freeradius does not start with DHCP enabled.

Started by tomcatxx, August 15, 2020, 09:32:42 PM

Hi to everybody,

I'm quite new to OPNsense and just got my setup of OPNsense 20.7-amd64 combined with an SG350X-24P working as a Layer 3 switch and some VLANs running.
The routing between the VLANs is all done by the switch. Network layout: see attachment.

Now I want to get the DHCP functionality running.
The goal is to set up OPNsense as DHCP for all VLANs. Well, after reading a lot I just ended up finding that it's not easily possible :(.
Then I found this: https://github.com/opnsense/plugins/issues/1105
I want to use freeradius to secure my IP camera VLAN, so running DHCP over it too would be great.
If I understand it right, this should be possible.
So I configured my switch for DHCP relay as described here: https://www.cisco.com/c/en/us/support/docs/smb/switches/cisco-small-business-300-series-managed-switches/smb1070-dhcp-relay-configuration-on-300-series-managed-switch.html and set up freeradius (see attachment). 192.168.10.2 is the IP of my LAN interface, connected to the switch with a Layer 3 port. The problem is now that freeradius does not start as soon as I activate DHCP. I don't understand why. The DHCPv4 server from OPNsense is disabled, btw.
Hope anyone can give me a hint what I'm doing wrong. The log file of freeradius is completely empty...


root@OPNsense:~ # radiusd -X
FreeRADIUS Version 3.0.21
Copyright (C) 1999-2019 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/local/share/freeradius/dictionary
including dictionary file /usr/local/share/freeradius/dictionary.dhcp
including dictionary file /usr/local/share/freeradius/dictionary.vqp
including dictionary file /usr/local/etc/raddb/dictionary
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/mods-enabled/
including configuration file /usr/local/etc/raddb/mods-enabled/attr_filter
including configuration file /usr/local/etc/raddb/mods-enabled/cache_eap
including configuration file /usr/local/etc/raddb/mods-enabled/chap
including configuration file /usr/local/etc/raddb/mods-enabled/date
including configuration file /usr/local/etc/raddb/mods-enabled/detail
including configuration file /usr/local/etc/raddb/mods-enabled/detail.log
including configuration file /usr/local/etc/raddb/mods-enabled/digest
including configuration file /usr/local/etc/raddb/mods-enabled/dynamic_clients
including configuration file /usr/local/etc/raddb/mods-enabled/eap
including configuration file /usr/local/etc/raddb/mods-enabled/echo
including configuration file /usr/local/etc/raddb/mods-enabled/exec
including configuration file /usr/local/etc/raddb/mods-enabled/expiration
including configuration file /usr/local/etc/raddb/mods-enabled/expr
including configuration file /usr/local/etc/raddb/mods-enabled/files
including configuration file /usr/local/etc/raddb/mods-enabled/linelog
including configuration file /usr/local/etc/raddb/mods-enabled/logintime
including configuration file /usr/local/etc/raddb/mods-enabled/mschap
including configuration file /usr/local/etc/raddb/mods-enabled/ntlm_auth
including configuration file /usr/local/etc/raddb/mods-enabled/pap
including configuration file /usr/local/etc/raddb/mods-enabled/passwd
including configuration file /usr/local/etc/raddb/mods-enabled/preprocess
including configuration file /usr/local/etc/raddb/mods-enabled/radutmp
including configuration file /usr/local/etc/raddb/mods-enabled/realm
including configuration file /usr/local/etc/raddb/mods-enabled/replicate
including configuration file /usr/local/etc/raddb/mods-enabled/soh
including configuration file /usr/local/etc/raddb/mods-enabled/sradutmp
including configuration file /usr/local/etc/raddb/mods-enabled/unix
including configuration file /usr/local/etc/raddb/mods-enabled/always
including configuration file /usr/local/etc/raddb/mods-enabled/unpack
including configuration file /usr/local/etc/raddb/mods-enabled/utf8
including configuration file /usr/local/etc/raddb/mods-enabled/counter
including configuration file /usr/local/etc/raddb/mods-enabled/dhcp_sqlippool
including configuration file /usr/local/etc/raddb/mods-config/sql/ippool-dhcp/mysql/queries.conf
/usr/local/etc/raddb/mods-enabled/dhcp_sqlippool[26]: Reference "${..pool_name}" not found
/usr/local/etc/raddb/mods-enabled/dhcp_sqlippool[30]: Reference "${..pool_name}" not found
/usr/local/etc/raddb/mods-enabled/dhcp_sqlippool[32]: Reference "${..pool_name}" not found
including configuration file /usr/local/etc/raddb/mods-enabled/ldap
including configuration file /usr/local/etc/raddb/mods-enabled/sql
including configuration file /usr/local/etc/raddb/mods-enabled/sqlippool
including files in directory /usr/local/etc/raddb/policy.d/
including configuration file /usr/local/etc/raddb/policy.d/accounting
including configuration file /usr/local/etc/raddb/policy.d/canonicalization
including configuration file /usr/local/etc/raddb/policy.d/control
including configuration file /usr/local/etc/raddb/policy.d/cui
including configuration file /usr/local/etc/raddb/policy.d/debug
including configuration file /usr/local/etc/raddb/policy.d/dhcp
including configuration file /usr/local/etc/raddb/policy.d/eap
including configuration file /usr/local/etc/raddb/policy.d/filter
including configuration file /usr/local/etc/raddb/policy.d/moonshot-targeted-ids
including configuration file /usr/local/etc/raddb/policy.d/operator-name
including configuration file /usr/local/etc/raddb/policy.d/rfc7542
including configuration file /usr/local/etc/raddb/policy.d/abfab-tr
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/default
including configuration file /usr/local/etc/raddb/sites-enabled/dhcp
/usr/local/etc/raddb/mods-enabled/dhcp_sqlippool[26]: Reference "${..pool_name}" not found
Errors reading or parsing /usr/local/etc/raddb/radiusd.conf
root@OPNsense:~ # cat /usr/local/etc/raddb/radiusd.conf

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir   = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${raddbdir}
# libdir ends with an asterisk since package maintainer always appends the current version number to the directory name.
libdir = /usr/local/lib/freeradius-3*
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no

log {
        destination = files
        colourise = yes
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = no
        msg_denied = "You are already logged in - access denied"
}

checkrad = ${sbindir}/checkrad

security {
        allow_core_dumps = no
        max_attributes = 200
        reject_delay = 1
        status_server = yes


}

proxy_requests  = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf

thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
        auto_limit_acct = no
}

modules {
        $INCLUDE mods-enabled/
}

instantiate {
}

policy {
        $INCLUDE policy.d/
}

$INCLUDE sites-enabled/
ty.
Btw, one question. I know it's off topic, but maybe you know and can answer.
Will it work to use RADIUS DHCP together with OpenVPN to connect my phones to my network from remote?

No, I don't think so. You can use CSC for specifying IPs to clients.



Seems to crash at startup while looking for the pool name. freeradius can work as a DHCP relay, or you need to set up config files for it to work, and you need to set it up with a SQL DB. The pool name it is looking for is the config for the DHCP pool.
I notice you have SQLite unchecked in your config?
See:
https://networkradius.com/doc/3.0.10/raddb/mods-available/sqlippool.html
ProtectLi FW6 | Intel i3-7100U CPU @ 2.40GHz (4 cores) | 8GB RAM | 120GB SSD
Prod Release Train.
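The "Reference not found" lines in the debug output come from radiusd's config variable expansion: `${name}` is looked up in the current section and then outward, while `${..name}` is anchored to the parent section, so it fails whenever the enclosing section does not define `pool_name`. The following is an added example, not code from the thread, OPNsense or FreeRADIUS: a toy parser for the `key = value` / `section { }` format with a resolver that reproduces the diagnostic on a constructed sample and shows it disappear once `pool_name` is defined where `..` points.

```python
import re
REF = re.compile(r"\$\{([^}]+)\}")              # ${...} references in values

def parse(text):
    """Parse `key = value`, `name { ... }` and `#` comments into nested dicts."""
    root = cur = {"__parent__": None}           # "__parent__" links upward
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                    # open a subsection
            cur[line[:-1].strip()] = sec = {"__parent__": cur}
            cur = sec
        elif line == "}":                         # close it
            cur = cur["__parent__"]
        elif line:                                # key = "value"
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return root

def resolve(section, ref):
    """Plain name: searched here then outward; `..name`: parent only (assumed radiusd rules)."""
    name = ref.lstrip(".")
    up = len(ref) - len(name)                     # ".." -> 2 -> one level up
    for _ in range(up - 1):                       # anchored lookup
        section = section and section["__parent__"]
    while not up and section and name not in section:   # plain: search outward
        section = section["__parent__"]
    value = section.get(name) if section else None
    return value if isinstance(value, str) else None

def check(section, path=""):
    """Return radiusd-style diagnostics for every ${...} that does not resolve."""
    errors = []
    for key, val in section.items():
        if isinstance(val, dict) and key != "__parent__":
            errors += check(val, f"{path}.{key.split()[-1]}".lstrip("."))
        elif isinstance(val, str):
            for ref in REF.findall(val):
                if resolve(section, ref) is None:
                    errors.append(f'{path}: Reference "${{{ref}}}" not found')
    return errors

# Constructed sample (not the poster's file): `..pool_name` needs pool_name on the parent section.
BROKEN = """modules {
    sqlippool dhcp_sqlippool {
        queries {
            find = "SELECT ip FROM dhcpippool WHERE pool = '${..pool_name}'"
        }
    }
}"""
FIXED = BROKEN.replace("dhcp_sqlippool {", 'dhcp_sqlippool {\n        pool_name = "dhcp"')
```

`check(parse(BROKEN))` yields one diagnostic naming `${..pool_name}`, and `check(parse(FIXED))` yields none; a missing value on the section the `..` points at is exactly the situation the thread's template error produces.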

No, there is an error in templating; it seems freeradius changed its syntax. Need more time ..


Hi, any update on this issue? Due to the new private address feature in iOS 14, I'd like to attribute an IP based on login (RADIUS DHCP). This will allow me to keep some fw rules based on specific IPs (e.g. block the internet access for my kids during certain periods of the day). With the new feature this becomes a nightmare as the MACs change every 24 hr ...
Any update much appreciated!!