freeradius3-default: radiusd does not start #23188

Open
odi79 opened this issue Jan 29, 2024 · 25 comments
@odi79

odi79 commented Jan 29, 2024

Maintainer: none?
Environment: tested with openwrt-23.05.2-x86-64-generic (and also with ath79-generic-glinet_gl-ar750)

Description:
radiusd fails to start after installing the basic freeradius3 packages using "opkg install freeradius3-default".
Back in October 2023 (at times of openwrt-23.05.0-rc4), everything was working.

Currently the following steps/workarounds are needed to get started:

1)

opkg install libopenssl-legacy

to avoid

# radiusd -X
[...]
(TLS) Failed loading legacy provider

This is issue #21428.

2)
Comment out some lines in /etc/freeradius3/sites-available/default (e.g. by using sed -i '/^\tif (EAP-Key-Name/,+4 s/^/#/' /etc/freeradius3/sites-available/default)

1054,1058c1054,1058
<       if (EAP-Key-Name && &reply:EAP-Session-Id) {
<               update reply {
<                       &EAP-Key-Name := &reply:EAP-Session-Id
<               }
<       }
---
> #     if (EAP-Key-Name && &reply:EAP-Session-Id) {
> #             update reply {
> #                     &EAP-Key-Name := &reply:EAP-Session-Id
> #             }
> #     }
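Review bot: commenting out lines 1054-1058 drops the `&EAP-Key-Name := &reply:EAP-Session-Id` update entirely, so the reply no longer gets EAP-Key-Name even when EAP-Session-Id is present. That silences the parser without addressing why the bare name `EAP-Key-Name` at the start of the condition is rejected. I would keep the block and fix whatever makes that name unknown to the parser; if a temporary workaround has to ship, add a comment next to the disabled lines saying so.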

to avoid

# radiusd -X
[...]
/etc/freeradius3/sites-enabled/default[1054]: Parse error in condition
/etc/freeradius3/sites-enabled/default[1054]: (EAP-Key-Name && &reply:EAP-Session-Id) {
/etc/freeradius3/sites-enabled/default[1054]:  ^ Expected a module return code
Errors reading or parsing /etc/freeradius3/radiusd.conf

Note that this is just a quick workaround to get rid of the message and not a solution. What is the root cause of this error?

3)
Add missing file /etc/freeradius3/mods-config/attr_filter/coa to avoid

# radiusd -X
[...]
reading pairlist file /etc/freeradius3/mods-config/attr_filter/coa
Couldn't open /etc/freeradius3/mods-config/attr_filter/coa for reading: No such file or directory
Errors reading /etc/freeradius3/mods-config/attr_filter/coa
/etc/freeradius3/mods-enabled/attr_filter[58]: Instantiation failed for module "attr_filter.coa"

This was already fixed by @predators46 in repository (master branch) with 104098c but is not yet available in the downloadable package.

With 1) to 3), radiusd -X starts again.

I don't know whether it is related, but freeradius3 issues started for me with https://forum.openwrt.org/t/freeradius3-packages-missing/176271/2 caused by #22006 and further tracked in #22532. However, #22670/ #22666 made the package compile/build again.
Currently issue #22576 is still open. It might improve something...?

In my opinion, "freeradius3" is a pretty basic package and should work properly out-of-the-box in the currently released OpenWrt version. It is unfortunate that it has not worked for weeks now. Happy for everybody who can help fix it!

@brada4

brada4 commented Jan 30, 2024

PCRE issues are not related, now it is built against libc RE support.

@odi79
Author

odi79 commented Feb 5, 2024

Note that the file /etc/freeradius3/sites-available/default is the same on Alpine Linux and does not yield any errors there. Thus the root cause of 2) is somewhere else.

@morales-alex

Thanks, @odi79, for your helpful post: I can't reach to fix the third issue. Do I need to download the version which has that commit version you said?

@odi79
Author

odi79 commented Mar 20, 2024

Glad that I'm not the only one attempting to get freeradius working under OpenWrt, @morales-alex .

The missing file /etc/freeradius3/mods-config/attr_filter/coa is taken from upstream https://github.com/FreeRADIUS/freeradius-server/releases/ by the OpenWrt Makefile (net/freeradius3/Makefile). For convenience, here is the content:

#
#	Configuration file for the rlm_attr_filter module.
#	Please see rlm_attr_filter(5) manpage for more information.
#
#	$Id: 89cea2ea97dea10b82a8146cfeeeb1d7dd33b2f8 $
#
#	This configuration file is used to remove attributes From an
#	CoA-Request or Disconnect-Request message.  We have specified
#	a sample list here.  This will have to be modified to add
#	attributes needed by your local configuration.
#
DEFAULT
	User-Name =* ANY,
	NAS-IP-Address =* ANY,
	NAS-IPv6-Address =* ANY,
	NAS-Port =* ANY,
	NAS-Identifier =* ANY,
	NAS-Port-Type =* ANY,
	Calling-Station-Id =* ANY,
	State =* ANY,
	Message-Authenticator =* ANY,
	Proxy-State =* ANY

Does anybody know the root cause of the second issue and can fix it? The content of /etc/freeradius3/sites-available/default is working on Alpine Linux but yields the mentioned parse error on OpenWrt...

@odi79
Author

odi79 commented Mar 27, 2024

Situation unchanged with OpenWrt 23.05.3 :-(

@trippleflux

trippleflux commented Mar 28, 2024

Found what is most probably the solution to the second issue:

--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -705,7 +705,7 @@
 			#  deleted by the server when the command
 			#  returns.
 			#
-		#	client = "/path/to/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
+		#	client = "/usr/bin/openssl verify -CApath ${..ca_path} %{TLS-Client-Cert-Filename}"
 		}
 
 		#  OCSP Configuration
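Review bot: the `client = ...` line at 708 begins with `#` on both the removed and the added side, so this hunk only rewrites a comment and leaves the effective configuration unchanged. If the aim is to enable the external verify command, the line has to be uncommented as well; if the aim is only to correct the example path, say so in the description, because a comment-only change cannot be what resolves a parse error in sites-enabled/default.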

or edit /etc/freeradius3/mods-available/eap on running OpenWrt. This was found after digging through the Alpine Linux freeradius package; not really sure why the commented "client" variable is still being evaluated by freeradius. On a short test, no more error with the second issue.

[EDIT]
Not sure if my posted one is the right fix, as it seems freeradius is caching the default config elsewhere; on an additional test, after editing "client" to a non-existent openssl binary path, "radiusd -X" is also still able to run.

@odi79
Author

odi79 commented May 8, 2024

Thanks for looking into it @trippleflux and posting your findings!
Can anybody confirm that the posted config change works to get rid of the second issue? Unfortunately, it does not work for me.

@trippleflux

@odi79
Forgot to mention that I am also using this version bump PR. Also, I don't know how to test freeradius3 functionality-wise; my test was only running the radiusd binary until it reached "Ready to process requests".

@sqrammi

sqrammi commented Jun 7, 2024

Found out why the first parsing error occurs. The rfc4072 is incorrectly not included in the release.

@@ -536,6 +537,7 @@ PKG_DICTIONARIES:= \
        compat \
        freeradius freeradius.internal \
        rfc2865 rfc2866 rfc2867 rfc2868 rfc2869 rfc3162 rfc3576 rfc3580 \
+       rfc4072 \
        rfc4372 rfc4675 rfc4679 rfc5580\
        microsoft \
        wispr \
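Review bot: this hunk has no `---`/`+++` file header, and its `-536,6 +537,7` offsets show that an earlier hunk adding one line was cut off, so it cannot be applied as posted. Please post the complete diff with file headers, and state in the description what `rfc4072` provides that the default site needs, so the dictionary is not dropped again in a later cleanup of `PKG_DICTIONARIES`.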

@Neustradamus

Have you progressed on this ticket?

@odi79
Author

odi79 commented Oct 26, 2024

> Have you progressed on this ticket?

When downloading a current OpenWRT 23.05.5 and installing freeradius3-default on it, one still faces the same issues as at the beginning of this year. However, I hope that we now collected all needed steps/resolutions in this ticket to allow one of the maintainers/developers to fix the issues.

Does anybody know who this ticket should be assigned to?

@qzhwang

qzhwang commented Nov 16, 2024

Same issue. Can we bump this up? Been a while.

@qzhwang

qzhwang commented Nov 16, 2024

@sqrammi Can we have an updated version that includes that RFC? Or is there a way to build it by ourselves, with complete details on how to build one? Thanks!

@sqrammi

sqrammi commented Nov 16, 2024

@qzhwang Here is a better-formatted patch. You patch the freeradius Makefile, like this:

--- a/net/freeradius3/Makefile
+++ b/net/freeradius3/Makefile
@@ -131,6 +131,7 @@ define Package/freeradius3-mod-attr-filter/conffiles
 /etc/freeradius3/mods-config/attr_filter/access_challenge
 /etc/freeradius3/mods-config/attr_filter/access_reject
 /etc/freeradius3/mods-config/attr_filter/accounting_response
+/etc/freeradius3/mods-config/attr_filter/coa
 /etc/freeradius3/mods-config/attr_filter/post-proxy
 /etc/freeradius3/mods-config/attr_filter/pre-proxy
 endef
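Review bot: the added `/etc/freeradius3/mods-config/attr_filter/coa` line sits in the `conffiles` define, which only marks the path as a configuration file; nothing in this hunk installs it. Confirm that the package's install section also copies `attr_filter/coa`, otherwise the conffiles entry names a file the package does not ship.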
@@ -536,6 +537,7 @@ PKG_DICTIONARIES:= \
        compat \
        freeradius freeradius.internal \
        rfc2865 rfc2866 rfc2867 rfc2868 rfc2869 rfc3162 rfc3576 rfc3580 \
+       rfc4072 \
        rfc4372 rfc4675 rfc4679 rfc5580\
        microsoft \
        wispr \
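Review bot: adding `rfc4072` to `PKG_DICTIONARIES` changes the package contents, but no `PKG_RELEASE` bump appears anywhere in this patch, so already-installed systems would have no newer version to upgrade to. Add the bump in the same commit. Separately, the context line `rfc4372 rfc4675 rfc4679 rfc5580\` has no space before the continuation backslash, unlike its neighbours; worth tidying while this list is being touched.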

@qzhwang

qzhwang commented Nov 17, 2024

Thanks @sqrammi for the diff! But I've been kinda trying not to build it myself. I mean if the build is broken 'coz of this, can we patch the Makefile and create a new package that can be installed by opkg?

@sqrammi

sqrammi commented Nov 18, 2024

@qzhwang I'm not involved with the openwrt build boxes. You would need to provide this as a patch and PR for the openwrt team to accept into their mainline code, and then eventually the default packages from openwrt would work, once they build packages based on the changes.
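
A pre-flight check for the two packaging gaps this thread identifies (the missing attr_filter/coa pairlist and the dictionary that should define EAP-Key-Name), as an added example that is not code from OpenWrt, FreeRADIUS or any commenter. The function names, the constructed sample tree and the `if (`-condition heuristic are assumptions for illustration; it assumes dictionaries use `ATTRIBUTE <name> ...` lines and that each attr_filter instance reads `mods-config/attr_filter/<last path component of its filename setting>`.

```shell
#!/bin/sh
# Added example: static check of a FreeRADIUS 3 config tree before running radiusd -X.

# Module return codes, as listed by the rlm_always instances in this thread's debug output.
RCODES="reject fail ok handled invalid userlock notfound noop updated"

# attr_defined NAME DICT_DIR: succeeds if any dictionary file defines NAME.
attr_defined() {
    grep -qsE "^ATTRIBUTE[[:space:]]+$1[[:space:]]" "$2"/dictionary*
}

# missing_filter_files CONF_DIR: print each pairlist that mods-enabled/attr_filter
# references but mods-config/attr_filter does not contain.
missing_filter_files() {
    mod="$1/mods-enabled/attr_filter"
    [ -f "$mod" ] || return 0
    sed -n '/^[[:space:]]*filename[[:space:]]*=/{
        s/^[^=]*=[[:space:]]*//
        s/[[:space:]]*$//
        s/"//g
        p
    }' "$mod" |
    while IFS= read -r value; do
        name=${value##*/}    # works for expanded paths and ${modconfdir}/... forms
        [ -f "$1/mods-config/attr_filter/$name" ] ||
            echo "missing pairlist: $1/mods-config/attr_filter/$name"
    done
}

# undefined_condition_attrs SITE_FILE DICT_DIR: a bare first word in an active
# (uncommented) if/elsif condition must be a return code or a dictionary attribute.
# Heuristic only: list-qualified names (reply:Foo) and nested parentheses are skipped.
undefined_condition_attrs() {
    [ -f "$1" ] || return 0
    sed -nE 's/^[[:space:]]*(if|elsif)[[:space:]]*\(!*&?([A-Za-z][A-Za-z0-9-]*)([^:A-Za-z0-9-].*|$)/\2/p' "$1" |
    sort -u |
    while IFS= read -r name; do
        case " $RCODES " in *" $name "*) continue ;; esac
        attr_defined "$name" "$2" ||
            echo "undefined attribute in condition: $name ($1)"
    done
}

# check_radius_tree CONF_DIR DICT_DIR: print findings; return 1 if there are any.
check_radius_tree() {
    findings=$(missing_filter_files "$1"
               undefined_condition_attrs "$1/sites-enabled/default" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree ROOT: constructed tree reproducing both gaps (not real package files).
make_sample_tree() {
    mkdir -p "$1/etc/mods-enabled" "$1/etc/mods-config/attr_filter" \
             "$1/etc/sites-enabled" "$1/share"
    cat > "$1/etc/mods-enabled/attr_filter" <<'EOF'
attr_filter attr_filter.access_reject {
	key = "%{User-Name}"
	filename = ${modconfdir}/${.:name}/access_reject
}
attr_filter attr_filter.coa {
	key = "%{User-Name}"
	filename = ${modconfdir}/${.:name}/coa
}
EOF
    : > "$1/etc/mods-config/attr_filter/access_reject"
    cat > "$1/etc/sites-enabled/default" <<'EOF'
	if (EAP-Key-Name && &reply:EAP-Session-Id) {
		update reply {
			&EAP-Key-Name := &reply:EAP-Session-Id
		}
	}
	if (!ok) {
	}
EOF
    printf 'ATTRIBUTE\tUser-Name\t1\tstring\n' > "$1/share/dictionary.rfc2865"
}

# Demo on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
check_radius_tree "$demo_root/etc" "$demo_root/share" ||
    echo "fix the findings above before starting radiusd"
rm -rf "$demo_root"
```

On a real system the two arguments would be the configuration and dictionary directories shown in the debug output in this thread (/etc/freeradius3 and /usr/share/freeradius3).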

@qzhwang

qzhwang commented Nov 19, 2024

@sqrammi ohh, I see. Thought you were a maintainer. Never mind. Thanks for the help anyways!

@Neustradamus

Dear @LucileQ, @dangowrt, @tohojo, @champtar, @hauke, @cotequeiroz, @Robby-, @yangfl, @audricschiltknecht, @ja-pa, @jefferyto, @uedvt359, @hnyman, @ematsu, @odmdas, @neheb, @zhaojh329, @crza, @predators46, @esaaprillia,

You have contributed in the past about freeradius in OpenWrt, can you look at this ticket?

Thanks in advance.

@uedvt359
Contributor

uedvt359 commented Nov 19, 2024 via email

@predators46
Contributor

@Neustradamus

as explained above overcomes this problem. I have quickly tried radiusd -X and everything works as desired. I have added the perl module to freeradius

root@OpenWrt:/etc/freeradius3# radiusd -X
FreeRADIUS Version 3.2.6
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
including dictionary file /usr/share/freeradius3/dictionary
including dictionary file /etc/freeradius3/dictionary
including configuration file /etc/freeradius3/radiusd.conf
including configuration file /etc/freeradius3/proxy.conf
including configuration file /etc/freeradius3/clients.conf
including files in directory /etc/freeradius3/mods-enabled/
including configuration file /etc/freeradius3/mods-enabled/always
including configuration file /etc/freeradius3/mods-enabled/attr_filter
including configuration file /etc/freeradius3/mods-enabled/chap
including configuration file /etc/freeradius3/mods-enabled/detail
including configuration file /etc/freeradius3/mods-enabled/digest
including configuration file /etc/freeradius3/mods-enabled/eap
including configuration file /etc/freeradius3/mods-enabled/mschap
including configuration file /etc/freeradius3/mods-enabled/exec
including configuration file /etc/freeradius3/mods-enabled/expiration
including configuration file /etc/freeradius3/mods-enabled/expr
including configuration file /etc/freeradius3/mods-enabled/files
including configuration file /etc/freeradius3/mods-enabled/logintime
including configuration file /etc/freeradius3/mods-enabled/pap
including configuration file /etc/freeradius3/mods-enabled/preprocess
including configuration file /etc/freeradius3/mods-enabled/radutmp
including configuration file /etc/freeradius3/mods-enabled/sradutmp
including configuration file /etc/freeradius3/mods-enabled/realm
including configuration file /etc/freeradius3/mods-enabled/unix
including configuration file /etc/freeradius3/mods-enabled/passwd
including configuration file /etc/freeradius3/mods-enabled/perl
including files in directory /etc/freeradius3/policy.d/
including configuration file /etc/freeradius3/policy.d/accounting
including configuration file /etc/freeradius3/policy.d/filter
including configuration file /etc/freeradius3/policy.d/eap
including files in directory /etc/freeradius3/sites-enabled/
including configuration file /etc/freeradius3/sites-enabled/default
including configuration file /etc/freeradius3/sites-enabled/inner-tunnel
main {
 security {
        allow_core_dumps = no
 }
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log"
        run_dir = "/var/run/radiusd"
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib/freeradius3"
        radacctdir = "/var/db/radacct"
        hostname_lookups = no
        max_request_time = 30
        proxy_dedup_window = 1
        cleanup_delay = 5
        max_requests = 16384
        max_fds = 512
        postauth_client_lost = no
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        colourise = yes
        msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
        max_attributes = 200
        reject_delay = 1.000000
        status_server = yes
        require_message_authenticator = "auto"
        limit_proxy_state = "auto"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 home_server localhost {
        nonblock = no
        ipaddr = 127.0.0.1
        port = 1812
        type = "auth"
        secret = <<< secret >>>
        response_window = 20.000000
        response_timeouts = 1
        max_outstanding = 65536
        zombie_period = 40
        status_check = "status-server"
        ping_interval = 30
        check_interval = 30
        check_timeout = 4
        num_answers_to_alive = 3
        revive_interval = 120
  limit {
        max_connections = 16
        max_requests = 0
        lifetime = 0
        idle_timeout = 0
  }
  coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
  }
 }
 home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
 }
 realm example.com {
        auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: #### Loading Clients ####
 client localhost {
        ipaddr = 127.0.0.1
        secret = <<< secret >>>
        nas_type = "other"
        proto = "*"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
Shared secret for client localhost is short, and likely can be broken by an attacker.
 client localhost_ipv6 {
        ipv6addr = ::1
        secret = <<< secret >>>
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
Shared secret for client localhost_ipv6 is short, and likely can be broken by an attacker.
Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = digest
 # Creating Auth-Type = eap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = CHAP
 # Creating Auth-Type = MS-CHAP
 # Creating Autz-Type = New-TLS-Connection
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/freeradius3/mods-enabled/always
  always reject {
        rcode = "reject"
        simulcount = 0
        mpp = no
  }
  # Loading module "fail" from file /etc/freeradius3/mods-enabled/always
  always fail {
        rcode = "fail"
        simulcount = 0
        mpp = no
  }
  # Loading module "ok" from file /etc/freeradius3/mods-enabled/always
  always ok {
        rcode = "ok"
        simulcount = 0
        mpp = no
  }
  # Loading module "handled" from file /etc/freeradius3/mods-enabled/always
  always handled {
        rcode = "handled"
        simulcount = 0
        mpp = no
  }
  # Loading module "invalid" from file /etc/freeradius3/mods-enabled/always
  always invalid {
        rcode = "invalid"
        simulcount = 0
        mpp = no
  }
  # Loading module "userlock" from file /etc/freeradius3/mods-enabled/always
  always userlock {
        rcode = "userlock"
        simulcount = 0
        mpp = no
  }
  # Loading module "notfound" from file /etc/freeradius3/mods-enabled/always
  always notfound {
        rcode = "notfound"
        simulcount = 0
        mpp = no
  }
  # Loading module "noop" from file /etc/freeradius3/mods-enabled/always
  always noop {
        rcode = "noop"
        simulcount = 0
        mpp = no
  }
  # Loading module "updated" from file /etc/freeradius3/mods-enabled/always
  always updated {
        rcode = "updated"
        simulcount = 0
        mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
        filename = "/etc/freeradius3/mods-config/attr_filter/post-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
        filename = "/etc/freeradius3/mods-config/attr_filter/pre-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
        filename = "/etc/freeradius3/mods-config/attr_filter/access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
        filename = "/etc/freeradius3/mods-config/attr_filter/access_challenge"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
        filename = "/etc/freeradius3/mods-config/attr_filter/accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.coa" from file /etc/freeradius3/mods-enabled/attr_filter
  attr_filter attr_filter.coa {
        filename = "/etc/freeradius3/mods-config/attr_filter/coa"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loaded module rlm_chap
  # Loading module "chap" from file /etc/freeradius3/mods-enabled/chap
  # Loaded module rlm_detail
  # Loading module "detail" from file /etc/freeradius3/mods-enabled/detail
  detail {
        filename = "/var/db/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
        header = "%t"
        permissions = 384
        locking = no
        dates_as_integer = no
        escape_filenames = no
        log_packet_header = no
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/freeradius3/mods-enabled/digest
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/freeradius3/mods-enabled/eap
  eap {
        default_eap_type = "md5"
        timer_expire = 60
        max_eap_type = 52
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 16384
        dedup_key = ""
  }
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/freeradius3/mods-enabled/mschap
  mschap {
        use_mppe = yes
        require_encryption = no
        require_strong = no
        with_ntdomain_hack = yes
   passchange {
   }
        allow_retry = yes
        winbind_retry_with_normalised_username = no
  }
  # Loaded module rlm_exec
  # Loading module "exec" from file /etc/freeradius3/mods-enabled/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/freeradius3/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/freeradius3/mods-enabled/expr
  expr {
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/freeradius3/mods-enabled/files
  files {
        filename = "/etc/freeradius3/mods-config/files/authorize"
        acctusersfile = "/etc/freeradius3/mods-config/files/accounting"
        preproxy_usersfile = "/etc/freeradius3/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/freeradius3/mods-enabled/logintime
  logintime {
        minimum_timeout = 60
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/freeradius3/mods-enabled/pap
  pap {
        normalise = yes
  }
  # Loaded module rlm_preprocess
  # Loading module "preprocess" from file /etc/freeradius3/mods-enabled/preprocess
  preprocess {
        huntgroups = "/etc/freeradius3/mods-config/preprocess/huntgroups"
        hints = "/etc/freeradius3/mods-config/preprocess/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
  }
  # Loaded module rlm_radutmp
  # Loading module "radutmp" from file /etc/freeradius3/mods-enabled/radutmp
  radutmp {
        filename = "/var/log/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 384
        caller_id = yes
  }
  # Loading module "sradutmp" from file /etc/freeradius3/mods-enabled/sradutmp
  radutmp sradutmp {
        filename = "/var/log/sradutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 420
        caller_id = no
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/freeradius3/mods-enabled/realm
  realm IPASS {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "suffix" from file /etc/freeradius3/mods-enabled/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "bangpath" from file /etc/freeradius3/mods-enabled/realm
  realm bangpath {
        format = "prefix"
        delimiter = "!"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "realmpercent" from file /etc/freeradius3/mods-enabled/realm
  realm realmpercent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
  }
  # Loading module "ntdomain" from file /etc/freeradius3/mods-enabled/realm
  realm ntdomain {
        format = "prefix"
        delimiter = "\"
        ignore_default = no
        ignore_null = no
  }
  # Loaded module rlm_unix
  # Loading module "unix" from file /etc/freeradius3/mods-enabled/unix
  unix {
        radwtmp = "/var/log/radwtmp"
  }
Creating attribute Unix-Group
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/freeradius3/mods-enabled/passwd
  passwd etc_passwd {
        filename = "/etc/passwd"
        format = "*User-Name:Crypt-Password:"
        delimiter = ":"
        ignore_nislike = no
        ignore_empty = yes
        allow_multiple_keys = no
        hash_size = 100
  }
  # Loaded module rlm_perl
  # Loading module "perl" from file /etc/freeradius3/mods-enabled/perl
  perl {
        filename = "/etc/freeradius3/mods-config/perl/example.pl"
        func_authorize = "authorize"
        func_authenticate = "authenticate"
        func_post_auth = "post_auth"
        func_accounting = "accounting"
        func_preacct = "preacct"
        func_checksimul = "checksimul"
        func_detach = "detach"
        func_xlat = "xlat"
        func_pre_proxy = "pre_proxy"
        func_post_proxy = "post_proxy"
        func_recv_coa = "recv_coa"
        func_send_coa = "send_coa"
        perl_flags = "-T"
  }
Perl version: 5.40.0
  instantiate {
  }
  # Instantiating module "reject" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "fail" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "ok" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "handled" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "invalid" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "userlock" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "notfound" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "noop" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "updated" from file /etc/freeradius3/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/access_reject
  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/accounting_response
  # Instantiating module "attr_filter.coa" from file /etc/freeradius3/mods-enabled/attr_filter
reading pairlist file /etc/freeradius3/mods-config/attr_filter/coa
  # Instantiating module "detail" from file /etc/freeradius3/mods-enabled/detail
  # Instantiating module "eap" from file /etc/freeradius3/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_tls
   tls {
        tls = "tls-common"
   }
   tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/freeradius3/certs"
        pem_file_type = yes
        private_key_file = "/etc/freeradius3/certs/server.pem"
        certificate_file = "/etc/freeradius3/certs/server.pem"
        ca_file = "/etc/freeradius3/certs/ca.pem"
        private_key_password = <<< secret >>>
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = no
        check_all_crl = no
        ca_path_reload_interval = 0
        cipher_list = "DEFAULT"
        cipher_server_preference = no
        reject_unknown_intermediate_ca = no
        ecdh_curve = ""
        tls_max_version = "1.2"
        tls_min_version = "1.2"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = yes
        url = "http://127.0.0.1/ocsp/"
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
        tls = "tls-common"
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_peap
   peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = no
   }
  # Instantiating module "mschap" from file /etc/freeradius3/mods-enabled/mschap
rlm_mschap (mschap): using internal authentication
  # Instantiating module "expiration" from file /etc/freeradius3/mods-enabled/expiration
  # Instantiating module "files" from file /etc/freeradius3/mods-enabled/files
reading pairlist file /etc/freeradius3/mods-config/files/authorize
reading pairlist file /etc/freeradius3/mods-config/files/accounting
reading pairlist file /etc/freeradius3/mods-config/files/pre-proxy
  # Instantiating module "logintime" from file /etc/freeradius3/mods-enabled/logintime
  # Instantiating module "pap" from file /etc/freeradius3/mods-enabled/pap
  # Instantiating module "preprocess" from file /etc/freeradius3/mods-enabled/preprocess
reading pairlist file /etc/freeradius3/mods-config/preprocess/huntgroups
reading pairlist file /etc/freeradius3/mods-config/preprocess/hints
  # Instantiating module "IPASS" from file /etc/freeradius3/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/freeradius3/mods-enabled/realm
  # Instantiating module "bangpath" from file /etc/freeradius3/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/freeradius3/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/freeradius3/mods-enabled/realm
  # Instantiating module "etc_passwd" from file /etc/freeradius3/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "perl" from file /etc/freeradius3/mods-enabled/perl
 } # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius3/radiusd.conf
} # server
server default { # from file /etc/freeradius3/sites-enabled/default
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
Compiling Autz-Type New-TLS-Connection for attr Autz-Type
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
Compiling Post-Auth-Type Challenge for attr Post-Auth-Type
Compiling Post-Auth-Type Client-Lost for attr Post-Auth-Type
} # server default
server inner-tunnel { # from file /etc/freeradius3/sites-enabled/inner-tunnel
 # Loading authenticate {...}
Compiling Auth-Type PAP for attr Auth-Type
Compiling Auth-Type CHAP for attr Auth-Type
Compiling Auth-Type MS-CHAP for attr Auth-Type
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius3/sites-enabled/inner-tunnel:366
Compiling Post-Auth-Type REJECT for attr Post-Auth-Type
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "acct"
        ipaddr = *
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "auth"
        ipv6addr = ::
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "acct"
        ipv6addr = ::
        port = 0
   limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
   }
}
listen {
        type = "auth"
        ipaddr = 127.0.0.1
        port = 18120
}
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 56717
Listening on proxy address :: port 52916
Ready to process requests

@qzhwang

qzhwang commented Nov 20, 2024

@predators46 Could you help post some details on how you get 3.2.6 working on OpenWrt? I'm only getting 3.0.26 from openwrt-23.05.5. Also tried to compile it from the source but could even get the build tools to work properly on openwrt. Some more details would be much appreciated! Thanks!

PS, not sure how this is related to Perl...

@predators46
Contributor

@qzhwang

If you use OpenWRT version 21 you don't need libopenssl-legacy.

but if you use openwrt version 23 you need libopenssl-legacy.

but if you want to use pcre in freeradius you can build it in openwrt version 21 and don't need libopenssl-legacy.

If you want to use pcre2 in freeradius you need to wait for freeradius4 to be released in the stable branch

how to test freeradius3 is running as desired you need to install freeradius3-default and use the radiusd -X command in terminal/putty

notes :

perl has nothing to do with this problem

@qzhwang

qzhwang commented Nov 20, 2024

Thanks @predators46 . I just installed libopenssl-legacy and libpcre, since I'm on openwrt 23. radiusd -X still generates the same error as the original poster had. (I removed and re-installed freeradius3-default.) :-/

@qzhwang

qzhwang commented Nov 20, 2024

Again, I'm getting FreeRADIUS Version 3.0.26. How did you get 3.2.6? Did you compile it from source? If so, could you share some details on how to do that? I can't even get the build tools to work on OpenWRT...

@dannutu

dannutu commented Dec 28, 2024

> I'm only getting 3.0.26 from openwrt-23.05.5.
same here as of 28 Dec
