Project

General

Profile

Actions

Bug #14179

open

FreeRadius is active but in an inoperable state, switches to a generated freeradius-temp certificate upon restart

Added by name name about 1 year ago. Updated 11 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
FreeRADIUS
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
23.01
Affected Architecture:

Description

I was testing my HA setup yesterday evening and used the "Enter Persistent CARP Maintenance Mode" button quite a few times.

Afterwards I noticed that neither WLAN nor OpenVPN connections were working. The WLAN access points and OpenVPN server were up. FreeRadius was running.

This was in the logs:

Ignoring request to auth address 10.0.59.1 port 1812 bound to server default from unknown client 10.0.59.51 port 52957 proto udp

Login incorrect (Failed retrieving values required to evaluate condition): [<user>] (from client pfsense port <openvpn-port> cli <client-ip>:<openvpn-port>) User=<user>,Called-Station-Id=<mac-address>:<pfsense-dns-name>,Calling-Station-Id=<client-ip>:<openvpn-port>,NAS-IP-Address=10.0.1.2,NAS-Port=<openvpn-port>,NAS-Identifier=openVPN,NAS-Port-Type=Virtual,Client-IP-Address=127.0.0.1

The first entry was one of many connection attempts of one of my access points to the FreeRadius server listening on 10.0.59.1. The client is configured, as it has been for years.

The second was from an OpenVPN connection attempt.

After restarting FreeRadius - without any configuration change - I tried connecting to my WLAN again. It then showed me I was supposed to accept a freeradius-temp certificate, which seems to have been freshly generated with 10 year lifetime. I went back into the configuration, changed the EAP "SSL Server Certificate" to another one, saved, changed it back to my previously configured one, hit save again.

Now both WLAN and OpenVPN were connecting just fine.

Actions #1

Updated by Jim Pingle about 1 year ago

  • Project changed from pfSense Plus to pfSense Packages
  • Category changed from Authentication to FreeRADIUS
  • Release Notes deleted (Default)
Actions #2

Updated by name name 12 months ago

Okay, now I've run into it again and discovered the following:

If the firewall has internet connectivity during config restore, it will automatically reinstall all packages.

After the initial reboot due to config restore, I can see that the FreeRadius configuration is present and everything looks fine.

However, after the freeradius package has been reinstalled, the FreeRadius configuration is EMPTY!

I can see that in the Config History.

"Intermediate config write during package install for freeradius3": Removes all of the following xml objects:

<freeradiusinterfaces>
    . . .
<freeradiusclients>
    . . .
<freeradiussettings>
    . . .
<freeradiuseapconf>
    . . .
<freeradius>
    . . .

The next history entry is "Intermediate config write during package removal for cellular":

It adds a new temporary <ca> and <cert> object for FreeRadius.

Aside from the basic config entries in

<installedpackages><package>...
<menu>...
<service>...

it only adds the following FreeRadius configuration back in:

+        <freeradiuseapconf>
+            <config>
+                <ssl_ca_cert>643c0363cface</ssl_ca_cert>
+                <ssl_server_cert>643c0363ea0b1</ssl_server_cert>
+            </config>
+        </freeradiuseapconf>

All packages are up to date on pfSense+-23.01, the FreeRadius configuration is originally from pfSense-CE-2.6.0 and was updated by importing it into a fresh pfSense+-23.01 installation.

So essentially: Package reinstallation of freeradius3 destroys my entire FreeRadius configuration and is consequently inoperable afterwards.

The only solution I've found so far is to ensure that the firewall can't reinstall the packages due to disconnected internet. Then the config restore process does everything right, the FreeRadius configuration is present and works.

Could somebody please look into it?

Actions #3

Updated by name name 12 months ago

So after reading through the source code I found something that I thought was strange to even exist:

    /* Remove package settings from config if 'Keep Settings' is disabled */
    if (!config_path_enabled('installedpackages/freeradiussettings/config/0/', 'keep_settings')) {

Checking my configuration file, I found that no

<keep_settings>on</keep_settings>

was present in freeradiussettings -> config.

After adding it manually and restoring that modified configuration file everything was preserved during package reinstall.

The inital bug report is something that might be broken alongside this, but it seems there is a bug somewhere that causes old configurations without keep_settings present to not get it added during upgrade, so that on pfSense+-23.01 the package reinstall wipes the configuration.

Actions #4

Updated by Chris W 11 months ago

Steps taken to reproduce:
1. Install FreeRadius package into a virtual machine of 23.01
2. Configure FreeRadius with an interface and a client
3. Take a backup from Diagnostics > Backup & Restore.
4. Reset the VM to a state before FreeRadius was installed
5. Import the configuration exported in Step 3. VM is connected to the internet
6. PfSense reboots and when I log in to the dashboard again, there's a notification saying packages (only FreeRadius) were installed successfully.

With these steps, I was unable to reproduce the issue. However the exported configuration from the steps above doesn't contain the <freeradiussettings> </freeradiussettings> XML block, thus doesn't contain <keep_settings>on</keep_settings>. It's not exported in the configuration file until you click Save in Services > FreeRadius > Settings. You don't even need to change anything, just go to the page and click the Save button at the bottom, and now FreeRadius settings block is present. And for what it's worth, if changes are made on the Settings page, the XML block is still present after reverting them.

So at least from a default installation of 23.01 (and 22.05), the potential issue is that the XML block isn't present unless that Settings page is touched. This doesn't appear to be a problem in and of itself since I wasn't able to reproduce the exact behavior this bug was opened for, but I don't know if it's unintended or simply inconsequential from a development standpoint.

Is your configuration a product of having upgraded through several previous pfSense versions?

Actions #5

Updated by name name 11 months ago

Hi Chris,

thanks for looking into this.

Yes I upgraded from 2.6.0 and the original version was probably something like 2.4.x.

I haven't had time to look into it again, but my current guess is, that something wasn't migrated right between pfSense config versions.

My original bug report was from the same config, but when I first set everything up, I built a new VM with 23.01, i.e. 2.6.0 -> 23.01, so I had a template, then restored the 2.6.0 config in 23.01. During reboot there was no internet connectivity, so the FreeRadius package didn't reinstall, meaning the config sections for FreeRadius were intact.

During my initial test of the HA setup, FreeRadius was verified running correctly with the correct config, I switched between CARP master/slave and found myself with a new certificate for FreeRadius all of a sudden.

The configuration however was still present in pfSense. As described I changed the certificate to something else, then back to the original one, restarted FreeRadius and everything was fine.

So there are two bugs:

1. Initial bug: Configuration in pfSense xml remains unchanged, but the running instance of FreeRadius suddenly has the wrong certificate (and perhaps wrong running configuration) due to HA switchover. For some reason the running config of FreeRadius became a new one, but upon pressing Save in pfSense UI it restarted with the correct config from the pfsense xml.

2. Second bug: Package reinstall of FreeRadius, if the config was migrated and originates from an earlier pfSense version, causes the wipe of the entire FreeRadius configuration and saves an initial (more or less empty) one instead.

Actions

Also available in: Atom PDF