Author Topic: FreeRadius: Client secret regression (Read 4692 times)

MartB · « **on:** July 29, 2021, 11:53:44 pm »

Hey there,

after switching to 21.7 my freeradius stopped working with the following message:

Error: /usr/local/etc/raddb/clients.conf[2]: secret must be at least 1 character long

This was caused by missing quotes around the secret and possibly due to my secret starting with #@.

We need to add the quotation signs around the secrets when writing the config to prevent this.

mimugmail · « **Reply #1 on:** July 30, 2021, 07:04:26 am »

Does it start without #@ in the secret?

mimugmail · « **Reply #2 on:** July 30, 2021, 07:06:53 am »

Only change in this release was that clients need to use IP/networks instead of hostname

MartB · « **Reply #3 on:** July 30, 2021, 12:07:59 pm »

Quote from: mimugmail on July 30, 2021, 07:04:26 am

Does it start without #@ in the secret?

Yes it does, adding it back is making it fail again.
Might be some dependency or os package change?

mimugmail · « **Reply #4 on:** July 30, 2021, 12:54:51 pm »

What was the last known working version?

MartB · « **Reply #5 on:** July 30, 2021, 01:20:52 pm »

RC2 must have worked, i should have noticed otherwise.
I can help find the exact cause for this in 6 hours if needed.

mimugmail · « **Reply #6 on:** July 30, 2021, 02:07:10 pm »

Freeradius was updated from 3.0.22 to 3.0.23 and plugin from 1.9.14 to 1.9.15.

First testen:

opnsense-revert -r 21.7.r1 freeradius3

If you still have the error:

opnsense-revert -r 21.7.r1 os-freeradius

franco · « **Reply #7 on:** July 30, 2021, 02:13:34 pm »

If Jinja2 templates are involved this might be a side effect of Python 3.8 upgrade?

Cheers,
Franco

mimugmail · « **Reply #8 on:** July 30, 2021, 03:00:36 pm »

Templating is correct, but Freeradius seems to interpret is as a commect (leading hash) since 3.0.23

franco · « **Reply #9 on:** July 30, 2021, 03:09:58 pm »

err ok

mimugmail · « **Reply #10 on:** July 30, 2021, 03:11:59 pm »

I'm unsure if FR intepretes " " as part of the string or not, maybe someone can verify it.

MartB · « **Reply #11 on:** July 30, 2021, 06:23:59 pm »

It does not thats what i did to fix it. Thanks for your research, just putting the quotes around would be enough to fix it.

Edit:
The 3.0.22 revert also works

mimugmail · « **Reply #12 on:** July 30, 2021, 07:48:20 pm »

Quote from: MartB on July 30, 2021, 06:23:59 pm

It does not thats what i did to fix it. Thanks for your research, just putting the quotes around would be enough to fix it

Would? Or did you test it?

MartB · « **Reply #13 on:** July 30, 2021, 08:34:28 pm »

As i said in my first post, yes it does fix it.

soernt.poppe · « **Reply #14 on:** October 30, 2021, 04:56:16 pm »

Hi there,

I had this issue and updated the secrets to be inclosed in "".

I just update to version 21.7.4 and get once again the message
Error: /usr/local/etc/raddb/clients.conf[2]: secret must be at least 1 character long

The secrets are still in inclosed with "". I remove the "" and still get the same error.

What do I need to do here?

Author Topic: FreeRadius: Client secret regression (Read 4692 times)

MartB

FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

MartB

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

MartB

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

franco

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

franco

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

MartB

Re: FreeRadius: Client secret regression

mimugmail

Re: FreeRadius: Client secret regression

MartB

Re: FreeRadius: Client secret regression

soernt.poppe

Re: FreeRadius: Client secret regression