Regression #13628

closed

pfSense - Feature #13446: Upgrade PHP from 7.4 to 8.1

FreeRADIUS Users cleared out each time a user is added, removed, or modified

Added by Gerke Max Preussner 3 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: FreeRADIUS
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Affected Version: 2.7.0
Affected Plus Version: 23.01
Affected Architecture: All

Description

After upgrading from Stable to Development I noticed that my RADIUS authentication was broken. I'm using a very basic setup with users being stored locally in a file and PAP; no SQL, LDAP, or VPN. The only complication is that I have a few VLANs.

I troubleshooted the problem for a while and found the following:

  • Each time a user is added, removed, or modified via Services > FreeRADIUS > Users, the /usr/local/etc/raddb/mods-config/files/authorize file is cleared and not repopulated
  • When a user is attempting a login, radiusd cannot find the last good known password, because there are no users in the local database; it doesn't set Auth-Type, and the login fails in post-auth
  • Naturally, tests via Diagnostics > Authentication also fail, and pfSense web admin logins fail and fall back to the local database
  • If I manually add the user to the local database file, authentication works fine like before
  • Simply stopping and restarting the services via GUI or console does not clear the user database

I'm not familiar with how the GUI wrapper in pfSense works, but it seems to me that the user configuration is no longer written correctly.

My server is on:
2.7.0-DEVELOPMENT (amd64)
built on Thu Nov 03 06:04:43 UTC 2022
FreeBSD 14.0-CURRENT
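
A monitoring check for the symptom reported above (an authorize file left without user entries), as an added example that is not part of this issue or of the pfSense FreeRADIUS package. The function names and the sample file content are constructed for illustration, and the quoted-username form is an assumption about the generated file.

```shell
#!/bin/sh
# Added example: detect an emptied FreeRADIUS "files" user database.
# Default path is the one named in the issue report.
AUTHORIZE="${AUTHORIZE:-/usr/local/etc/raddb/mods-config/files/authorize}"

# Print the number of user entries in a FreeRADIUS users/authorize file.
# An entry starts in column 0; indented lines are reply items that belong
# to the previous entry. Comments, blanks, $INCLUDE and DEFAULT are skipped.
count_radius_users() {
    awk '
        /^[ \t]/ || /^#/ || /^$/ { next }   # reply item, comment, blank line
        /^\$INCLUDE/             { next }
        {
            name = $1
            gsub(/"/, "", name)             # name may be quoted (assumption)
            if (name != "DEFAULT") n++
        }
        END { print n + 0 }
    ' "$1"
}

# Return 0 if the file holds at least one user entry, 1 otherwise.
check_radius_users() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "CRITICAL: $file does not exist" >&2
        return 1
    fi
    users=$(count_radius_users "$file")
    if [ "$users" -eq 0 ]; then
        echo "CRITICAL: $file contains no user entries" >&2
        return 1
    fi
    echo "OK: $users user entries in $file"
}

# Constructed sample (not taken from the issue): two users plus a DEFAULT.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed test data
"alice" Cleartext-Password := "example-only"
    Framed-IP-Address = 10.0.0.5

bob Cleartext-Password := "example-only"
DEFAULT Auth-Type := Reject
EOF
check_radius_users "$sample"                          # healthy file
: > "$sample"                                         # simulate the wiped file
check_radius_users "$sample" || echo "wiped file detected"
rm -f "$sample"
```

On the firewall itself, call `check_radius_users "$AUTHORIZE"` after editing a user or from a scheduled job, and alert on a non-zero exit status.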


Files

clipboard-202211060955-iycul.png (31.7 KB), aleksei prokofiev, 11/06/2022 01:55 AM
clipboard-202211060955-ed4ap.png (29.3 KB), aleksei prokofiev, 11/06/2022 01:55 AM
freeradius.patch (24.5 KB), Marcos M, 12/06/2022 01:39 PM

Related issues

Related to Bug #13653: FreeRadius package 0.15.8_1 on 23.01 doesn't write user's info to /usr/local/etc/raddb/users file. (Duplicate)
Related to Regression #13631: FreeRADIUS fails to authenticate users (Duplicate)

#1

Updated by Gerke Max Preussner 3 months ago

My freeradius3 package is on 0.15.8_1

#2

Updated by Gerke Max Preussner 3 months ago

Other package dependencies:

bash-5.2.2_1
freeradius3-3.0.25
python39-3.9.15 

#3

Updated by aleksei prokofiev 3 months ago

Tested on
2.7.0-DEVELOPMENT (amd64)
built on Fri Nov 04 06:05:19 UTC 2022
FreeBSD 14.0-CURRENT

I can confirm that after adding users, the file /usr/local/etc/raddb/mods-config/files/authorize is empty

#4

Updated by Gerke Max Preussner 3 months ago

I noticed that the file can also get wiped without touching the RADIUS users at all. I haven't figured out yet how this happens - it could be when rebooting pfSense. I'll try to look into this some more later this week.

Another, perhaps important observation is that the RADIUS user list in the GUI always remains intact. Apparently it is persisted elsewhere, but not written out into the RADIUS configuration.

#5

Updated by Lev Prokofev 3 months ago

  • Related to Bug #13653: FreeRadius package 0.15.8_1 on 23.01 doesn't write user's info to /usr/local/etc/raddb/users file. added
  • Related to Regression #13631: FreeRADIUS fails to authenticate users added

#6

Updated by Jim Pingle 3 months ago

  • Parent task set to #13446

#7

Updated by Jim Pingle 3 months ago

Sounds like it might be the same root cause as #13642 (See the most recent note on there)

#8

Updated by Marcos M about 2 months ago

  • File freeradius.patch added
  • Tracker changed from Bug to Regression
  • Status changed from New to Pull Request Review
  • Assignee set to Marcos M
  • Target version set to 2.7.0
  • Plus Target Version set to 23.01
  • Affected Plus Version set to 23.01
  • Affected Architecture All added
  • Affected Architecture deleted (amd64)

https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/301

Copy/paste/apply attached patch (strip count 4).

#9

Updated by Marcos M about 2 months ago

  • Status changed from Pull Request Review to Feedback

Merged.

#10

Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved

Seems to be working OK on current snaps+package version. Users are listed in the GUI OK, I can modify them, and the users/authorize file has complete content before and after editing a user.

#11

Updated by Jim Pingle about 2 months ago

  • % Done changed from 0 to 100