Log:
2021-06-16T14:31:55 Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"
2021-06-16T14:31:55 Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"
Tried deleting and reinstalling the plugin to no avail.
Cisco LEAP was removed in version 3.0.22
QuoteRemove native support for Cisco LEAP. It is insecure, and should not be used. Proxying LEAP is still supported.
Open the configuration /usr/local/etc/raddb/mods-available/eap and remove the section about
leap and restart freeradius.
EDIT:
Even better, please open the file /usr/local/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap and remove the leap section (lines 102 to 115).
Might be worth notifying the plugin maintainer.
For a quick fix:
# opnsense-revert -r 21.1.6 freeradius3
Cheers,
Franco
PS: ok, we have a ticket now https://github.com/opnsense/plugins/issues/2432
Wow, thank you very much mrpink, mimugmail and franco. Already fixed I see, great work! :)
Team effort. Sometimes it's hard to protect against non-core changes in the ecosystem.
It will likely be hotfixed tomorrow for good measure.
Cheers,
Franco
Btw same (similar?) thing happens with PAP:
2021-06-17T16:58:51 radiusd[48579] /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"
Michael will take a look, although from the release notes nothing changed for PAP.
About LEAP it's a bit funny now that FreeRADIUS released 3.0.23[1] and it says...
> Silently ignore LEAP configuration instead of erroring out.
¯\_(ツ)_/¯
Cheers,
Franco
[1] https://freeradius.org/release_notes/?br=3.0.x&re=3.0.23
Quote from: szty0pa on June 17, 2021, 05:08:17 PM
Btw same (similar?) thing happens with PAP:
2021-06-17T16:58:51 radiusd[48579] /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"
Does this happen during startup?
Same here also get the pap[13] error, happens on start or restart of the Service the workaraound is working for now.
Thanks
Which workaround?
Quote from: franco on June 16, 2021, 03:00:47 PM
Might be worth notifying the plugin maintainer.
For a quick fix:
# opnsense-revert -r 21.1.6 freeradius3
Cheers,
Franco
Quote from: mimugmail on June 18, 2021, 12:41:32 PM
Quote from: szty0pa on June 17, 2021, 05:08:17 PM
Btw same (similar?) thing happens with PAP:
2021-06-17T16:58:51 radiusd[48579] /usr/local/etc/raddb/mods-enabled/pap[13]: Failed to link to module 'rlm_pap': Cannot open "/usr/local/lib/freeradius-3*/rlm_pap.so"
Does this happen during startup?
Yes this happens at startup and if/when i try to start radiusd manually. (Same thing happens with the freeradius plugin 1.9.13 as well.)
Doesnt happen on my side .. Screenshots please
Running a health audit would be beneficial to rule out local issues.
Cheers,
Franco
Quote from: mimugmail on June 21, 2021, 10:05:31 PM
Doesnt happen on my side .. Screenshots please
Strange thing is that the modules are there:
$ls /usr/local/lib/freeradius-3*/rlm_pap*
/usr/local/lib/freeradius-3.0.22/rlm_pap.a /usr/local/lib/freeradius-3.0.22/rlm_pap.so
/usr/local/lib/freeradius-3.0.22/rlm_pap.laAnd it was working great up to v21.1.6 this way.
Can you disable LDAP in General or do you really use it?
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.7_1 (amd64/LibreSSL) at Tue Jun 22 15:44:59 CEST 2021
>>> Check installed kernel version
Version 21.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***
Output of Health Audit... Seams to be ok
I have not enabled LDAP in my freeradius configuration but i see the same issue if i upgrade freeradius again...
(//)
Quote from: mimugmail on June 22, 2021, 12:57:14 PM
Can you disable LDAP in General or do you really use it?
On this instance i am really using LDAP but on an other one i don't and the result is the same (as @zeitlins also mentioned).
Health audit seems okay for me as well (sorry, i forgot to run it before):
***GOT REQUEST TO AUDIT HEALTH***
Currently running OPNsense 21.1.7_1 (amd64/LibreSSL) at Tue Jun 22 20:53:07 CEST 2021
>>> Check installed kernel version
Version 21.1.7 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.7 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages:
acme.sh-2.9.0: missing file /var/db/acme/.acme.sh/account.conf.sample
acme.sh-2.9.0: missing file /var/db/acme/.acme.sh/deploy
acme.sh-2.9.0: missing file /var/db/acme/.acme.sh/dnsapi
acme.sh-2.9.0: missing file /var/db/acme/.acme.sh/notify
Checking all packages............. done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done
***DONE***I tried other auth modules, and the really strange thing is that radiusd always errors out loading rlm_pap even if i switch to mschapv2 or tls!
Is it maybe LibreSSL related? I just noticed @zeitlins also uses that flavour.
Quote from: szty0pa on June 22, 2021, 09:07:27 PM
Is it maybe LibreSSL related? I just noticed @zeitlins also uses that flavour.
I have the same issue and I'm also using LibreSSL
Anyone able to switch to OpenSSL for testing?
Quote from: mimugmail on June 23, 2021, 08:07:58 PM
Anyone able to switch to OpenSSL for testing?
I have switched to OpenSSL and after the reboot everything (as far as I have checked) was working ok.
Regarding the pap issue, this is definitely gone and FreeRadius is able to start. So this really seems to be related to LibreSSL. Good catch.
Second big problem after OpenVPN :(
also switched to openssl - and the Updated Version Works...
I´ll stick with openssl for now... i´m happy to test on the next update to switch ssl versions again ;-)
I have NOT switched to openssl. The bug is still not closed. :'(
When will it be fixed? After upgrading to 21.7 I can't revert back to 21.1.6 any more.
( `opnsense-revert -r 21.1.6 freeradius3` )
Is there another quickfix besides switching to openssl??
Thanks.
There is none, its a problem of freeradius itself
Quote from: kollaesch on September 04, 2021, 05:35:46 PMI have NOT switched to openssl. The bug is still not closed. :'(
When will it be fixed?
Maybe never if users keep shouting in the wrong direction. It's a freeradius issue and some vendors are actively not supporting LibreSSL.
Cheers,
Franco
is this still an issue? I cant seem to be able to run freeradius on my OPNsense 21.7.5-amd64 install
No, yours is related to Jinja update introduced with 21.7.4
Quote from: mimugmail on November 15, 2021, 08:24:32 PM
No, yours is related to Jinja update introduced with 21.7.4
any fix for my issue?
Can you open an issue in GitHub please?
Just go to Services : Freeradius : EAP and hit Apply, will be fixed in next version too