pfSense Support Subscription

Author Topic: NEW Package: freeRADIUS 2.x  (Read 172138 times)

0 Members and 1 Guest are viewing this topic.

Offline sisko212

  • Jr. Member
  • **
  • Posts: 46
  • Karma: +1/-0
  • https://archive.org/details/GaryKild
    • View Profile
    • A tribute to a real genius
Re: NEW Package: freeRADIUS 2.x
« Reply #600 on: October 27, 2015, 02:47:20 am »
Good day to everybody,
As you maybe know, latest package Freeradius2 1.6.15 that contains a Freeradius 2.2.6 daemon, has a trouble on EAP-TLS authentication.
Above all with latest Android 6.0 Marshmallow.
Some tech details are available here:
https://code.google.com/p/android/issues/detail?id=188867#c29
Someone known if it exists a workaround, perhaps editing some configuration files on freeradius, or also on Android with some apps, in order to avoid this issue ?
Thanks a lot in advance for your time and for any suggestion.

Offline David_W

  • Sr. Member
  • ****
  • Posts: 363
  • Karma: +66/-0
    • Twitter
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #601 on: October 28, 2015, 10:33:07 pm »
The issues you mention should be fixed in FreeRADIUS 2.2.9, which is now in FreeBSD ports.

FreeRADIUS 2.x is now end of life. Hopefully someone will come forward to develop a FreeRADIUS 3.x package, though I would suggest any development efforts target the forthcoming pfSense 2.3.

Offline thetrevster

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Traffic Counter Not Working 2.2.4
« Reply #602 on: October 30, 2015, 10:47:52 am »
I'm on the latest version of pfSense (2.2.4 - 64 bit) with Captive Portal and the FreeRADIUS 2.x package setup for traffic capping. Everything is working properly to re-authenticate users every minute and I'm using the MAC address as the username. I'm currently capping users at 6000MB (total upload and download) per day. I added a test machine in and noticed that the traffic counter isn't working correctly. I was aware of this issue on older version of pfSense, but it seems that I am having a similar issue in the latest build. Any thoughts? See below an output from the system logs.

Oct 30 15:37:56 root: FreeRADIUS: Used amount of daily traffic by 247703xxxxxx is 35 MB of 6000 MB! The user was accepted!!!
Oct 30 15:38:58   root: FreeRADIUS: Used amount of daily traffic by 247703xxxxxx is 70 MB of 6000 MB! The user was accepted!!!

I have a local counter on the test machine, counting all traffic in/out of the wireless NIC. Within that time period, it shows I've only transferred 800KB, but the logs are showing 30+ MB. Thanks in advance for any input.
« Last Edit: October 30, 2015, 10:50:54 am by thetrevster »

Offline tamersherif

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: Traffic Counter Not Working 2.2.4
« Reply #603 on: November 01, 2015, 01:21:29 pm »
I'm on the latest version of pfSense (2.2.4 - 64 bit) with Captive Portal and the FreeRADIUS 2.x package setup for traffic capping. Everything is working properly to re-authenticate users every minute and I'm using the MAC address as the username. I'm currently capping users at 6000MB (total upload and download) per day. I added a test machine in and noticed that the traffic counter isn't working correctly. I was aware of this issue on older version of pfSense, but it seems that I am having a similar issue in the latest build. Any thoughts? See below an output from the system logs.

Oct 30 15:37:56 root: FreeRADIUS: Used amount of daily traffic by 247703xxxxxx is 35 MB of 6000 MB! The user was accepted!!!
Oct 30 15:38:58   root: FreeRADIUS: Used amount of daily traffic by 247703xxxxxx is 70 MB of 6000 MB! The user was accepted!!!

I have a local counter on the test machine, counting all traffic in/out of the wireless NIC. Within that time period, it shows I've only transferred 800KB, but the logs are showing 30+ MB. Thanks in advance for any input.

Yes the the problem still exists int 2.2.4 i tried every thing and every tutorial on the internet but it's confirmed that this is a bug.

Offline thetrevster

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #604 on: November 02, 2015, 03:18:51 pm »
That is unfortunate, I could really use this feature. Is the bug actively being worked on / any idea on when it will be fixed? Thanks.

Offline TechyTech

  • Newbie
  • *
  • Posts: 8
  • Karma: +3/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #605 on: November 06, 2015, 12:48:04 am »
Good day to everybody,
As you maybe know, latest package Freeradius2 1.6.15 that contains a Freeradius 2.2.6 daemon, has a trouble on EAP-TLS authentication.
Above all with latest Android 6.0 Marshmallow.
Some tech details are available here:
https://code.google.com/p/android/issues/detail?id=188867#c29
Someone known if it exists a workaround, perhaps editing some configuration files on freeradius, or also on Android with some apps, in order to avoid this issue ?
Thanks a lot in advance for your time and for any suggestion.

Just got Marshmallow OTA update myself and smacked into this same problem.  EAP-TLS configuration that has been working fine for quite a while, now no longer works on upgraded Nexus 7.

Symptoms are that the device appears to negotiate authentication, FreeRADIUS logs indicate the device was authenticated, but the device never finishes joining the network, and just keeps repeating.

From the Google thread, the issue is tied to the use of TLSv1.2 and downgrading to TLSv1.1 or 1.0, the final keying is correct.  But downgrading to broken encryption standards is not what I'd consider a workaround. 

From other forum reading, it sounds like this is going to be a quickly growing problem as Marshmallow is currently being rolled out OTA to all Nexus devices and expected to hit OEM devices soon.

So really the only question then is how soon an updated release that contains a fix for this issue can be made available.

Offline David_W

  • Sr. Member
  • ****
  • Posts: 363
  • Karma: +66/-0
    • Twitter
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #606 on: November 07, 2015, 09:07:27 am »
Just got Marshmallow OTA update myself and smacked into this same problem.  EAP-TLS configuration that has been working fine for quite a while, now no longer works on upgraded Nexus 7.

As I said earlier in the thread, the package needs to be respun with FreeRADIUS 2.2.9 to solve this problem. If the package has a maintainer, hopefully he/she can deal with this, otherwise it would be helpful if someone built and tested an upgraded package, then submitted a pull request.

The longer term issue is that FreeRADIUS 2.x is now End of Life. A new package is needed, based on FreeRADIUS 3.x, though, depending on the timeline for pfSense 2.3, there may well be little point building a FreeRADIUS 3.x package for pfSense 2.2. It might be best to build a FreeRADIUS 3.x package for pfSense 2.3 rather than upgrading the FreeRADIUS 2.x package for the Bootstrap based pfSense 2.3 GUI.

Offline sisko212

  • Jr. Member
  • **
  • Posts: 46
  • Karma: +1/-0
  • https://archive.org/details/GaryKild
    • View Profile
    • A tribute to a real genius
Re: NEW Package: freeRADIUS 2.x
« Reply #607 on: November 11, 2015, 07:53:29 am »
...package needs to be respun with FreeRADIUS 2.2.9 to solve this problem....The longer term issue is that FreeRADIUS 2.x is now End of Life. A new package is needed, based on FreeRADIUS 3.x...

I Agree with you, but for users like me, developing a new pfsense package with latest freeradius 3 version, requires a skill and time (to read pfsense package build documentation) that not everybody has ...
At moment, only as temporary workaround, I installed a Zeroshel distribution, only for wifi authentication, because it has a newer freeradius (maybe 2.2.12 or .19) than pfsense, and it is able to work with latest Android and iOS releases.

Offline David_W

  • Sr. Member
  • ****
  • Posts: 363
  • Karma: +66/-0
    • Twitter
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #608 on: November 12, 2015, 07:30:28 am »
At moment, only as temporary workaround, I installed a Zeroshel distribution, only for wifi authentication, because it has a newer freeradius (maybe 2.2.12 or .19) than pfsense, and it is able to work with latest Android and iOS releases.

FreeRADIUS 2.2.9 is the latest - and quite possibly the last - release in the 2.2.x series. If you see version numbers higher than that, they're not using the version numbering from the FreeRADIUS developers.


Your work-round is probably the best for now. I don't have the time to do any work on fixing the package and I'm not sure anyone is maintaining it. The chances are that all that is needed is to upgrade the FreeRADIUS code to 2.2.9, though there might be other changes necessary for the package to work correction with 2.2.9.

A FreeRADIUS 3.x package is a much larger undertaking. Arguably the correct approach - as I have advocated elsewhere - is to produce a FreeRADIUS 3.x package for pfSense 2.3 rather than upgrading the current 2.x package for Bootstrap. Considering the limited life remaining of pfSense 2.2.x, it's hard to justify the effort involved in developing a FreeRADIUS 3.x package for non Bootstrap versions of pfSense.

Offline sloper

  • Newbie
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #609 on: January 20, 2016, 03:05:31 pm »
The chances are that all that is needed is to upgrade the FreeRADIUS code to 2.2.9, though there might be other changes necessary for the package to work correction with 2.2.9.

I am 100% willing to do this and test it. I'm having trouble finding (in the package's source) where it finds the actual Freeradius software. If anyone can point me in the right direction, I'll definitely update the package.

See the other topic specifically about the TLS issue which I've outlined what I'm looking for a bit more: https://forum.pfsense.org/index.php?topic=104343.msg588608#msg588608
« Last Edit: January 20, 2016, 03:38:54 pm by sloper »

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 17487
  • Karma: +593/-5
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #610 on: January 26, 2016, 03:17:32 pm »
It's not something that can be fixed in the package code in our repositories. The PBI needs to be rebuilt, but due to other changes in the ports tree after the last version was made, rebuilding it is non-trivial. There is an open ticket for it here: https://redmine.pfsense.org/issues/5318

In the meantime, FreeRADIUS on pfSense 2.3 is using FreeRADIUS 2.2.9 and is in a good/usable state. If someone absolutely requires it, upgrading to pfSense 2.3 beta (or at least having a VM with it running for FreeRADIUS!) is not a bad suggestion at this point in time.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline nxsfan

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Re: NEW Package: freeRADIUS 2.x
« Reply #611 on: January 31, 2016, 05:48:32 pm »
Just installed freeRADIUS on a relatively fresh (2.2.6) PFSense install. After minimal configuration clients were served with an expired (1/28/16) "Example Server Certificate". Is this intentional? I originally assumed that bootstrap was called after installing and starting freeRADIUS 2 the first time, but this isn't the case? After deleting the certificate and running bootstrap a new (temporally valid) certificate was generated. Perhaps this is expected? Thanks.