NEW Package: freeRADIUS 2.x
-
how fast will that update show in the snapshot???i see its in the github ??
The code is already pushed, just reinstall the package to get these fixes.
-
eish dont know if im doing something wrong but it looks a bit better but still no sql…I do see its still trying to connect to localhost even that I set it to ip of sql server.
Apr 20 20:45:37 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 20 20:45:37 php: /pkg_edit.php: The command '/usr/local/etc/rc.d/radiusd.sh stop' returned exit code '1', the output was 'radiusd not running?'
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Starting connect to MySQL server for #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
Apr 20 20:45:39 radiusd[21851]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Failed to connect DB handle #0
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Apr 20 20:45:39 radiusd[21851]: Failed to load clients from SQL.
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 4
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 3
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 2
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 1
Apr 20 20:45:39 radiusd[21851]: rlm_sql (sql): Closing sqlsocket 0
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to find "sql" in the "modules" section.
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
Apr 20 20:45:39 radiusd[21851]: /usr/pbi/freeradius-i386/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section.
Apr 20 20:45:39 radiusd[21851]: Failed to load virtual server <default></default> -
@skoenman
there was a small typo in the freeradius.inc file. Try to reinstall the package and please try again. -
I have successfully setup WPA2 Enterprise with EAP-TLS. Is there a way to create a user, that is not allowed to login with a password? I just want to use certificates and I have noticed that I can login (via MSCHAPv2 I guess) without certificates by just providing the user/password combo I created. Leaving the password entry empty allows the user to login without any password, so that is not an option.
For a test, I removed "Cleartext-Password :=" leaving just the username in the file "users". That seems to prevent the user from logging in with an empty password while still allowing login using certificates.
Is there a more elegant way to do this? Don't know if it is a supported option to just put a user in "users" without any option afterwards. But if it was, could it be made an option in the in users sections of the freeradius2 package? -
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration
Try with the docs. Disable weak EAP types. enable check cert user.
-
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#General_EAP_configuration
Try with the docs. Disable weak EAP types. enable check cert user.
Thanks for the quick answer, I used the wiki for my initial setup some time ago.
I'm sorry if I overlooked something, but I cannot find "check cert user", do you mean "Check Client Certificate CN"? That is already checked.
I found out that I can delete the user completely and still login via EAP-TLS when no user is defined. It seems any certificate issued by the pfSense internal CA is vaild for login now, even though I selected a specific cert in "CERTIFICATES FOR TLS" for "SSL Client Certificate". Cannot find any reference to that cert in eap.conf, though. Where would that client cert be found?
Here are my settings:
-
@athurdent
I just posted the docs to make sure you found the information there.In general EAP-TLS works without username and password. If the client has a valid client certificate which matches the CA on the freeradius server then the authentication will work.
If you enable "Check Client Certificate CN" then the common name of the client certificate must match the username (and password) in the users file. If you disable "Check Client Certificate CN" then the users file will not be checked.
On the GUI screenshots you posted there is something which shouldn't be there and confuses people in the past. I updated that yesterday and forget something which I removed right now. Reinstall the packages "GUI" and it will remove useless "SSL Client Certificate". (This was a kind of export feature which is useless and can be done from SYSTEM –> Cert Manager --> Certificate --> Download .p12)
The only certificates you need to enter on the freeradius GUI is the CA and the server certificate. Client certificate must be copied to your WLAN client. Perhaps try with a new client certificate and remove the old one from your machine or create a complete new CA and server certificate and client certificate.
If you like to read more about "Check Client Certificate CN" then google for "check_cert_cn" which is the configuration line on freeradius eap.conf file. I do not find to much on the web.
Hope this will help you!
-
Guys got the freeradius to run…now i added a user with password but it wasnt addded to the db what could be the problem???sql db???it doesnt give any errors in the logs and connects fine...does pfsense update the username and password into the db and if so how often???
edit i have whmcs creating the username and password but need to import it into pfsense???
-
Guys got the freeradius to run…now i added a user with password but it wasnt addded to the db what could be the problem???sql db???it doesnt give any errors in the logs and connects fine...does pfsense update the username and password into the db and if so how often???
edit i have whmcs creating the username and password but need to import it into pfsense???
Hi,
nice to hear that it is running now.If you are using mysql as database for authentication then you need to put the usernames and passwords into the mysql database. Do this with phpmyadmin or something else.
If you add a user on "FreeRADIUS –> Users" then the users will not be stored on the database they will be stored in the local users file.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL -
so at this stage theres no way to sync local db to mysql db???
-
so at this stage theres no way to sync local db to mysql db???
No, that's not the intention.
If you want to use redundancy then you must use 2 SQL databases and use the loadbalance functions.
-
If you enable "Check Client Certificate CN" then the common name of the client certificate must match the username (and password) in the users file. If you disable "Check Client Certificate CN" then the users file will not be checked.
Thanks for the quick answer and fixing the package!
Regarding "check_cert_cn": I think the client certificate CN only has to match the username you send in your radius request, the users file does not seem to be parsed at all. Like I said, I currently have an empty users file, have enabled "Check Client Certificate CN" and I can login with my wlan cert.
Post no 2 in this link seems to confirm this:
http://www.linuxhorizon.com/1-unix/30bd220de93c4195.htmIf you think that is correct and not just specific to my setup, maybe the wiki entry for EAP-TLS should be flagged with a warning that adding a user and password to "users" also allows logins without cert and just username/password?
Anyway, many thanks again, I am happy with my setup now as no one is allowed to login via username/password. And if a cert needs to be blocked, I just revoke it using that nice new CRL option ;)
-
@athurdent
What you say seems to be correct. In general you just allow authentication methods on the server configuration which you really want to use. The package ist not as flexible as a config file which you can edit with a text editor.So if you mix authentication methods like some clients should use EAP-TLS, others just username/password, this could have unwanted side effects.
Perhaps this could be something for the future freeradius packages :-)
-
radiusd -X do not start
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1366719452 [2013-04-23 23:17:32], Next reset 1366722000 [2013-04-24 00:00:00]
ERROR: Cannot find a configuration entry for module "weekly".after reboot
Failed binding to /var/run/radiusd/radiusd.sock: No such file or directory
Please help!
-
Try to reinstall the FreeRADIUS GUI.
-
Updates pkg v1.6.7_2:
- Modified: XMLRPC sync code to generalize it with other packages and added the possibility to make it automatically sync with CARP members.
The code was changed by marcelloc because of an intention of the developers to make it more consistent with other pfsense functions. I just copied it over and hopefully made it workable with freeradius2. You probably need to confirm the XMLRPC configurations after you updated the package.
Known bugs:
-
When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164 -
When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155 -
When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143
-
Hi, i have some problem too :)
i need to use sql feature, but when i enable SQL , my radius stop working,
do you have any idea? -
Hi, i have some problem too :)
i need to use sql feature, but when i enable SQL , my radius stop working,
do you have any idea?Yes.
FreeRADIUS just connects to a SQL server - it has no own sql server. What you have to do is to install a SQL server somewhere else and then connect freeradius to this sql server.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL -
already i have PHPMYSQL, it's working, but when i try to connect to my sql server, radius stops running?
http://imageshack.us/photo/my-images/571/524201391520am.jpg
http://imageshack.us/photo/my-images/259/524201391628am.jpg
http://imageshack.us/photo/my-images/254/524201391723am.jpgAnd here the debug
$ radiusd -X FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jun 19 2012 at 09:11:11 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2\. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/motp including configuration file /usr/local/etc/raddb/modules/datacounter_acct including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client deneme { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "deneme" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369440000 [2013-05-25 00:00:00] Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369526400 [2013-05-26 00:00:00] Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1370044800 [2013-06-01 00:00:00] Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 0 [2013-05-24 03:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp exec motp { wait = yes program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "192.168.1.226" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = yes sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@192.168.1.226:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql_mysql: Couldn't connect socket to MySQL server radius@192.168.1.226:radius rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)' rlm_sql (sql): Failed to connect DB handle #0 rlm_sql (sql): starting 1 rlm_sql (sql): starting 2 rlm_sql (sql): starting 3 rlm_sql (sql): starting 4 rlm_sql (sql): Failed to connect to any SQL server. rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Ignoring unconnected handle 4.. rlm_sql (sql): Ignoring unconnected handle 3.. rlm_sql (sql): Ignoring unconnected handle 2.. rlm_sql (sql): Ignoring unconnected handle 1.. rlm_sql (sql): Ignoring unconnected handle 0.. rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0 Failed to load clients from SQL. rlm_sql (sql): Closing sqlsocket 4 rlm_sql (sql): Closing sqlsocket 3 rlm_sql (sql): Closing sqlsocket 2 rlm_sql (sql): Closing sqlsocket 1 rlm_sql (sql): Closing sqlsocket 0 /usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql" /usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql". /usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry. /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. -
Looks like your mysql password or username is wrong. Check with a simple password without complex characters to make sure it works.
rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)'Further you need to create the correct tables on your database and you need to add the clients/nas in the database and the users, too.
If you are using a database as backend then the freeradius2 GUI "Users" and "Client/NAS" is obsolete.I myself do not use mysql so I cannot help you much on that - that's why I posted you the links in my previous post.
–-- edit ----
When you go to freeradius --> view config --> sql.conf
there you can see the sql.conf as textfile. You can check there if the settings you made on GUI are correct and doublecheck with documentations on the internet.
