Faucon
Resolved
-1 votes
Hi all. I have a fresh install of 7.1b3. I only did the update without adding any extra repository. Registration and app install were made through the marketplace. I'm unable to start the Radius server. When I click Start, it just turns to stop again. I added a client via the webconfig, with IP address, nickname and password. Here is the output of /var/log/radius/radius.log:

Mon Sep 21 18:29:05 2015 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
Mon Sep 21 18:29:05 2015 : Warning: Support for old-style clients will be removed in a future release
Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-config/files/authorize[1]: Could not open included file /etc/raddb/mods-config/files/clearos-users: No such file or directory
Mon Sep 21 18:29:05 2015 : Error: Failed reading /etc/raddb/mods-config/files/authorize
Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"

Edit: here is the /etc/raddb/clearos-client:

client 10.195.198.3 {
secret = ciscowificlient
shortname = Wifi
}

It seems that the webconfig entered the IP address instead of the name of the client, and the ipaddr parameter is missing within the quote.

Who can help? Thanks!
Monday, September 21 2015, 10:31 PM
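Added example, not part of the thread and not ClearOS or FreeRADIUS code: a check for the client blocks that trigger the "No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field" warning, plus a rewrite to the newer form with the address moved out of the block name. The function names and the sample secrets are made up, and only flat blocks with no nested sections are handled.

```python
import ipaddress
import re

# Constructed sample in the shape of /etc/raddb/clearos-client (secrets are placeholders).
SAMPLE = """
client 10.195.198.3 {
    secret = CONSTRUCTED-SECRET
    shortname = Wifi
}
client AP2 {
    ipaddr = 10.195.198.4
    secret = CONSTRUCTED-SECRET-2
}
"""

BLOCK_RE = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)\}", re.S | re.M)
ADDR_KEYS = ("ipaddr", "ipv4addr", "ipv6addr")


def parse_clients(text):
    """Return [(name, {key: value})] for every flat client block."""
    clients = []
    for name, body in BLOCK_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # a secret may itself contain '='
            fields[key.strip()] = value.strip()
        clients.append((name, fields))
    return clients


def old_style(clients):
    """Names of blocks that carry no address field (these produce the warning)."""
    return [name for name, f in clients if not any(k in f for k in ADDR_KEYS)]


def to_new_style(name, fields):
    """Rewrite an old-style block: the address moves from the name into ipaddr."""
    net = ipaddress.ip_network(name, strict=False)  # ValueError if name is a hostname
    key = "ipv6addr" if net.version == 6 else "ipaddr"
    label = fields.get("shortname", name)
    lines = [f"client {label} {{", f"    {key} = {name}"]
    lines += [f"    {k} = {v}" for k, v in fields.items()]
    return "\n".join(lines + ["}"])
```
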
Responses (16)
  • Accepted Answer

    Thursday, September 24 2015, 02:35 PM - #Permalink
    Resolved
    2 votes
    Faucon wrote:

    Hi all. I have a fresh install of 7.1b3. I only did the update without adding any extra repository. Registration and app install were made through the marketplace. I'm unable to start the Radius server. When I click Start, it just turns to stop again. I added a client via the webconfig, with IP address, nickname and password. Here is the output of /var/log/radius/radius.log:

    Mon Sep 21 18:29:05 2015 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
    Mon Sep 21 18:29:05 2015 : Warning: Support for old-style clients will be removed in a future release
    Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-config/files/authorize[1]: Could not open included file /etc/raddb/mods-config/files/clearos-users: No such file or directory
    Mon Sep 21 18:29:05 2015 : Error: Failed reading /etc/raddb/mods-config/files/authorize
    Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"


    That looks like a bug. On it.
  • Accepted Answer

    Faucon
    Friday, September 25 2015, 04:22 AM - #Permalink
    Resolved
    0 votes
    Thanks Peter! I will wait for an answer.
  • Accepted Answer

    Friday, September 25 2015, 06:06 AM - #Permalink
    Resolved
    0 votes
    Here are some specifics:

    moved /etc/raddb/clearos-users to /etc/raddb/mods-config/files/

    Next, I had to comment out 'unix' from /root/support/raddb/raddb/sites-enabled/default
    About Line 297

    [root@server sites-enabled]# diff default /root/support/raddb/raddb/sites-enabled/default
    297c297
    < # unix
    ---
    > unix
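    Review bot: the direction of this diff does not match the sentence above it. With `default` as the first argument, the `<` side (`# unix`, commented out) is the file in the current directory, and the `>` side (`unix`, still active) is /root/support/raddb/raddb/sites-enabled/default, so the edit sits in the local `default` and the /root/support copy is the unmodified reference. The prompt shows only `sites-enabled`, so stating the full working directory next to the command would remove the ambiguity about which file was changed.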


    Lastly, the symbolic link is missing for 'ldap'
    cd /etc/raddb/mods-enabled/
    ln -s ../mods-available/ldap ldap

    From here you will get errors concerning LDAP. LDAP is likely required and will need to have separate settings for OpenLDAP or Samba4

    Here is a howto for Samba 4. Will look into other methods for accessing the directory to see if we can just hit the local authentication. For EAP, you have to encrypt the inner tunnel so it can get complex.

    https://wiki.samba.org/index.php/VPN_Single_SignOn_with_Samba_AD#Install_.26_Configure_a_Radius_Server
  • Accepted Answer

    Friday, September 25 2015, 06:14 AM - #Permalink
    Resolved
    0 votes
    btw, to troubleshoot radius, make sure the service is stopped:

    service radius stop

    Then run the service interactively

    radiusd -X
  • Accepted Answer

    Faucon
    Friday, September 25 2015, 12:19 PM - #Permalink
    Resolved
    0 votes
    Thanks Dave! I will give a try tonight
  • Accepted Answer

    Friday, September 25 2015, 02:30 PM - #Permalink
    Resolved
    0 votes
    There's an update in the clearos-updates-testing repository. You can re-install the RADIUS app with:


    yum remove freeradius
    yum --enablerepo=clearos-updates-testing install app-radius


    It fixes all the things Dave mentioned and also merges a more recent set of configuration files. There might be a few other items to review, but the RADIUS app should be better now. It still hasn't passed the WorksForMe step in the ClearOS 7 release workflow.

    From here you will get errors concerning LDAP. LDAP is likely required and will need to have separate settings for OpenLDAP or Samba4


    I just added a tracker item for this: https://tracker.clearos.com/view.php?id=5442
  • Accepted Answer

    Thursday, October 15 2015, 05:33 PM - #Permalink
    Resolved
    0 votes
    Hi,

    I am having the same issue as the one quoted.
    What's the status on this?

    Thanks
  • Accepted Answer

    Tuesday, October 20 2015, 05:10 PM - #Permalink
    Resolved
    0 votes
    Ok, I feel like an idiot for not sorting the thread by date...
    Anyhow, I have updated from the updates-testing repo, but this is still not working for me.
    It seems that the server is running now, but there is a problem with communication to LDAP.
  • Accepted Answer

    Monday, October 26 2015, 08:11 PM - #Permalink
    Resolved
    0 votes
    Let me see if I can get a status update from our RADIUS guru. Keep in mind, RADIUS is mostly driven by the ClearBOX hardware wireless requirement, and that has not yet been completed. Regardless, if RADIUS isn't working in ClearOS 7, then we should remove it from view in Marketplace until it's done.
  • Accepted Answer

    Tuesday, October 27 2015, 09:22 PM - #Permalink
    Resolved
    0 votes
    Maybe it should be removed.
    This updated app from testing repo is running server now, but users are unable to authenticate.
    Though, when ClearOS is restarted, radius server is not starting sometimes.
    Generally, I would mark this one as unstable.
  • Accepted Answer

    Thursday, October 29 2015, 02:36 PM - #Permalink
    Resolved
    0 votes
    The app has been removed from Marketplace until the RADIUS guru has the time to do a full audit.
  • Accepted Answer

    Thursday, November 12 2015, 02:17 PM - #Permalink
    Resolved
    0 votes
    I tried posting this as a topic but the forums are... weird.

    Anyway, I solved this with a new config file. The auto-generated configuration is for freeradius2, not for 3, which is in ClearOS 7.

    So after installing with
    yum install app-radius


    Configure the clients in the web interface and then edit the ldap file in /etc/raddb/mods-available

    This is a template of my config:

    ldap {
        server = "localhost"
        port = 389
        identity = "cn=manager,ou=Internal,dc=DOMAIN,dc=NAME"
        password = yourpassword
        basedn = "dc=DOMAIN,dc=NAME"
        user {
            base_dn = "ou=Users,ou=Accounts,dc=DOMAIN,dc=NAME"
            filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }
        update {
            control:Password-With-Header += 'clearSHAPassword'
            control:NT-Password := 'clearMicrosoftNTPassword'
        }
        group {
            base_dn = "ou=Groups,ou=Accounts,dc=DOMAIN,dc=NAME"
            filter = '(objectClass=posixGroup)'
            membership_attribute = 'memberOf'
        }
        options {
            chase_referrals = yes
            rebind = yes
            use_referral_credentials = no
            res_timeout = 10
            srv_timelimit = 3
            idle = 60
            probes = 3
            interval = 3
            ldap_debug = 0x0028
        }
        tls {
        }
        pool {
            start = ${thread[pool].start_servers}
            min = ${thread[pool].min_spare_servers}
            max = ${thread[pool].max_servers}
            spare = ${thread[pool].max_spare_servers}
            uses = 0
            retry_delay = 30
            lifetime = 0
            idle_timeout = 60
            connect_timeout = 3.0
        }
    }


    Hopefully this helps someone.
  • Accepted Answer

    Wednesday, April 20 2016, 07:38 PM - #Permalink
    Resolved
    0 votes
    Thanks Ales and others. Sorry for the delays on RADIUS. It should be back in the marketplace as soon as we can get some testing on the packages in updates-testing that should be populating with new RADIUS code in the next several days.

    Specifically, we wanted to make sure that the inner tunnel would support EAP so that we could authenticate devices like Wireless Access Points which rely on that inner tunnel. The bug has been updated and we will be rolling new packages on that code soon.

    If you want a preview or to validate my code, please see: https://tracker.clearos.com/view.php?id=6101
  • Accepted Answer

    Faucon
    Wednesday, April 20 2016, 11:57 PM - #Permalink
    Resolved
    0 votes
    Thanks for the update. I was waiting for the fix before trying to install my Cisco AP.
  • Accepted Answer

    Friday, April 22 2016, 04:30 PM - #Permalink
    Resolved
    0 votes
    For those wanting to try out the package in testing and can provide me with feedback, please test the package by running:

    yum --enablerepo=clearos-updates-testing upgrade app-radius

    You should be getting version 2.2.0-2.v7

    Let me know so we can generally release this and then put it back in the marketplace.
  • Accepted Answer

    Faucon
    Tuesday, May 03 2016, 02:41 AM - #Permalink
    Resolved
    0 votes
    Dave Loper wrote:

    For those wanting to try out the package in testing and can provide me with feedback, please test the package by running:

    yum --enablerepo=clearos-updates-testing upgrade app-radius

    You should be getting version 2.2.0-2.v7

    Let me know so we can generally release this and then put it back in the marketplace.


    It's still not starting. I uninstalled the old version, then, from the marketplace, it installed 2.2.0-2 without having to specify a repository.

    Then I added a client, and can't start it.

    Here is the /var/log/message:

    May 2 22:28:03 pingouin webconfig: Redirecting to /bin/systemctl start radiusd.service
    May 2 22:28:03 pingouin systemd: Starting FreeRADIUS high performance RADIUS server....
    May 2 22:28:03 pingouin systemd: radiusd.service: control process exited, code=exited status=1
    May 2 22:28:03 pingouin systemd: Failed to start FreeRADIUS high performance RADIUS server..
    May 2 22:28:03 pingouin systemd: Unit radiusd.service entered failed state.
    May 2 22:28:03 pingouin systemd: radiusd.service failed.
    May 2 22:28:03 pingouin webconfig: Job for radiusd.service failed because the control process exited with error code. See "systemctl status radiusd.service" and "journalctl -xe" for details.

    Here is /var/log/radius/radius.log:

    Mon May 2 22:32:29 2016 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
    Mon May 2 22:32:29 2016 : Warning: Support for old-style clients will be removed in a future release
    Mon May 2 22:32:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:32:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server <default>
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server default
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server clearos-inner-tunnel
    Mon May 2 22:32:29 2016 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
    Mon May 2 22:32:29 2016 : Info: Loaded virtual server inner-tunnel
    Mon May 2 22:32:29 2016 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
    Mon May 2 22:32:29 2016 : Warning: Support for old-style clients will be removed in a future release
    Mon May 2 22:32:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:32:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
    Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
    Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
    Mon May 2 22:32:29 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"


    In /etc/raddb/clearos-client, it seems that the web interface is entering the IP address in the name...

    client 10.195.198.3 {
    secret = wifi5630
    shortname = AP
    }

    Even when I change the file to this:

    client AP {
    ipaddr = 10.195.198.3
    secret = wifi5630
    }

    I still got:

    Mon May 2 22:38:29 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:38:29 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:38:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:38:29 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server <default>
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server default
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server clearos-inner-tunnel
    Mon May 2 22:38:29 2016 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
    Mon May 2 22:38:29 2016 : Info: Loaded virtual server inner-tunnel
    Mon May 2 22:38:30 2016 : Warning: rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO returned: -1
    Mon May 2 22:38:30 2016 : Info: rlm_ldap: libldap vendor: OpenLDAP version: 20439
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for accounting, will return NOOP for calls from this section
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Couldn't find configuration for post-auth, will return NOOP for calls from this section
    Mon May 2 22:38:30 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
    Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
    Mon May 2 22:38:30 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
    Mon May 2 22:38:30 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"


    Thanks
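Added example, not part of the thread: a triage pass over radius.log lines in the format posted above. It pairs each `Instantiation failed for module` line with the first Error of the same consecutive run, so the error that stops the daemon is reported separately from the warnings. The function and field names are made up; the sample lines are copied from the two logs in the thread.

```python
import re

# Sample lines copied from the radius.log excerpts posted in the thread.
SAMPLE_LOG = """\
Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-config/files/authorize[1]: Could not open included file /etc/raddb/mods-config/files/clearos-users: No such file or directory
Mon Sep 21 18:29:05 2015 : Error: Failed reading /etc/raddb/mods-config/files/authorize
Mon Sep 21 18:29:05 2015 : Error: /etc/raddb/mods-enabled/files[9]: Instantiation failed for module "files"
Mon May 2 22:32:29 2016 : Warning: No 'ipaddr' or 'ipv4addr' or 'ipv6addr' field found in client 10.195.198.3. Please fix your configuration
Mon May 2 22:32:29 2016 : Info: rlm_ldap (ldap): Opening additional connection (0)
Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Bind credentials incorrect: Invalid credentials
Mon May 2 22:32:29 2016 : Error: rlm_ldap (ldap): Opening connection failed (0)
Mon May 2 22:32:29 2016 : Error: /etc/raddb/mods-enabled/ldap[1]: Instantiation failed for module "ldap"
"""

LINE_RE = re.compile(r"^(?P<ts>.*?) : (?P<level>\w+): (?P<msg>.*)$")
INST_RE = re.compile(
    r'^(?P<file>\S+)\[(?P<line>\d+)\]: Instantiation failed for module "(?P<mod>[^"]+)"'
)


def triage(log_text):
    """Split warnings from fatal module failures and attach each failure's first error."""
    warnings, failures, run = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        level, msg = m["level"], m["msg"]
        if level == "Warning":
            warnings.append(msg)
        if level != "Error":
            run = []          # any non-error line ends the current error run
            continue
        run.append(msg)
        inst = INST_RE.match(msg)
        if inst:              # last line of the run: the module that would not load
            failures.append({
                "module": inst["mod"],
                "config": inst["file"],
                "line": int(inst["line"]),
                "cause": run[0],   # first Error of the run, logged before the rest
            })
            run = []
    return {"warnings": warnings, "failures": failures}
```
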