Regression #13628
closed
pfSense - Feature #13446: Upgrade PHP from 7.4 to 8.1
FreeRADIUS Users cleared out each time a user is added, removed, or modified
Description
After upgrading from Stable to Development I noticed that my RADIUS authentication was broken. I'm using a very basic setup with users being stored locally in a file and PAP; no SQL, LDAP, or VPN. The only complication is that I have a few VLANs.
I troubleshooted the problem for a while and found the following:
- Each time a user is added, removed, or modified via Services > FreeRADIUS > Users, the /usr/local/etc/raddb/mods-config/files/authorize file is cleared and not repopulated
- When a user is attempting a login, radiusd cannot find the last good known password, because there are no users in the local database; it doesn't set Auth-Type, and the login fails in post-auth
- Naturally, tests via Diagnostics > Authentication also fail, and pfSense web admin logins fail and fall back to the local database
- If I manually add the user to the local database file, authentication works fine like before
- Simply stopping and restarting the services via GUI or console does not clear the user database
I'm not familiar with how the GUI wrapper in pfSense works, but it seems to me that the user configuration is no longer written correctly.
My server is on:
2.7.0-DEVELOPMENT (amd64)
built on Thu Nov 03 06:04:43 UTC 2022
FreeBSD 14.0-CURRENT
Updated by Gerke Max Preussner about 2 years ago
My freeradius3 package is on 0.15.8_1
Updated by Gerke Max Preussner about 2 years ago
Other package dependencies:
bash-5.2.2_1
freeradius3-3.0.25
python39-3.9.15
Updated by aleksei prokofiev about 2 years ago
- File clipboard-202211060955-iycul.png added
- File clipboard-202211060955-ed4ap.png added
Tested on
2.7.0-DEVELOPMENT (amd64)
built on Fri Nov 04 06:05:19 UTC 2022
FreeBSD 14.0-CURRENT
I can confirm that after adding users, the file /usr/local/etc/raddb/mods-config/files/authorize is empty
Updated by Gerke Max Preussner about 2 years ago
I noticed that the file can also get wiped without touching the RADIUS users at all. I haven't figured out yet how this happens - it could be when rebooting pfSense. I'll try to look into this some more later this week.
Another, perhaps important observation is that the RADIUS user list in the GUI always remains intact. Apparently it is persisted elsewhere, but not written out into the RADIUS configuration.
Updated by Lev Prokofev about 2 years ago
- Related to Bug #13653: FreeRadius package 0.15.8_1 on 23.01 doesn't write user's info to /usr/local/etc/raddb/users file. added
- Related to Regression #13631: FreeRADIUS fails to authenticate users added
Updated by Jim Pingle about 2 years ago
Sounds like it might be the same root cause as #13642 (See the most recent note on there)
Updated by Marcos M almost 2 years ago
- File freeradius.patch added
- Tracker changed from Bug to Regression
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version set to 2.7.0
- Plus Target Version set to 23.01
- Affected Plus Version set to 23.01
- Affected Architecture All added
- Affected Architecture deleted (amd64)
https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/merge_requests/301
Copy/paste/apply attached patch (strip count 4).
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
Seems to be working OK on current snaps+package version. Users are listed in the GUI OK, I can modify them, and the users/authorize file has complete content before and after editing a user.
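A check for the failure mode reported in this thread, added here as an example and not part of the original issue or the pfSense package: it parses the authorize file in FreeRADIUS users-file syntax and reports whether it is empty or lacks expected users. The expected user names, the function names and the sample entries are assumptions constructed for illustration.

```python
import shlex
import sys

# Path reported in the thread; the file uses FreeRADIUS "users" file syntax.
AUTHORIZE = "/usr/local/etc/raddb/mods-config/files/authorize"

# Constructed sample, not taken from the thread.
SAMPLE = '''\
"alice" Cleartext-Password := "example-only"
    Framed-IP-Address = 192.0.2.10,
    Reply-Message = "hello"

bob Cleartext-Password := "example-only"
DEFAULT Auth-Type := Reject
'''

def parse_users(text):
    """Return the user names that start an entry, skipping DEFAULT."""
    names = []
    for line in text.splitlines():
        # Entries start in column 0; indented lines are reply items.
        if not line or line[0] in " \t#" or line.startswith("$INCLUDE"):
            continue
        try:
            name = shlex.split(line)[0]        # handles a "quoted name"
        except ValueError:                     # unbalanced quote on the line
            name = line.split()[0].strip('"')
        if name != "DEFAULT":
            names.append(name)
    return names

def check_authorize(text, expected_users):
    """Return (status, missing); status is OK, EMPTY or MISSING."""
    present = set(parse_users(text))
    missing = sorted(set(expected_users) - present)
    if not present:
        return "EMPTY", missing                # the state described in this issue
    return ("MISSING" if missing else "OK"), missing

if __name__ == "__main__":
    expected = sys.argv[1:]  # assumption: operator passes the GUI user names
    if expected:
        with open(AUTHORIZE, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text, expected = SAMPLE, ["alice", "bob"]  # offline demo on the sample
    status, missing = check_authorize(text, expected)
    print(status, ",".join(missing))
    sys.exit(0 if status == "OK" else 1)
```

Run with the user names as arguments after editing users or after a reboot; a non-zero exit means RADIUS logins will fail or fall back to the local database as described above.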