Regression #13356
closed
RADIUS authentication attempts no longer send RADIUS NAS IP attribute
Added by Alastair Burr over 2 years ago.
Updated almost 2 years ago.
Plus Target Version:
23.01
Affected Architecture:
All
Description
After upgrading to pfSense Plus 22.05, the RADIUS NAS IP Attribute setting is no longer sent to the RADIUS server.
I tracked this down to the changes in commit 7c2468c510ea7da6f284a7afad7f62c6c9880717 where the attribute is read from the wrong config, e.g.
in: src/etc/inc/auth.inc
$nasip = nasip_fallback($acctcfg['radius_nasip_attribute']);
which should be:
$nasip = nasip_fallback($authcfg['radius_nasip_attribute']);
as per this link to where this was seemingly introduced:
https://github.com/pfsense/pfsense/commit/7c2468c510ea7da6f284a7afad7f62c6c9880717#diff-396999417cbe304fa6006c47b6af9eac17625cbcf0bf915501f2b14e69706f99R1768
Manually modifying this file with this correction instantly resolved my issue. I suggest this is corrected for the next patch.
We use this attribute for determining the policy applied on our RADIUS server, so without this patch all RADIUS authentication failed.
I'm curious what those contain - you can dump them to the system log by adding:
log_error(print_r($acctcfg, true));
log_error(print_r($authcfg, true));
As requested, I added in the following (to ensure I could see the separation):
log_error("acctcfg contents");
log_error(print_r($acctcfg, true));
log_error("authcfg contents");
log_error(print_r($authcfg, true));
which output the following:
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: acctcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php:
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: authcfg contents
Jul 14 17:48:29 victory openvpn[98003]: openvpn.auth-user.php: Array
Jul 14 17:48:29 victory openvpn[98003]: (
Jul 14 17:48:29 victory openvpn[98003]: [refid] => 5b39f34604613
Jul 14 17:48:29 victory openvpn[98003]: [type] => radius
Jul 14 17:48:29 victory openvpn[98003]: [name] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_protocol] => MSCHAPv2
Jul 14 17:48:29 victory openvpn[98003]: [host] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_secret] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: [radius_timeout] => 5
Jul 14 17:48:29 victory openvpn[98003]: [radius_auth_port] => 1812
Jul 14 17:48:29 victory openvpn[98003]: [radius_acct_port] => 1813
Jul 14 17:48:29 victory openvpn[98003]: [radius_nasip_attribute] => <REDACTED>
Jul 14 17:48:29 victory openvpn[98003]: )
So it looks like $acctcfg was completely empty, and for info there were no references to $acctcfg at all in the auth.inc except the one line which I changed as above.
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version set to 2.7.0
- Plus Target Version set to 22.11
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
- Status changed from Feedback to Resolved
Tested:
2.7.0-DEVELOPMENT (amd64)
built on Thu Jul 21 06:14:01 UTC 2022
FreeBSD 12.3-STABLE
It works fine. I am marking this ticket as resolved.
- Has duplicate Bug #13379: OpenVPN RADIUS wrong NAS IP added
- Has duplicate Bug #13528: pfSense sends wrong NAS-IP-Address to RADIUS server added
- Plus Target Version changed from 22.11 to 23.01
- Tracker changed from Bug to Regression
- Subject changed from RADIUS NAS IP Attribute no longer sent due to attribute read from wrong config in auth.inc to RADIUS authentication attempts no longer send RADIUS NAS IP attribute
Updating subject for release notes.