Regression #13356
closed
RADIUS authentication attempts no longer send RADIUS NAS IP attribute
100%
Description
After upgrading to pfSense Plus 22.05, the RADIUS NAS IP Attribute setting is no longer sent to the RADIUS server.
I tracked this down to the changes in commit 7c2468c510ea7da6f284a7afad7f62c6c9880717 where the attribute is read from the wrong config, e.g.
in: src/etc/inc/auth.inc
$nasip = nasip_fallback($acctcfg['radius_nasip_attribute']);
which should be:
$nasip = nasip_fallback($authcfg['radius_nasip_attribute']);
as per this link to where this was seemingly introduced: https://github.com/pfsense/pfsense/commit/7c2468c510ea7da6f284a7afad7f62c6c9880717#diff-396999417cbe304fa6006c47b6af9eac17625cbcf0bf915501f2b14e69706f99R1768
Manually modifying this file with this correction instantly resolved my issue. I suggest this is corrected for the next patch.
We use this attribute for determining the policy applied on our RADIUS server, so without this patch all RADIUS authentication failed.
Related issues
Updated by Marcos M over 2 years ago
I'm curious what those contain - you can dump them to the system log by adding:
log_error(print_r($acctcfg, true));
log_error(print_r($authcfg, true));
Updated by Alastair Burr over 2 years ago
As requested, I added in the following (to ensure I could see the separation):
log_error("acctcfg contents");
log_error(print_r($acctcfg, true));
log_error("authcfg contents");
log_error(print_r($authcfg, true));
which output the following:
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: acctcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php:
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: authcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: Array
Jul 14 17:48:29 victory openvpn[98003]: (
Jul 14 17:48:29 victory openvpn[98003]: [refid] => 5b39f34604613
Jul 14 17:48:29 victory openvpn[98003]: [type] => radius
Jul 14 17:48:29 victory openvpn[98003]: [name] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_protocol] => MSCHAPv2
Jul 14 17:48:29 victory openvpn[98003]: [host] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_secret] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_timeout] => 5
Jul 14 17:48:29 victory openvpn[98003]: [radius_auth_port] => 1812
Jul 14 17:48:29 victory openvpn[98003]: [radius_acct_port] => 1813
Jul 14 17:48:29 victory openvpn[98003]: [radius_nasip_attribute] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: )
So it looks like $acctcfg was completely empty, and for info there were no references to $acctcfg at all in the auth.inc except the one line which I changed as above.
Updated by Marcos M over 2 years ago
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version set to 2.7.0
- Plus Target Version set to 22.11
Thank you for looking into it!
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/834
Updated by Marcos M over 2 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset d7be34a7d766b06e13272a5b1904dba9f532e4cc.
Updated by Danilo Zrenjanin over 2 years ago
- Status changed from Feedback to Resolved
Tested:
2.7.0-DEVELOPMENT (amd64) built on Thu Jul 21 06:14:01 UTC 2022 FreeBSD 12.3-STABLE
It works fine. I am marking this ticket as resolved.
Updated by Marcos M over 2 years ago
- Has duplicate Bug #13379: OpenVPN RADIUS wrong NAS IP added
Updated by Marcos M about 2 years ago
- Has duplicate Bug #13528: pfSense sends wrong NAS-IP-Address to RADIUS server added
Updated by Jim Pingle about 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle almost 2 years ago
- Tracker changed from Bug to Regression
- Subject changed from RADIUS NAS IP Attribute no longer sent due to attribute read from wrong config in auth.inc to RADIUS authentication attempts no longer send RADIUS NAS IP attribute
Updating subject for release notes.