Regression #16863: RADIUS authentication fails when attribute contains an invalid ACL - pfSense Plus - pfSense bugtracker

Actions

Copy link

Regression #16863

open

RADIUS authentication fails when attribute contains an invalid ACL

Added by Quang Phan 3 days ago. Updated 3 days ago.

Status:

Feedback

Priority:

Normal

Assignee:

Marcos M

Category:

OpenVPN

Target version:

26.07

Start date:

Due date:

% Done:

Estimated time:

Release Notes:

Default

Affected Plus Version:

26.03

Affected Architecture:

All

Description

When I attempt to authenticate to my OpenVPN server configured to use a RADIUS backend, the authentication succeeds at the RADIUS level, but the pfSense openvpn.auth-user.php background script crashes and my VPN does not form. I observe that the client successfully passes the TLS handshake but hangs on PUSH_REQUEST until it times out. The OpenVPN client reports a user authentication error the the last message I see in the pfSense logs about OpenVPN is Peer Connection Initiated with [AF_INET]. This had no issues in pfSense version 25 and started when I upgraded to 26.03.1

Logs:

Crash report begins.  Anonymous machine information:

arm
16.0-CURRENT
FreeBSD 16.0-CURRENT #13 plus-RELENG_26_03_1-n256546-1d1bfd578383: Wed May 20 15:20:32 UTC 2026     root@pfsense-build-release-aarch64-2.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-Plus-snapshots-26_03_1-main/obj/armv7/wbqsxpHt/var/jenkins/workspac

Crash report details:

PHP Errors:
[30-May-2026 10:55:00 US/Eastern] PHP Fatal error:  Uncaught ArgumentCountError: 3 arguments are required, 2 given in /etc/inc/util.inc:2768
Stack trace:
#0 /etc/inc/util.inc(2768): sprintf()
#1 /etc/inc/util.inc(5058): localize_text()
#2 /etc/inc/util.inc(5277): cisco_extract_index()
#3 /etc/inc/openvpn.attributes.php(30): parse_cisco_acl()
#4 /etc/inc/openvpn.auth-user.php(121): include_once('/etc/inc/openvp...')
#5 {main}
  thrown in /etc/inc/util.inc on line 2768
[30-May-2026 11:06:18 US/Eastern] PHP Fatal error:  Uncaught ArgumentCountError: 3 arguments are required, 2 given in /etc/inc/util.inc:2768
Stack trace:
#0 /etc/inc/util.inc(2768): sprintf()
#1 /etc/inc/util.inc(5058): localize_text()
#2 /etc/inc/util.inc(5277): cisco_extract_index()
#3 /etc/inc/openvpn.attributes.php(30): parse_cisco_acl()
#4 /etc/inc/openvpn.auth-user.php(121): include_once('/etc/inc/openvp...')
#5 {main}
  thrown in /etc/inc/util.inc on line 2768
[30-May-2026 11:13:15 US/Eastern] PHP Fatal error:  Uncaught ArgumentCountError: 3 arguments are required, 2 given in /etc/inc/util.inc:2768
Stack trace:
#0 /etc/inc/util.inc(2768): sprintf()
#1 /etc/inc/util.inc(5058): localize_text()
#2 /etc/inc/util.inc(5277): cisco_extract_index()
#3 /etc/inc/openvpn.attributes.php(30): parse_cisco_acl()
#4 /etc/inc/openvpn.auth-user.php(121): include_once('/etc/inc/openvp...')
#5 {main}
  thrown in /etc/inc/util.inc on line 2768

No FreeBSD crash data found.

Actions

Copy link

Updated by Marcos M 3 days ago

Status changed from New to Feedback
Assignee set to Marcos M
Target version set to 26.07
Affected Plus Version changed from 26.03.1 to 26.03
Affected Architecture All added
Affected Architecture deleted (~~SG-3100~~)

The following patch fixes the PHP errors, though they aren't the root of the issue. An ACL rule from the RADIUS attribute is not formatted correctly which leads to the problematic code path when the rule error is logged. Show Hide

diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index 7e9e8988fc..a182f1585e 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -5055,7 +5055,7 @@ function cisco_extract_index($prule) {
     if (is_numeric($index[1])) {
         return intval($index[1]);
     } else {
-        logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Could not extract index", $prule));
+        logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Could not extract index", $prule));
     }
     return -1;;
 }
@@ -5088,7 +5088,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
             $tmprule .= "proto {$rule[$index]} ";
             break;
         default:
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid protocol", $rule_orig));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid protocol", $rule_orig));
             return;
     }
     $index++;
@@ -5105,7 +5105,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
             }
             $index++;
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid source host '%s'", $rule_orig, $rule[$index]));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid source host '%s'", $rule_orig, $rule[$index]));
             return;
         }
     } elseif (is_subnetv6(trim($rule[$index])) && ($proto == "inet6")) {
@@ -5122,12 +5122,12 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
             try {
                 $netmask = cisco_to_cidr($netmask);
             } catch(Exception $e) {
-                logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid source netmask '%s' (%s)", $rule_orig, $netmask, $e->getMessage()));
+                logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid source netmask '%s' (%s)", $rule_orig, $netmask, $e->getMessage()));
                 return;
             }
             $tmprule .= "from {$network}/{$netmask} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid source network '%s'", $rule_orig, $network));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid source network '%s'", $rule_orig, $network));
             return;
         }

@@ -5155,7 +5155,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
         if (is_port($port)) {
             $tmprule .= "port {$operator} {$port} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid source port: '%s' not a numeric value between 0 and 65535.", $rule_orig, $port));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid source port: '%s' not a numeric value between 0 and 65535.", $rule_orig, $port));
             return;
         }
         $index++;
@@ -5164,7 +5164,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
         if (is_port($port[0]) && is_port($port[1])) {
             $tmprule .= "port {$port[0]}:{$port[1]} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid source ports: '%s' & '%s' one or both are not a numeric value between 0 and 65535.", $rule_orig, $port[0], $port[1]));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid source ports: '%s' & '%s' one or both are not a numeric value between 0 and 65535.", $rule_orig, $port[0], $port[1]));
             return;
         }
         $index++;
@@ -5178,7 +5178,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
             $tmprule .= "to {$rule[$index]} ";
             $index++;
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid destination host '%s'.", $rule_orig, $rule[$index]));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid destination host '%s'.", $rule_orig, $rule[$index]));
             return;
         }
     } elseif (is_subnetv6(trim($rule[$index])) && ($proto == "inet6")) {
@@ -5195,12 +5195,12 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
             try {
                 $netmask = cisco_to_cidr($netmask);
             } catch(Exception $e) {
-                logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid destination netmask '%s' (%s).", $rule_orig, $netmask, $e->getMessage()));
+                logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid destination netmask '%s' (%s).", $rule_orig, $netmask, $e->getMessage()));
                 return;
             }
             $tmprule .= "to {$network}/{$netmask} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid destination network '%s'.", $rule_orig, $network));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid destination network '%s'.", $rule_orig, $network));
             return;
         }

@@ -5228,7 +5228,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
         if (is_port($port)) {
             $tmprule .= "port {$operator} {$port} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid destination port: '%s' not a numeric value between 0 and 65535.", $rule_orig, $port));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid destination port: '%s' not a numeric value between 0 and 65535.", $rule_orig, $port));
             return;
         }
         $index++;
@@ -5237,7 +5237,7 @@ function parse_cisco_acl_rule($rule, $devname, $dir, $proto) {
         if (is_port($port[0]) && is_port($port[1])) {
             $tmprule .= "port {$port[0]}:{$port[1]} ";
         } else {
-            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s %s: Invalid destination ports: '%s' '%s' one or both are not a numeric value between 0 and 65535.", $rule_orig, $port[0], $port[1]));
+            logger(LOG_WARNING, localize_text("Error parsing RADIUS attribute - rule %s: Invalid destination ports: '%s' '%s' one or both are not a numeric value between 0 and 65535.", $rule_orig, $port[0], $port[1]));
             return;
         }
         $index++;

Actions

Copy link

Updated by Marcos M 3 days ago

Tracker changed from Bug to Regression
Subject changed from util.inc: Uncaught ArgumentCountError in parse_cisco_acl during OpenVPN RADIUS authentication to RADIUS authentication fails when attribute contains an invalid ACL

Applied with a75a241b8ce816347a5ce4e3d10de6d70579a3f2.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense » pfSense Plus

Custom queries