Text only | Text with Images

OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: MartB on July 29, 2021, 11:53:44 PM

Title: FreeRadius: Client secret regression
Post by: MartB on July 29, 2021, 11:53:44 PM
Hey there,

after switching to 21.7 my freeradius stopped working with the following message:

Error: /usr/local/etc/raddb/clients.conf[2]: secret must be at least 1 character long

This was caused by missing quotes around the secret and possibly due to my secret starting with #@.

We need to add the quotation signs around the secrets when writing the config to prevent this.
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 07:04:26 AM
Does it start without #@ in the secret?
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 07:06:53 AM
Only change in this release was that clients need to use IP/networks instead of hostname
Title: Re: FreeRadius: Client secret regression
Post by: MartB on July 30, 2021, 12:07:59 PM
Quote from: mimugmail on July 30, 2021, 07:04:26 AM
Does it start without #@ in the secret?

Yes it does, adding it back is making it fail again.
Might be some dependency or os package change?
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 12:54:51 PM
What was the last known working version?
Title: Re: FreeRadius: Client secret regression
Post by: MartB on July 30, 2021, 01:20:52 PM
RC2 must have worked, i should have noticed otherwise.
I can help find the exact cause for this in 6 hours if needed.
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 02:07:10 PM
Freeradius was updated from 3.0.22 to 3.0.23 and plugin from 1.9.14 to 1.9.15.

First testen:

opnsense-revert -r 21.7.r1 freeradius3

If you still have the error:

opnsense-revert -r 21.7.r1 os-freeradius
Title: Re: FreeRadius: Client secret regression
Post by: franco on July 30, 2021, 02:13:34 PM
If Jinja2 templates are involved this might be a side effect of Python 3.8 upgrade?


Cheers,
Franco
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 03:00:36 PM
Templating is correct, but Freeradius seems to interpret is as a commect (leading hash) since 3.0.23
Title: Re: FreeRadius: Client secret regression
Post by: franco on July 30, 2021, 03:09:58 PM
err ok  ;D
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 03:11:59 PM
I'm unsure if FR intepretes " " as part of the string or not, maybe someone can verify it.
Title: Re: FreeRadius: Client secret regression
Post by: MartB on July 30, 2021, 06:23:59 PM
It does not thats what i did to fix it. Thanks for your research, just putting the quotes around would be enough to fix it.

Edit:
The 3.0.22 revert also works
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on July 30, 2021, 07:48:20 PM
Quote from: MartB on July 30, 2021, 06:23:59 PM
It does not thats what i did to fix it. Thanks for your research, just putting the quotes around would be enough to fix it

Would? Or did you test it?
Title: Re: FreeRadius: Client secret regression
Post by: MartB on July 30, 2021, 08:34:28 PM
As i said in my first post, yes it does fix it.
Title: Re: FreeRadius: Client secret regression
Post by: soernt.poppe on October 30, 2021, 04:56:16 PM
Hi there,

I had this issue and updated the secrets to be inclosed in "".

I just update to version 21.7.4 and get once again the message
Error: /usr/local/etc/raddb/clients.conf[2]: secret must be at least 1 character long

The secrets are still in inclosed with "". I remove the "" and still get the same error.

What do I need to do here?
Title: Re: FreeRadius: Client secret regression
Post by: mimugmail on October 31, 2021, 07:00:46 AM
Shouldnt this already been fixed?
Text only | Text with Images