Bug #10197
closed
freeRADIUS virtual-server-default: modules daily, weekly, monthly, forever in authorize section prevent virtual server from loading
100%
Description
When using freeRADIUS 3 package with mysql enabled for accounting only and using pfsense gui for users/authorization, the generated virtual-server-default file (/usr/local/etc/raddb/sites-enabled/default) authorize section looks like:
authorize {
# filter_username
# filter_password
preprocess
# operator-name
# cui
##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####
# auth_log
chap
mschap
digest
# wimax
# IPASS
suffix
ntdomain
eap {
ok = return
# updated = return
}
# unix
files
### sql DISABLED ###
daily
weekly
monthly
forever
# smbpasswd
### ldap ###
# Formerly checkval
if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
ok
}
expiration
logintime
pap
Autz-Type Status-Server {
}
}
I believe since I am not using mysql for authorization, the daily, weekly, monthly, and forever modules are failing to load and causing the virtual server to fail to load. Relevant system log lines:
Jan 22 00:05:00 radiusd 16279 Failed to load virtual server default
Jan 22 00:05:00 radiusd 16279 /usr/local/etc/raddb/sites-enabled/default[24]: Errors parsing authorize section.
Jan 22 00:05:00 radiusd 16279 /usr/local/etc/raddb/sites-enabled/default[46]: Please verify that the configuration exists in /usr/local/etc/raddb/mods-enabled/daily.
Jan 22 00:05:00 radiusd 16279 /usr/local/etc/raddb/sites-enabled/default[46]: Failed to find "daily" as a module or policy.
Manually changing the authorize section in /usr/local/etc/raddb/sites-enabled/default as below fixes the problem (the modules are ignored and everything seems to work):
authorize {
..............
### sql DISABLED ###
-daily
-weekly
-monthly
-forever
# smbpasswd
### ldap ###
...............
}
I believe prepending the '-' causing the modules to only be loaded if they are configured. This should probably be how they are generated by the webconfigurator.
Thanks in advance for looking into this, you all do amazing work!
Related issues
Updated by Viktor Gurov about 4 years ago
That's correct, see https://fossies.org/linux/freeradius-server/raddb/mods-available/README.rst:
_Conditional Modules
Version 3 allows modules to be conditionally loaded. This is useful when you want to have a virtual server which references a module, but does not require it. Instead of editing the virtual server file, you can just conditionally enable the module.
Modules are conditionally enabled by adding a "-" before their name in a virtual server._
Updated by Jim Pingle about 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho about 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov about 4 years ago
- Status changed from Feedback to Resolved
tested on 2.4.5.a.20200124.0853 with freeradius3 0.15.7_10
works as expected
Updated by Viktor Gurov about 2 years ago
- Related to Bug #12742: freeRADIUS virtual-server-default: modules dailycounter, monthlycounter, noresetcounter, expire_on_login in authorize section prevent virtual server from loading added