Bug #10197

freeRADIUS virtual-server-default: modules daily, weekly, monthly, forever in authorize section prevent virtual server from loading

Added by Michael Lazernik 29 days ago. Updated 26 days ago.

Status: Resolved
Priority: Normal
Category: FreeRADIUS
Target version: -
Start date: 01/22/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture: All

Description

When using freeRADIUS 3 package with mysql enabled for accounting only and using pfsense gui for users/authorization, the generated virtual-server-default file (/usr/local/etc/raddb/sites-enabled/default) authorize section looks like:

authorize {
#    filter_username
#    filter_password
    preprocess
#    operator-name
#    cui
##### AUTHORIZE FOR PLAIN MAC-AUTH IS DISABLED #####
#    auth_log
    chap
    mschap
    digest
#    wimax
#    IPASS
    suffix
    ntdomain
    eap {
        ok = return
#        updated = return
    }
#    unix
    files
    ### sql DISABLED ###
    daily
    weekly
    monthly
    forever
#    smbpasswd
### ldap ###
    # Formerly checkval
    if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
        ok
    }
    expiration
    logintime
    pap
    Autz-Type Status-Server {

    }
}

I believe since I am not using mysql for authorization, the daily, weekly, monthly, and forever modules are failing to load and causing the virtual server to fail to load. Relevant system log lines:
Jan 22 00:05:00    radiusd    16279    Failed to load virtual server default
Jan 22 00:05:00    radiusd    16279    /usr/local/etc/raddb/sites-enabled/default[24]: Errors parsing authorize section.
Jan 22 00:05:00    radiusd    16279    /usr/local/etc/raddb/sites-enabled/default[46]: Please verify that the configuration exists in /usr/local/etc/raddb/mods-enabled/daily.
Jan 22 00:05:00    radiusd    16279    /usr/local/etc/raddb/sites-enabled/default[46]: Failed to find "daily" as a module or policy.

Manually changing the authorize section in /usr/local/etc/raddb/sites-enabled/default as below fixes the problem (the modules are ignored and everything seems to work):
authorize {
..............
    ### sql DISABLED ###
    -daily
    -weekly
    -monthly
    -forever
#    smbpasswd
### ldap ###
...............
}

I believe prepending the '-' causes the modules to only be loaded if they are configured. This should probably be how they are generated by the webconfigurator.

Thanks in advance for looking into this, you all do amazing work!

History

#1 Updated by Viktor Gurov 28 days ago

That's correct, see https://fossies.org/linux/freeradius-server/raddb/mods-available/README.rst:

Conditional Modules

Version 3 allows modules to be conditionally loaded. This is useful when you want to have a virtual server which references a module, but does not require it. Instead of editing the virtual server file, you can just conditionally enable the module.

Modules are conditionally enabled by adding a "-" before their name in a virtual server.

fix: https://github.com/pfsense/FreeBSD-ports/pull/753
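A pre-flight check for the failure discussed in this ticket, as an added example that is not part of the original report or of the pfSense package: it lists required (unprefixed) module references in an authorize section that have no enabled module, and rewrites them with the "-" prefix. The function names and the sample are constructed for illustration; the set of enabled names is assumed to be supplied by the caller (for example from the file names in mods-enabled), which is a simplification because a module instance can be declared in a file with a different name.

```python
import re

# unlang keywords, return codes and section names: never module references
KEYWORDS = {"authorize", "authenticate", "preacct", "accounting", "session",
            "post-auth", "if", "elsif", "else", "update", "switch", "case",
            "group", "redundant", "load-balance", "foreach", "return",
            "ok", "noop", "reject", "fail", "handled", "invalid",
            "userlock", "notfound", "updated"}

# Constructed sample modelled on the authorize section quoted in the report.
SAMPLE = """\
authorize {
    preprocess
    eap {
        ok = return
    }
    files
    ### sql DISABLED ###
    daily
    weekly
    -monthly
    if (&request:Calling-Station-Id == &control:Calling-Station-Id) {
        ok
    }
    pap
}
"""

def module_refs(section):
    """Yield (line_no, name, optional) for each bare module reference."""
    for no, raw in enumerate(section.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"(-?)([A-Za-z_][\w.-]*)\s*\{?", line)
        if m and m.group(2) not in KEYWORDS:
            yield no, m.group(2), m.group(1) == "-"

def unresolved(section, enabled):
    """Required (no '-') references that no enabled module or policy satisfies."""
    return [(no, name) for no, name, optional in module_refs(section)
            if not optional and name not in enabled]

def make_optional(section, names):
    """Prefix the given bare references with '-' so they load conditionally."""
    alt = "|".join(map(re.escape, names))
    return re.sub(r"^([ \t]*)(%s)([ \t]*)$" % alt, r"\1-\2\3", section, flags=re.M)
```

The line numbers returned by `unresolved` are relative to the text passed in, so they match the `default[NN]` numbers in the radiusd log only when the whole file is supplied.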

#2 Updated by Jim Pingle 27 days ago

  • Status changed from New to Pull Request Review

#3 Updated by Renato Botelho 27 days ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4 Updated by Viktor Gurov 26 days ago

  • Status changed from Feedback to Resolved

tested on 2.4.5.a.20200124.0853 with freeradius3 0.15.7_10

works as expected
