Regression #13356

closed

RADIUS authentication attempts no longer send RADIUS NAS IP attribute

Added by Alastair Burr over 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Authentication
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version: 2.7.x
Affected Architecture: All

Description

After upgrading to pfSense Plus 22.05, the RADIUS NAS IP Attribute setting is no longer sent to the RADIUS server.

I tracked this down to the changes in commit 7c2468c510ea7da6f284a7afad7f62c6c9880717 where the attribute is read from the wrong config, e.g.
in: src/etc/inc/auth.inc

$nasip = nasip_fallback($acctcfg['radius_nasip_attribute']);

which should be:

$nasip = nasip_fallback($authcfg['radius_nasip_attribute']);

as per this link to where this was seemingly introduced: https://github.com/pfsense/pfsense/commit/7c2468c510ea7da6f284a7afad7f62c6c9880717#diff-396999417cbe304fa6006c47b6af9eac17625cbcf0bf915501f2b14e69706f99R1768

Manually modifying this file with this correction instantly resolved my issue. I suggest this is corrected for the next patch.

We use this attribute for determining the policy applied on our RADIUS server, so without this patch all RADIUS authentication failed.


Related issues

Has duplicate Bug #13379: OpenVPN RADIUS wrong NAS IP (Duplicate)
Has duplicate Bug #13528: pfSense sends wrong NAS-IP-Address to RADIUS server (Duplicate)

#1

Updated by Marcos M over 2 years ago

I'm curious what those contain - you can dump them to the system log by adding:

log_error(print_r($acctcfg, true));
log_error(print_r($authcfg, true));

#2

Updated by Alastair Burr over 2 years ago

As requested, I added in the following (to ensure I could see the separation):

log_error("acctcfg contents");
log_error(print_r($acctcfg, true));
log_error("authcfg contents");
log_error(print_r($authcfg, true));

which output the following:

Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: acctcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php:
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: authcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: Array
Jul 14 17:48:29 victory openvpn[98003]: (
Jul 14 17:48:29 victory openvpn[98003]:     [refid] => 5b39f34604613
Jul 14 17:48:29 victory openvpn[98003]:     [type] => radius
Jul 14 17:48:29 victory openvpn[98003]:     [name] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]:     [radius_protocol] => MSCHAPv2
Jul 14 17:48:29 victory openvpn[98003]:     [host] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]:     [radius_secret] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]:     [radius_timeout] => 5
Jul 14 17:48:29 victory openvpn[98003]:     [radius_auth_port] => 1812
Jul 14 17:48:29 victory openvpn[98003]:     [radius_acct_port] => 1813
Jul 14 17:48:29 victory openvpn[98003]:     [radius_nasip_attribute] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: )

So it looks like $acctcfg was completely empty, and for info there were no references to $acctcfg at all in the auth.inc except the one line which I changed as above.

#3

Updated by Marcos M over 2 years ago

  • Status changed from New to Pull Request Review
  • Assignee set to Marcos M
  • Target version set to 2.7.0
  • Plus Target Version set to 22.11
#4

Updated by Marcos M over 2 years ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100
#5

Updated by Danilo Zrenjanin over 2 years ago

  • Status changed from Feedback to Resolved

Tested:

2.7.0-DEVELOPMENT (amd64)
built on Thu Jul 21 06:14:01 UTC 2022
FreeBSD 12.3-STABLE

It works fine. I am marking this ticket as resolved.
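
A server-side check for the symptom reported in this ticket and its duplicates, added here as an example (it is not pfSense code and not from any participant in the thread): it parses a RADIUS Access-Request per RFC 2865 and reports whether NAS-IP-Address (attribute type 4) is missing, differs from the expected value, or matches. The packets, user name and documentation-range addresses are constructed sample data.

```python
import ipaddress
import struct

ACCESS_REQUEST = 1   # RADIUS packet code (RFC 2865)
NAS_IP_ADDRESS = 4   # attribute type; value is a 4-byte IPv4 address

def radius_attributes(packet: bytes):
    """Yield (type, value) for every attribute in a RADIUS packet."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("bad or truncated RADIUS header")
    pos = 20  # code + id + length + 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def nas_ip_status(packet: bytes, expected: str) -> str:
    """Classify an Access-Request as 'ok', 'missing' or 'mismatch:<ip>'."""
    if packet[:1] != bytes([ACCESS_REQUEST]):
        raise ValueError("not an Access-Request")
    for atype, value in radius_attributes(packet):
        if atype == NAS_IP_ADDRESS:
            if len(value) != 4:
                raise ValueError("NAS-IP-Address must be 4 bytes")
            sent = str(ipaddress.IPv4Address(value))
            return "ok" if sent == expected else "mismatch:" + sent
    return "missing"

def build_request(attrs) -> bytes:
    """Constructed sample data: Access-Request with an all-zero authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

USER = (1, b"alice")  # User-Name attribute, constructed
SAMPLES = {           # constructed packets using documentation addresses
    "no attribute": build_request([USER]),
    "other address": build_request([USER, (NAS_IP_ADDRESS, bytes([198, 51, 100, 7]))]),
    "configured address": build_request([USER, (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, "->", nas_ip_status(pkt, "192.0.2.10"))
```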

#6

Updated by Marcos M over 2 years ago

  • Has duplicate Bug #13379: OpenVPN RADIUS wrong NAS IP added
#7

Updated by Marcos M about 2 years ago

  • Has duplicate Bug #13528: pfSense sends wrong NAS-IP-Address to RADIUS server added
#8

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
#9

Updated by Jim Pingle about 2 years ago

  • Tracker changed from Bug to Regression
  • Subject changed from RADIUS NAS IP Attribute no longer sent due to attribute read from wrong config in auth.inc to RADIUS authentication attempts no longer send RADIUS NAS IP attribute

Updating subject for release notes.
