Bug #11802

open

FreeRADIUS sync

Added by Michael Schefczyk about 3 years ago. Updated 7 months ago.

Status: New
Priority: Normal
Assignee: -
Category: FreeRADIUS
Target version: -
Start date: 04/12/2021
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

freeradius3 0.15.7_30 seems to have changed the XMLRPC Sync behavior in a recent update. This leads to the issue that - unlike before - interface configuration is now included in the sync with no way to disable that. If one uses Sync to align users across locations, this is not helpful, because the interface IPs in the secondary location(s) will be different. In addition, it seems that the settings under EAP -> Certificates for TLS are no longer synced correctly. Whenever I change a user in the primary location, I now - unlike before - need to manually restate the interfaces and the certificate information in the secondary location. It would be great if syncing the interface IP configuration was optional and if certificate information was just left intact.

Actions #1

Updated by Cullen Trey about 3 years ago

Hello,

As an idea to solve the different wishes of pfSense users, one could make the sections configurable per sync IP.

Sync in FreeRADIUS has at least these two use cases:

1. Sync everything to the second HA pfSense node (mode now in 0.15.7_30)
2. Sync users to every pfSense router in our company network (mode before 0.15.7_30, because only users and clients were synced)

In order to solve all the issues, why not specify per sync IP what is synced? Like

- All
- Users
- Clients
- Users + Clients
- …

I would only need the options All and Users.

Actions #2

Updated by Alex Viper_Rus 8 months ago

The problem is relevant. It is impossible to use synchronization: the configuration of certificates on recipient nodes is constantly lost.

Actions #3

Updated by Yury Zaytsev 7 months ago

We're also hit by the same issue after a pfSense upgrade, and that's pretty annoying. Our certificate configs are getting consistently busted. Please do implement exclusion of certificate settings from the sync. With interfaces, at least, we are able to add them all on the main router. Each certificate is proper to a single router though, so syncing those only makes sense in a very special setting (on hot standby).

Actions #4

Updated by Ansley Barnes 7 months ago

A checkbox list like the one under the system's High Availability setup interface would be ideal. This behavior change put a big project we were working on on hold.
