Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NEW Package: freeRADIUS 2.x

    Scheduled Pinned Locked Moved pfSense Packages
    628 Posts 80 Posters 924.3k Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      Nachtfalke
      last edited by

      you need to run freeradius in debug mode to get all output of errors and warnings.
      Did you try tu run freeradius with this command:

      radiusd -X
      

      Please make sure you killed the running radiusd process before starting again in debug mode.

      1 Reply Last reply Reply Quote 0
      • 2 Offline
        2devnull
        last edited by

        yes, did radiusd -X and radiusd -XX

        1 Reply Last reply Reply Quote 0
        • Q Offline
          qbik
          last edited by

          Hi,
          I have installed this package with MySQL on the same server and is working ok. I need to run a php script to reconnect users if the server restarts, if I execute it manually it work, but I want to run it on sratup after Radius and Mysql have start, where in /usr/local/pkg/freeradius.inc would a call to the function go?

          Thanks for your help

          1 Reply Last reply Reply Quote 0
          • N Offline
            Nachtfalke
            last edited by

            Unfortunately there are many places and situation when freeradius needs to restart the service so that changes will take effect. So in general freeradius restarts everywhere where this line can be found:

            restart_service('radiusd')
            

            On line 1292 the ySQL configuration of freeradius will be loaded and freeradius restarted.

            Perhaps doing a cron job which runs periodically and executes your script can do the job? Not sure what you script does and if it hurts if it runs every minute or so.

            1 Reply Last reply Reply Quote 0
            • Q Offline
              qbik
              last edited by

              Thanks for the info Nachtfalke. Basically what I need to do is not to stop the accounting of users connected via the captive portal so that when a reboot occurs users do not have to reauthenticate. I have disabled the accounting stop and when rebooted freeradius just continues to count for some seconds, but the problem is that the firewall rules were not created and therefore the user goes back to blocked by the oprtal. I don't know if my best bet is no rewrite the captiveportal db from mysql and then restart accounting for those users or some other way.

              Now if I call my function on line 1292 I get error:

              
              radiusd[20265]: rlm_sql_mysql: Couldn't connect socket to MySQL server rednet@localhost:radius
              radiusd[20265]: rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)'
              
              

              Thanks for your help.

              1 Reply Last reply Reply Quote 0
              • K Offline
                klokslag
                last edited by

                Hi all,

                I read the entire topic, because i wanna use Freeradius to authenticate against AD.
                In the topic there are suggestions to make it possible via the gui.

                My question is. Is it now possible to authencate against AD without the tweaking?
                Or do i have to use the tutorial from MatSim (Nachtfalke, marcelloc)

                Thanx in advance.

                1 Reply Last reply Reply Quote 0
                • N Offline
                  Nachtfalke
                  last edited by

                  @klokslag:

                  Hi all,

                  I read the entire topic, because i wanna use Freeradius to authenticate against AD.
                  In the topic there are suggestions to make it possible via the gui.

                  My question is. Is it now possible to authencate against AD without the tweaking?
                  Or do i have to use the tutorial from MatSim (Nachtfalke, marcelloc)

                  Thanx in advance.

                  Unfortunately my last info is that it does not work without any tweaks and only with GUI.
                  I do not know which topic/tutorial you mean but probably it is the correct one ;-)

                  1 Reply Last reply Reply Quote 0
                  • K Offline
                    klokslag
                    last edited by

                    @Nachtfalke:

                    Unfortunately my last info is that it does not work without any tweaks and only with GUI.
                    I do not know which topic/tutorial you mean but probably it is the correct one ;-)

                    NachtFalke,

                    Thanx for your reply. I meant the post of MatSim in this topic.
                    I hope still that in the near feature someone can make the solution.
                    I can be probely help with testing:)
                    At this moment I will try MatSim his tutorial.

                    @MatSim:

                    I have shortened and rewritten what I took out of the FreeRADIUS beginners guide and put that in a Google doc to check if I am on the wrong way.  This is a very much WiP and also a temporary place:
                    https://docs.google.com/document/d/1i536CfITm478tAddzoxSLrjl9KcEqGGA-F_LG9Iwy6A/edit
                    With ntlm_auth it's possible to add a AD group requirement haven't tried that yet.

                    I'd also agree with marcelloc that it's not the best idea to pull in Samba automatically by freeradius since it's only needed when ntlm_auth comes into the game.

                    P.S: Nifty idea I came across - any plans to support virtual servers on pfSense with freeradius instead of default sites-enabled/default?

                    1 Reply Last reply Reply Quote 0
                    • R Offline
                      rbackes
                      last edited by

                      Hi Nachtfalke,

                      would it be possible for you to compile a radius version with eDIr Support? Just add the WITH_eDIR Option when compiling.

                      Thanks

                      Rainer

                      1 Reply Last reply Reply Quote 0
                      • N Offline
                        Nachtfalke
                        last edited by

                        @rbackes:

                        Hi Nachtfalke,

                        would it be possible for you to compile a radius version with eDIr Support? Just add the WITH_eDIR Option when compiling.

                        Thanks

                        Rainer

                        Hallo Rainer,

                        unfortunately I was never familar with these compile option syntax on pfsense github. There were always other people who added these parameters (for me)  :P. So if you are more familar with that then just add your option to these two files on github:

                        https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.8.xml
                        https://github.com/pfsense/pfsense-packages/blob/master/pkg_config.8.xml.amd64

                        Then contact a moderator - as far as I know jimp could be the right person - to compile a new freeradius package.

                        PS: I cannot do any tests on this package anymore nor can I add further features because I left my old company and the new one is not really open for open source products so probably no pfsense for me anymore the next time  :-\

                        So if anybody else likes to maintain this package please feel free to do so!

                        Good luck!

                        1 Reply Last reply Reply Quote 0
                        • C Offline
                          cheonne
                          last edited by

                          freeradius 3 is available.
                          hopefully someone will continue this package.

                          1 Reply Last reply Reply Quote 0
                          • M Offline
                            michaelschefczyk
                            last edited by

                            Dear Package Developers & Experts,

                            please consider, if the settings unter "EAP" and then "CERTIFICATES FOR TLS" do work as intended in the freeradius2, 2.1.12_1/2.2.4 pkg v. 1.6.7_3 package. My aim is to use EAP-TLS.

                            The settings suggest that one can choose between the FreeRADIUS Cert-Manager (not recommended) and Firewall Cert-Manager (recommended). To use the recommended variant, one has to check the box in "Choose Cert-Manager". As indicated, the Firewall Cert-Manager generates certificates with no private key passwords. Correspondingly, the instructions on "Private Key Password" are "… The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty.". However, the eap.conf file - as far as I can tell - always contains either the password that one does actively enter into the field or the default password (private_key_password = whatever). I think that a configuration with an empty password cannot be generated. With a private_key_password set to anything or "whatever" or at least not nothing at all, the configuration does not seem to work with keyless certificates of the Firewall Cert-Manager. What happens if it does not work is described in more detail under https://forum.pfsense.org/index.php?topic=78684.msg429199#msg429199.

                            Regards,

                            Michael Schefczyk

                            1 Reply Last reply Reply Quote 0
                            • N Offline
                              Nachtfalke
                              last edited by

                              Hi,

                              try to modify the line 899 from this:

                              $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'whatever');
                              

                              to this:

                              $vareapconfprivatekeypassword = ($eapconf['vareapconfprivatekeypassword']?$eapconf['vareapconfprivatekeypassword']:'');
                              

                              Then try again with an empty field on the freeradius EAP GUI.
                              If it works - consider making a change on github.

                              1 Reply Last reply Reply Quote 0
                              • M Offline
                                michaelschefczyk
                                last edited by

                                Dear Nachtfalke,

                                Thank you very much! I am generally able to edit files on the pfSense server using Diagnostics->edit file or via ssh. I can also see the freeradius.inc-file on github. However, I lack the skills required to connect both sides. In particular, I did have a hard time locating the file to be edited on the pfsense server, if this is what you imply. I assume that it may be in /user/pbi/freeradius-amd64, however, there is a large directory structure with many files there. Could you plese tell me where to find the file in question?

                                Regards,

                                Michael Schefczyk

                                1 Reply Last reply Reply Quote 0
                                • A Offline
                                  athurdent
                                  last edited by

                                  Hi Nachtfalke,

                                  do you have plans to make freeradius2 work on 2.2? Sadly it still refuses to start with the following output, I just updated my system to the latest Alpha release.

                                  Jul 8 11:18:27	root: /usr/pbi/freeradius-amd64/etc/rc.d/radiusd: WARNING: /usr/local/etc/raddb is not a directory.
                                  Jul 8 11:18:27	root: /usr/pbi/freeradius-amd64/etc/rc.d/radiusd: WARNING: failed precmd routine for radiusd
                                  
                                  1 Reply Last reply Reply Quote 0
                                  • N Offline
                                    Nachtfalke
                                    last edited by

                                    @michaelschefczyk

                                    You can go to shell a do a search for the files you are looking for like this:

                                    
                                    find / -iname "*freeradius*"
                                    
                                    

                                    This shows you all files which contain "freeradius" within with any letters before or behind.
                                    The file you are looking for is "freeradius.inc" You will find this file here:

                                    
                                    /usr/local/pkg/
                                    
                                    

                                    @athurdent
                                    I left my old company more than 6 months ago and the new company does not use pfsense nor are there plans to do so  :(
                                    So I personally will not do any changes on this package anymore but everyone who is able to do so and has time please feel free to do it!

                                    I only built this package in the past because I needed it and I had the hardware to test all or most of these features in my environment.

                                    1 Reply Last reply Reply Quote 0
                                    • M Offline
                                      michaelschefczyk
                                      last edited by

                                      Dear Nachtfalke, dear all,

                                      It turns out that a change in freeradius.inc is not required to solve the underlying problem.

                                      The real cause is that the CRL does not work, when using the pfsense cert manager with freeradius. The CRL stays – unlike all my other CRLs on the machine – marked as not in use (“NO” in the “In Use” column) while selected in the freeradius package. This does not depend on the CRL beeing empty or containing at least one certificate. If one selects “none” for “SSL Revocation List”, things (including advanced features, such as VLAN ID assignment per user) do work, albeit without a CRL.

                                      Beyond that, I did notice the following issues with EAP-TLS – comments would be appreciated a lot:

                                      • The end user device connecting needs to provide an identity which is equivalent to the client certificate CN and the freeradius user name. The identity can be typed in at most end user devices, e.g, Android. Other identities cannot be spoofed, I think. But without the identity (i.e., if the user leaves it blank), the items listed for the user (e.g., VLAN ID) will not apply. Hence, if certain VLANs are giving escalated rights, they should not be made the default VLAN. Given the issues below, if one seriously wants to use the items specified per user, one will probably need to assign a mute VLAN as default to avoid the user getting access without specifying the identity – not an elegant solution.

                                      • Without a CRL it is difficult to block users, once they are in possession of a certificate. It seems that only user settings can prevent a user from being authenticated. That is problematic given the previous comment. I had no luck adding “DEFAULT Auth-Type = Reject” to the “Additional RADIUS Attributes on the TOP” field or similar attempts.

                                      • Assuming that the end user has control of the certificate, i.e., he has the file and knows the install password, if applicable, it would be nice to be able to limit the certificate / user to a set of devices identified by MAC addresses. Limiting a user to one device works by adding “Calling-Station-Id := AA-BB-CC-DD-EE-FF” to “Additional RADIUS Attributes (CHECK-ITEM)”. What I did not manage is to specify a set of IPs permissible either for an individual user or for all users at large.

                                      I would like to thank Nachtfalke very much for his contributions. I hope that the package freeradius will not disappear in future versions of pfsense despite Nachtfalke’s departure from the package!

                                      Regards,

                                      Michael Schefczyk

                                      1 Reply Last reply Reply Quote 0
                                      • K Offline
                                        kallegr
                                        last edited by

                                        Now, one year later: Is Active Directory Authentication working via GUI-Configuration out of the box?

                                        or do i still need to install a selfcompiled samba package and tweak?

                                        @Nachtfalke:

                                        @klokslag:

                                        Hi all,

                                        I read the entire topic, because i wanna use Freeradius to authenticate against AD.
                                        In the topic there are suggestions to make it possible via the gui.

                                        My question is. Is it now possible to authencate against AD without the tweaking?
                                        Or do i have to use the tutorial from MatSim (Nachtfalke, marcelloc)

                                        Thanx in advance.

                                        Unfortunately my last info is that it does not work without any tweaks and only with GUI.
                                        I do not know which topic/tutorial you mean but probably it is the correct one ;-)

                                        1 Reply Last reply Reply Quote 0
                                        • U Offline
                                          unixaccent
                                          last edited by

                                          Hi zlyzwy;
                                          Hi Nachtfalke;
                                          Hi Everyone;
                                          Your conversation on the following thread makes my learning curve easier.
                                          https://forum.pfsense.org/index.php?topic=43675.msg235475#msg235475
                                          I want to thank you both for this.
                                          I hope I am not asking too much. I have a question about how to setup sqlcounter in reference to zlyzwy and if I understand it right, the setup is "pfsense+freeradius" + "external databse." Its like after connecting "pfsense+freeradius" to "external database", all accounting stuffs will be logged to the "radacct" table of the external database. I wonder how to setup the counter in pfsense box and how does pfsense send a "disconnect message" if a user has reached a quota like the "download size" in a day or "maximum session" in a day.
                                          Regards;

                                          1 Reply Last reply Reply Quote 0
                                          • J Offline
                                            jetberrocal
                                            last edited by

                                            @Nachtfalke:

                                            Updates pkg v1.4.3:

                                            • Added: GUI to configure FreeRADIUS2 with LDAP. This will only work if we can use the new binaries.

                                            • Updated: FreeRADIUS 2.x package documentation on http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package

                                            Reference Version: pfsense 2.1.5 Freeradius 2.2.5_3 pkg v1.6.11

                                            I think there is a misunderstanding on LDAP Authorization and Authentication.  When I uncheck "Enable LDAP For Authorization", the General Configuration fields are disabled and emptied.  Without this values the Authentication does not know how to connect to LDAP, so it fails.  The way is working in my reference Version, you have to Authorize to be able to Authenticate, and that is not correct for all the cases.

                                            I had to modify manually the sites-enable file in order to disable LDAP Authorize for my configuration to work correctly.  If you want, follow the freeradius user mailing list for the detail in my situation.

                                            http://freeradius.1045715.n5.nabble.com/Authenticating-users-on-LDAP-based-on-Group-name-td5732701i20.html

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.