NEW Package: freeRADIUS 2.x
-
Guys got the freeradius to run…now i added a user with password but it wasnt addded to the db what could be the problem???sql db???it doesnt give any errors in the logs and connects fine...does pfsense update the username and password into the db and if so how often???
edit i have whmcs creating the username and password but need to import it into pfsense???
Hi,
nice to hear that it is running now.If you are using mysql as database for authentication then you need to put the usernames and passwords into the mysql database. Do this with phpmyadmin or something else.
If you add a user on "FreeRADIUS –> Users" then the users will not be stored on the database they will be stored in the local users file.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL -
so at this stage theres no way to sync local db to mysql db???
-
so at this stage theres no way to sync local db to mysql db???
No, that's not the intention.
If you want to use redundancy then you must use 2 SQL databases and use the loadbalance functions.
-
If you enable "Check Client Certificate CN" then the common name of the client certificate must match the username (and password) in the users file. If you disable "Check Client Certificate CN" then the users file will not be checked.
Thanks for the quick answer and fixing the package!
Regarding "check_cert_cn": I think the client certificate CN only has to match the username you send in your radius request, the users file does not seem to be parsed at all. Like I said, I currently have an empty users file, have enabled "Check Client Certificate CN" and I can login with my wlan cert.
Post no 2 in this link seems to confirm this:
http://www.linuxhorizon.com/1-unix/30bd220de93c4195.htmIf you think that is correct and not just specific to my setup, maybe the wiki entry for EAP-TLS should be flagged with a warning that adding a user and password to "users" also allows logins without cert and just username/password?
Anyway, many thanks again, I am happy with my setup now as no one is allowed to login via username/password. And if a cert needs to be blocked, I just revoke it using that nice new CRL option ;)
-
@athurdent
What you say seems to be correct. In general you just allow authentication methods on the server configuration which you really want to use. The package ist not as flexible as a config file which you can edit with a text editor.So if you mix authentication methods like some clients should use EAP-TLS, others just username/password, this could have unwanted side effects.
Perhaps this could be something for the future freeradius packages :-)
-
radiusd -X do not start
rlm_counter: Counter attribute Daily-Session-Time is number 11273
rlm_counter: Current Time: 1366719452 [2013-04-23 23:17:32], Next reset 1366722000 [2013-04-24 00:00:00]
ERROR: Cannot find a configuration entry for module "weekly".after reboot
Failed binding to /var/run/radiusd/radiusd.sock: No such file or directory
Please help!
-
Try to reinstall the FreeRADIUS GUI.
- 23 days later
-
Updates pkg v1.6.7_2:
- Modified: XMLRPC sync code to generalize it with other packages and added the possibility to make it automatically sync with CARP members.
The code was changed by marcelloc because of an intention of the developers to make it more consistent with other pfsense functions. I just copied it over and hopefully made it workable with freeradius2. You probably need to confirm the XMLRPC configurations after you updated the package.
Known bugs:
-
When using "stop/start accounting on CP then "Amount of Time/Amount of Traffic" isn't working correctly.
http://redmine.pfsense.org/issues/2164 -
When using CP + RADIUS + Vouchers and "reauthenticate every minute" is enabled then CP sends the voucher as username to RADIUS. This causes RADIUS to disconnect the "user/voucher" because of an unknown/wrong "username".
http://redmine.pfsense.org/issues/2155 -
When stop/start accounting on CP is enabled than the syslog shows many "wrong order" or "Login found bot no logout detected". This seems to not affect the usage of RADIUS but it is not 100% correct.
http://redmine.pfsense.org/issues/2143
-
Hi, i have some problem too :)
i need to use sql feature, but when i enable SQL , my radius stop working,
do you have any idea? -
Hi, i have some problem too :)
i need to use sql feature, but when i enable SQL , my radius stop working,
do you have any idea?Yes.
FreeRADIUS just connects to a SQL server - it has no own sql server. What you have to do is to install a SQL server somewhere else and then connect freeradius to this sql server.
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#MySQL -
already i have PHPMYSQL, it's working, but when i try to connect to my sql server, radius stops running?
http://imageshack.us/photo/my-images/571/524201391520am.jpg
http://imageshack.us/photo/my-images/259/524201391628am.jpg
http://imageshack.us/photo/my-images/254/524201391723am.jpgAnd here the debug
$ radiusd -X FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jun 19 2012 at 09:11:11 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2\. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/motp including configuration file /usr/local/etc/raddb/modules/datacounter_acct including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client deneme { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "deneme" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369440000 [2013-05-25 00:00:00] Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1369526400 [2013-05-26 00:00:00] Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 1370044800 [2013-06-01 00:00:00] Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1369367889 [2013-05-24 03:58:09], Next reset 0 [2013-05-24 03:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp exec motp { wait = yes program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "192.168.1.226" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = yes sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@192.168.1.226:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql_mysql: Couldn't connect socket to MySQL server radius@192.168.1.226:radius rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)' rlm_sql (sql): Failed to connect DB handle #0 rlm_sql (sql): starting 1 rlm_sql (sql): starting 2 rlm_sql (sql): starting 3 rlm_sql (sql): starting 4 rlm_sql (sql): Failed to connect to any SQL server. rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Ignoring unconnected handle 4.. rlm_sql (sql): Ignoring unconnected handle 3.. rlm_sql (sql): Ignoring unconnected handle 2.. rlm_sql (sql): Ignoring unconnected handle 1.. rlm_sql (sql): Ignoring unconnected handle 0.. rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0 Failed to load clients from SQL. rlm_sql (sql): Closing sqlsocket 4 rlm_sql (sql): Closing sqlsocket 3 rlm_sql (sql): Closing sqlsocket 2 rlm_sql (sql): Closing sqlsocket 1 rlm_sql (sql): Closing sqlsocket 0 /usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql" /usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql". /usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry. /usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize section. -
Looks like your mysql password or username is wrong. Check with a simple password without complex characters to make sure it works.
rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'192.168.1.1' (using password: YES)'Further you need to create the correct tables on your database and you need to add the clients/nas in the database and the users, too.
If you are using a database as backend then the freeradius2 GUI "Users" and "Client/NAS" is obsolete.I myself do not use mysql so I cannot help you much on that - that's why I posted you the links in my previous post.
–-- edit ----
When you go to freeradius --> view config --> sql.conf
there you can see the sql.conf as textfile. You can check there if the settings you made on GUI are correct and doublecheck with documentations on the internet. -
dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?
-
dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?
You need to do that with port access control on your switch.
-
thank you for your replyy
i think right now it's connecting to my phpmyadmin
Can you check the debug?$ radiusd -X FreeRADIUS Version 2.1.12, for host i386-portbld-freebsd8.1, built on Jun 19 2012 at 09:11:11 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2\. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/redis including configuration file /usr/local/etc/raddb/modules/rediswho including configuration file /usr/local/etc/raddb/modules/replicate including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/soh including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/motp including configuration file /usr/local/etc/raddb/modules/datacounter_acct including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default main { allow_core_dumps = yes } Core dumps are enabled. including dictionary file /usr/local/etc/raddb/dictionary main { name = "radiusd" prefix = "/usr/local" localstatedir = "/var" sbindir = "/usr/local/sbin" logdir = "/var/log" run_dir = "/var/run" radacctdir = "/var/log/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no msg_badpass = "" msg_goodpass = "" } security { max_attributes = 200 reject_delay = 1 status_server = no } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client deneme { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" shortname = "deneme" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_counter Module: Instantiating module "daily" from file /usr/local/etc/raddb/modules/counter counter daily { filename = "/var/log/radacct/timecounter/db.daily" key = "User-Name" reset = "daily" count-attribute = "Acct-Session-Time" counter-name = "Daily-Session-Time" check-name = "Max-Daily-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Daily-Session-Time is number 11273 rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1369526400 [2013-05-26 00:00:00] Module: Instantiating module "weekly" from file /usr/local/etc/raddb/modules/counter counter weekly { filename = "/var/log/radacct/timecounter/db.weekly" key = "User-Name" reset = "weekly" count-attribute = "Acct-Session-Time" counter-name = "Weekly-Session-Time" check-name = "Max-Weekly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Weekly-Session-Time is number 11275 rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1369526400 [2013-05-26 00:00:00] Module: Instantiating module "monthly" from file /usr/local/etc/raddb/modules/counter counter monthly { filename = "/var/log/radacct/timecounter/db.monthly" key = "User-Name" reset = "monthly" count-attribute = "Acct-Session-Time" counter-name = "Monthly-Session-Time" check-name = "Max-Monthly-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Monthly-Session-Time is number 11277 rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 1370044800 [2013-06-01 00:00:00] Module: Instantiating module "forever" from file /usr/local/etc/raddb/modules/counter counter forever { filename = "/var/log/radacct/timecounter/db.forever" key = "User-Name" reset = "never" count-attribute = "Acct-Session-Time" counter-name = "Forever-Session-Time" check-name = "Max-Forever-Session" reply-name = "Session-Timeout" cache-size = 5000 } rlm_counter: Counter attribute Forever-Session-Time is number 11279 rlm_counter: Current Time: 1369450665 [2013-05-25 02:57:45], Next reset 0 [2013-05-25 02:00:00] Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Creating Auth-Type = MOTP Module: Creating Auth-Type = digest Module: Creating Autz-Type = Status-Server Module: Creating Acct-Type = Status-Server Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes allow_retry = yes } Module: Instantiating module "motp" from file /usr/local/etc/raddb/modules/motp exec motp { wait = yes program = "/usr/local/bin/bash /usr/local/etc/raddb/scripts/otpverify.sh %{request:User-Name} %{request:User-Password} %{reply:MOTP-Init-Secret} %{reply:MOTP-PIN} %{reply:MOTP-Offset}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /usr/local/etc/raddb/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/usr/local/etc/raddb/certs" pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "whatever" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = no url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = yes } Module: Instantiating module "ntdomain" from file /usr/local/etc/raddb/modules/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = yes } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /usr/local/etc/raddb/sql.conf sql { driver = "rlm_sql_mysql" server = "192.168.1.226" port = "3306" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = yes sqltracefile = "/var/log/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id, nasname, shortname, type, secret, server FROM nas" authorize_check_query = "SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_reply_query = "SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id" authorize_group_check_query = "SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id" authorize_group_reply_query = "SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id" accounting_onoff_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = unix_timestamp('%S') - unix_timestamp(acctstarttime), acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = %{%{Acct-Delay-Time}:-0} WHERE acctstoptime IS NULL AND nasipaddress = '%{NAS-IP-Address}' AND acctstarttime <= '%S'" accounting_update_query = " UPDATE radacct SET framedipaddress = '%{Framed-IP-Address}', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_update_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctsessiontime, acctauthentic, connectinfo_start, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, servicetype, framedprotocol, framedipaddress, acctstartdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay, xascendsessionsvrkey) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', '%S', NULL, '0', '%{Acct-Authentic}', '%{Connect-Info}', '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{%{Acct-Delay-Time}:-0}', '0', '%{X-Ascend-Session-Svr-Key}')" accounting_start_query_alt = " UPDATE radacct SET acctstarttime = '%S', acctstartdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_start = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query = " UPDATE radacct SET acctstoptime = '%S', acctsessiontime = '%{Acct-Session-Time}', acctinputoctets = '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', acctoutputoctets = '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', acctterminatecause = '%{Acct-Terminate-Cause}', acctstopdelay = '%{%{Acct-Delay-Time}:-0}', connectinfo_stop = '%{Connect-Info}' WHERE acctsessionid = '%{Acct-Session-Id}' AND username = '%{SQL-User-Name}' AND nasipaddress = '%{NAS-IP-Address}'" accounting_stop_query_alt = " INSERT INTO radacct (acctsessionid, acctuniqueid, username, realm, nasipaddress, nasportid, nasporttype, acctstarttime, acctstoptime, acctsessiontime, acctauthentic, connectinfo_start, connectinfo_stop, acctinputoctets, acctoutputoctets, calledstationid, callingstationid, acctterminatecause, servicetype, framedprotocol, framedipaddress, acctstartdelay, acctstopdelay) VALUES ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}', '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}', '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{%{Acct-Session-Time}:-0} + %{%{Acct-Delay-Time}:-0}) SECOND), '%S', '%{Acct-Session-Time}', '%{Acct-Authentic}', '', '%{Connect-Info}', '%{%{Acct-Input-Gigawords}:-0}' << 32 | '%{%{Acct-Input-Octets}:-0}', '%{%{Acct-Output-Gigawords}:-0}' << 32 | '%{%{Acct-Output-Octets}:-0}', '%{Called-Station-Id}', '%{Calling-Station-Id}', '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '0', '%{%{Acct-Delay-Time}:-0}')" group_membership_query = "SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "SELECT radacctid, acctsessionid, username, nasipaddress, nasportid, framedipaddress, callingstationid, framedprotocol FROM radacct WHERE username = '%{SQL-User-Name}' AND acctstoptime IS NULL" postauth_query = "INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S')" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to radius@192.168.1.226:3306/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_mysql #0 rlm_sql_mysql: Starting connect to MySQL server for #0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_mysql #1 rlm_sql_mysql: Starting connect to MySQL server for #1 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_mysql #2 rlm_sql_mysql: Starting connect to MySQL server for #2 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_mysql #3 rlm_sql_mysql: Starting connect to MySQL server for #3 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_mysql #4 rlm_sql_mysql: Starting connect to MySQL server for #4 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_mysql: query: SELECT id, nasname, shortname, type, secret, server FROM nas rlm_sql (sql): Released sql socket id: 4 Module: Linked to module rlm_checkval Module: Instantiating module "checkval" from file /usr/local/etc/raddb/modules/checkval checkval { item-name = "Calling-Station-Id" check-name = "Calling-Station-Id" data-type = "string" notfound-reject = no } rlm_checkval: Registered name Calling-Station-Id for attribute 31 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "datacounterdaily" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterdaily { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} daily %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterweekly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterweekly { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} weekly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacountermonthly" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacountermonthly { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} monthly %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Instantiating module "datacounterforever" from file /usr/local/etc/raddb/modules/datacounter_acct exec datacounterforever { wait = yes program = "/bin/sh /usr/local/etc/raddb/scripts/datacounter_acct.sh %{request:User-Name} forever %{request:Acct-Input-Octets} %{request:Acct-Output-Octets}" input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/var/log/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking pre-proxy {...} for more modules to load Module: Instantiating module "attr_filter.pre-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.pre-proxy { attrsfile = "/usr/local/etc/raddb/attrs.pre-proxy" key = "%{Realm}" relaxed = no } Module: Checking post-proxy {...} for more modules to load Module: Instantiating module "attr_filter.post-proxy" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.post-proxy { attrsfile = "/usr/local/etc/raddb/attrs" key = "%{Realm}" relaxed = no } Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 1812 Failed binding to authentication address 127.0.0.1 port 1812: Address already in use /usr/local/etc/raddb/radiusd.conf[36]: Error binding to port for 127.0.0.1 port 1812 -
I followed this tutorial to the letter:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"
I also see this:
May 25 05:17:03 radiusd[4072]: Ready to process requests.
May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>
-
dumb question here.. I have over 30 network devices and many of them do not have the option for RADIUS authentication as they are physically connected.. for example my Smart TVs, Blu-Ray players, Setop Boxes. etc. Is there a pure MAC only based authentication option in freeRADIUS that I can implement to keep my network secured and not let anyone plug anything new to the network ports unless their MAC is in freeRADIUS database?
I have this running on PF2.0.3
Mac auth http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package#FreeRADIUS_Plain-MAC-Auth_with_Captive_Portal
each device's mac address is entered as a user name. They all get the same PW.
It's a bit of work setting it up.
IE if you have 1 or 2 wireless AP's I found the best way was to add there IP in the pass through page of CP and make a user with the mac address for all the connected devices.
You can watch the portal auth log for errors and it will show you the mac that's trying to connect. Copy and paste in a new user field.Setup time limits for users (devices) Bandwidth control counter seems to work fine in 2.0.3 with start stop in cp.
-
@surucu24
Connection to mysql seems to be ok but it looks like your listening interface is already used.
Easiest way to configure the listening interface is to create an interface for authentication (1812) and one for accounting (1813) if needed.as IP address just use * which means all interfaces. This is the best way to make sure that the basic configuration is working.
@vbman213:
I followed this tutorial to the letter:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"
I also see this:
May 25 05:17:03 radiusd[4072]: Ready to process requests.
May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>
The both syslog messages say that the configuration for the server "default" is working and the radius server is running and waiting for requests.
If radtest is working with IP addresses then radius is working. If it does not wir FQDN then something with your DNS needs to be fixed.
-
I am running a virgin installation of 2.0.3 and having this issue, even with using * as the listening interface.
I installed the package, created a user, created an interface using * as the interface, port 1812 authentication.
Then I created an client.
Running radtest testuser testpassword 127.0.0.1:1812 0 testing123 results in the "Failed to find IP address"
-
@surucu24
Connection to mysql seems to be ok but it looks like your listening interface is already used.
Easiest way to configure the listening interface is to create an interface for authentication (1812) and one for accounting (1813) if needed.as IP address just use * which means all interfaces. This is the best way to make sure that the basic configuration is working.
@vbman213:
I followed this tutorial to the letter:
http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
However, I'm seeing "radtest:: Failed to find IP address for pfSense.localdomain"
I also see this:
May 25 05:17:03 radiusd[4072]: Ready to process requests.
May 25 05:17:03 radiusd[3799]: Loaded virtual server <default>Any ideas?Edit: I found that if I add a host override in my dns forwarder, the error goes away. Is this a bug?</default>
The both syslog messages say that the configuration for the server "default" is working and the radius server is running and waiting for requests.
If radtest is working with IP addresses then radius is working. If it does not wir FQDN then something with your DNS needs to be fixed.
Okay, I just confirmed that I found a "bug" in either the package or the documentation for the package. If you only have a WAN interface defined, the tutorial in the documentation does not work.
-
Hi vbman213,
when I wrote the documentation I tested with two interfaces. I don't see actually a reason why it should be different when using just one interface so could you explain what you did different?
-
I was lab testing a freeradius deployment on a virtualbox pfsense installation. I only had one interface (WAN) configured from from the post-installation console prompts. The VM actually had two interfaces "installed" but I didn't bother to configure the LAN interface. The WAN interface was configured as a bridge to my physical lan and I just ran pfctl -d to disable the packet filter to create a wildcard rule to allow all traffic into the wan interface. At that point, I followed the tutorial provided in the wiki and received the messages that i posted earlier. After experimenting, I found that the problem involved DNS and upon adding a LAN interface, everything starting working as per the tutorial. Does this help?
-
Hmm, not sure.
Could it be a problem with NAT/PortForwarding on the WAN interface or "block bogons" or "block local IPs" on the WAN interface which could be there bei default!?
When you go to freeradius –> view config --> radiusd.conf
There you can find some "listening" sections which specify the IP and port freeradius listens to. That means that the switch or wireless-AP must be able to communicate with this IP and port.
This shouldn't make any difference if the pfsense is running with one or two interfaces nor as bridge or router. - 7 days later
-
Hi!
Please help me in resolving the below errors whenever running radiusd -X
rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql): Attempting to connect to radius@172.16.10.19:3306/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
rlm_sql_mysql: Starting connect to MySQL server for #0
rlm_sql_mysql: Couldn't connect socket to MySQL server radius@172.16.10.19:radius
rlm_sql_mysql: Mysql error 'Can't connect to MySQL server on '172.16.10.19' (60)'
rlm_sql (sql): Failed to connect DB handle #0
rlm_sql (sql): starting 1
rlm_sql (sql): starting 2
rlm_sql (sql): starting 3
rlm_sql (sql): starting 4
rlm_sql (sql): Failed to connect to any SQL server.
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
rlm_sql (sql): Ignoring unconnected handle 4..
rlm_sql (sql): Ignoring unconnected handle 3..
rlm_sql (sql): Ignoring unconnected handle 2..
rlm_sql (sql): Ignoring unconnected handle 1..
rlm_sql (sql): Ignoring unconnected handle 0..
rlm_sql (sql): There are no DB handles to use! skipped 5, tried to connect 0
Failed to load clients from SQL.
rlm_sql (sql): Closing sqlsocket 4
rlm_sql (sql): Closing sqlsocket 3
rlm_sql (sql): Closing sqlsocket 2
rlm_sql (sql): Closing sqlsocket 1
rlm_sql (sql): Closing sqlsocket 0
/usr/local/etc/raddb/sql.conf[2]: Instantiation failed for module "sql"
/usr/local/etc/raddb/sites-enabled/default[185]: Failed to load module "sql".
/usr/local/etc/raddb/sites-enabled/default[185]: Failed to parse "sql" entry.
/usr/local/etc/raddb/sites-enabled/default[69]: Errors parsing authorize sectionThanks & Regards
Harsh Kukreja
-
(warning ahead I'm not used to configuring FreeRADIUS on pfSense/GUI but rather in plain configs)
Anyway: It means that your FreeRADIUS server is trying to connect to a (likely to be) remote MySQL server (172.16.10.19) which it can't connect to.
Since you must have configured it for SQL user authentication, it can't start correctly as it can't read a valid list of users from your MySQL server.Try to fix the connection to the MySQL server or disable MySQL authentication/authorization (for test) and try to use local authentication.
Are you positive about using SQL for authentication? I only use it for RADIUS accounting and thereafter limiting concurrent access - so
that's my real-world use with (Postgre)SQL. -
Hi ,
i tried the package with otp and it work's but if client is behind server time (my mobile provider is 30 sec in the past !) i am not able to login (tested with radtest) .
worked like a charme with online mtop calculator but never with DroidOTP and "TIME OFFSET 30 or -30 "
Maybe i am doing something wrong but i do not know what.
The OTP Passcode from the mobile phone is 30 sec. later the same as the online calc did.Maybe someone can give a hint or maybe minus offset is not possible ….
regards
max
-
Hi ,
i tried the package with otp and it work's but if client is behind server time (my mobile provider is 30 sec in the past !) i am not able to login (tested with radtest) .
worked like a charme with online mtop calculator but never with DroidOTP and "TIME OFFSET 30 or -30 "
Maybe i am doing something wrong but i do not know what.
The OTP Passcode from the mobile phone is 30 sec. later the same as the online calc did.Maybe someone can give a hint or maybe minus offset is not possible ….
regards
max
Hi,
Did you calculate the Epoch-Time?
1. Write down the first 9 digits of the Epoch-Time on the client.
2. Check with date +%s the Epoch-Time on your FreeRADIUS server and write down the first 9 digits.
3. Subtract both values, multiply the result with 10 and enter the value in this field. (Default: 0)But in general it should not neccessary to change this if your mobile device changes its timezone automatically.
Further you can try increasing the "OTP Lifetime" in freeradius –> settings.
You can set it to 6 which means 60s. Even if the mobile clients always generate new keys every 30s it should be possible to use a generated key 60s instead of just 30s.The more you increase this time the more "insecure" OTP will become. Probably noone will get access with a key (without PIN) which has a lifetime of a few minutes.
---- edit ----
You are right. The script does not accept negative values. You could modify the script here:
freeradius.inc
line 4027
replace:EPOCHTIME=`expr \$EPOCHTIME + \$OFFSET`with
EPOCHTIME=`expr \$EPOCHTIME - \$OFFSET`Could be something what should be added to the GUI.
-
Hi,
yes i calc the epoch time like descript on the web interface:
(9digits (from left client time) - 9digit (from left server time)) *10 = -30date +%s = 10digits, so why the hell not taking (10digits (from left client time) - 10digits (from left server time)) = 30 ?? (or if 39 nearer 40 than 30 !!)
It's not a problem of the timezone it's a mobile provider problem; the android is 30 sec in the past.
(Is the offset 1 equal 1 hour, i hope not.)If i set the lifetime on server side higher than on the client (DroidOTP is fixed to 10 sec lifetime) than i had guess/try 6 keys maybe on is working not a good idea.
I know to solve the problem with manual set the client time but i want to find out how it work with time offset and maybe there is a bug or a wrong hint on the webinterface
regards max
–----edit----
The Gui save the Offset in the right way:/usr/pbi/freeradius-i386/etc/users
"otpuser" Auth-Type = motp
MOTP-Init-Secret = 912ae1361854139e,
MOTP-PIN = 1234,
MOTP-Offset = -30Use Freeradius teh otpverify.sh script ? If yes then there is the faulty part
OFFSET=
echo -n "$5" | sed 's/[^0-9]/0/g'
[[/sub]
-10 is then 010….
should beOFFSET=
echo -n "$5" | sed 's/[^0-9-]/0/g'but is a little be dirty could also be 1-0 …..
-
Hi,
yes i calc the epoch time like descript on the web interface:
(9digits (from left client time) - 9digit (from left server time)) *10 = -30date +%s = 10digits, so why the hell not taking (10digits (from left client time) - 10digits (from left server time)) = 30 ?? (or if 39 nearer 40 than 30 !!)
It's not a problem of the timezone it's a mobile provider problem; the android is 30 sec in the past.
(Is the offset 1 equal 1 hour, i hope not.)If i set the lifetime on server side higher than on the client (DroidOTP is fixed to 10 sec lifetime) than i had guess/try 6 keys maybe on is working not a good idea.
I know to solve the problem with manual set the client time but i want to find out how it work with time offset and maybe there is a bug or a wrong hint on the webinterface
regards max
–----edit----
The Gui save the Offset in the right way:/usr/pbi/freeradius-i386/etc/users
"otpuser" Auth-Type = motp
MOTP-Init-Secret = 912ae1361854139e,
MOTP-PIN = 1234,
MOTP-Offset = -30Use Freeradius teh otpverify.sh script ? If yes then there is the faulty part
OFFSET=
echo -n "$5" | sed 's/[^0-9]/0/g'
[[/sub]
-10 is then 010….
should beOFFSET=
echo -n "$5" | sed 's/[^0-9-]/0/g'but is a little be dirty could also be 1-0 …..
Did you read what I wrote about the part on the freeradius.inc ?
-
Yes i did.
But if i do it like you said then the offset is always minus.
In freeradius.inc
there is the same 'sed' in line 4006:OFFSET=
echo -n "\$5" | sed 's/[^0-9]/0/g'regards max
-
Yes i did.
But if i do it like you said then the offset is always minus.
In freeradius.inc
there is the same 'sed' in line 4006:OFFSET=
echo -n "\$5" | sed 's/[^0-9]/0/g'regards max
Hi max,
can you please replace the following two files and try again if it works now?
You now have to enter + 30 oder - 30
It is described on the GUI. -
Hi,
sorry for the long delay. Your scripts are not working. I did some investigation on EPOCHTIME and extend the freeradius.inc with some logs.
I found out that the Offset 1 is equal to 10 sec (not like descripted on the webif) because the use of 9 digit and not 10.
I changed only
OFFSET=echo -n "\$5" | sed 's/[^0-9-]/0/g'and add 2 logging lines
Jun 14 16:11:10 root: FreeRADIUS:Server - Client EPOCHTIME: 137121900
Jun 14 16:11:10 root: FreeRADIUS:Server EPOCHTIME: 137121905 ClientOffSet:-5 oder -5regards Max
-
Hi,
(…)
I found out that the Offset 1 is equal to 10 sec (not like descripted on the webif) because the use of 9 digit and not 10.
(...)I think you are wrong:
3. Subtract both values, multiply the result with 10 and enter the value in this field.
If your result is 2 then you need to multiply with 10 (2*10=20) and then you get the seconds.
But you are right, the script is not working. adding "+" or "-" in the freeradius users file causes problems.
At the moment I do not have an idea how to solve the problem with negatgive offset.
Perhaps starting with a negative offset of -11h as default value so that the user needs to add +11h to get the actual default offset of 0.The script is based on this:
http://motp.sourceforge.net/–-- edit ----
Ok, I changed the script to start per default with an offset of -12h. If someone is in a timezone which is -12h then the GUI value will be 0.
If someone is on timezone 0h then the GUI value must be 720.You can try with the two config files.
PS: You need to re-enable m-OTP on settings first after adding the new files so that otpverify.sh will be rubuild.
-
Hmpf - again new files. Please try these ;-)
-
Hi Nachtfalke,
i think you misunderstood me; it works with my 'patch'
i have to set offset to -5 because of 50 sec time diff (not -50 like suggest in on the webIF)see motp.sourceforge.net
Enter "date +%s" on the server to display the current time in epoch notation. Write down the first 9 digits of the output.
Subtract both values. The result is the offset in 10s of seconds, i.e. an hour would be 360, two hours 720, etc.
The offset has to be configured in the "users" file of the RADIUS server for the specific user (Offset-Attribute).sorry for my english, my german is better….
I have some idea to add more security to the radius otp: motp+yourpassword (without plus-:) would be great to have (like professional token have).
regards max
-
Hi max,
I talked to the developer of the motp script. He told me that almost nobody uses offset because most devices change their timezone automatically. Further he agreed with me that the script wasn't tested with negative offset values.
Like you told me in some older posts it looks like it is enough to change the "sed" command. I did this in this comment and it should now be available for everyone:
https://github.com/pfsense/pfsense-packages/commit/355ebce27aeb941f949f26f9c70d08150f37a7dbYour suggestion about "more" security:
The "youpassword" part is the PIN. A different PIN on the mobile device will generate a different OTP. So there is no difference between professional tokes and this. The only difference is that freeradius server does not offer a possibility for the user to change its PIN on his own.If you are using a mysql database as user store - instead of the users file - then you can code a php or HTML page which allows a user to change its PIN or his own.
But of course - if you have any suggestions and patches - please commit them. Every improvement is appreciated :)
-
Hi Nachtfalke,
thank you very much for add this in the package.
My suggestion was to extend the 'password' so it is not possible to know how long it is. I idea was to use the password field and if there is a password and otp configured use both.
If it is not possible don't worry
regards max
-
I know what you mean. I thought about that in the past but I didn't found a way to do so. The problem for me was that the variables/passwords are passing so many scripts and files and I didn't know how to realize that. This is probably more a problem of my poor coding skills than something else ;-)
Another "limitation" is that most mobile OTP generators just use the first 6 characters as password. FreeRADIUS allows to select you a higher range of used characters but then you must have a possibility on the client OTP generator to change this.
freeradius –> settings --> Token Password length
-
Hi nachtfalke,
i made some extension so i am able to handle the combination of mOtp+Userpassword. (without + :-)
It works with a cleartext + md5 password.If you want to give it a try…
Be careful you have to set the OTP length from 1-6 to only 6!!(Descript in Webif, Maybe the default setting have to adapt to 6 only)regards
-
file seems to be corrupted. 43kb is to small when including the complete freeradius.inc.
Please pay attention:
the "OTP length from 1-6" does not mean you can use 1 or 2 or 6 characters it means it uses the first until the 6th character.
if you type 10-12 it uses the 10th till 12th character of the hash which was build.
