is to configure the connection to an external mysql database.So the log is telling you what is happening:
Attempting to connect to radius@172.22.2.12:3306/radius
freeradius tries to connect to your mysql server on IP172.22.2.12 on port 3306 - bot probably something went wrong.
Wrong database user and password and/or wrong database.This could help you:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL -
So what you trying to tell me is that the users are local??? what would happen if i have a user called koos trying to connect ….lets say he is in the mysql database but not in the local one????
will the user still be able to auth???