opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

freeradius 1.9.16 - freeradius service on secondary gateway does not reload after HA sync #2654

Closed iperry-indigex closed 2 years ago

iperry-indigex commented 2 years ago

During a maintenance period today, we failed over to our secondary gateway to make some changes to the primary gateway. We began having users failing to authenticate against RADIUS, which had now failed over to secondary. This was fixed by restarting the freeradius server on the secondary gateway. It appears that whenever a high availability sync is performed, freeradius is not included in the list of services that get restarted. The written configuration for the two gateways matches, but the running configuration does not appear to be consistent.

To Reproduce

A) Adding User

  1. Add a user to the primary gateway under Services > FreeRADIUS > Users
  2. Select "Apply"
  3. Attempt to authenticate against RADIUS server as new user, succeeds.
  4. Sync config to secondary gateway
  5. Fail over via Interfaces > Virtual IPs > Status > Enter Persistent CARP Maintenance Mode
  6. Attempt to authenticate against RADIUS server as new user (which does appear in the GUI), fails.

B) Changing Password

  1. Change a user password on the primary gateway under Services > FreeRADIUS > Users
  2. Perform steps 2-6 from section A.
  3. Authenticating with old password succeeds.

Environment

OPNsense 21.7.3_1-amd64
FreeBSD 12.1-RELEASE-p20-HBSD
OpenSSL 1.1.1l 24 Aug 2021
Motherboard SuperMicro SCLX11IF
CPU Intel(R) Core(TM) i9-9900KF CPU @ 3.60GHz (16 cores)
Network Intel® X710DA2

OPNsense-bot commented 2 years ago

Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

mimugmail commented 2 years ago

Screenshot of the button you click in step 4 please

iperry-indigex commented 2 years ago

> Screenshot of the button you click in step 4 please

Sync

mimugmail commented 2 years ago

Err .. this is only to sync, you need to push the button at the bottom to also restart.

iperry-indigex commented 2 years ago

> Err .. this is only to sync, you need to push the button at the bottom to also restart.

I just want to clarify: Are you saying that the synchronization process does not restart any services by design? Or does it restart some services, but not others?

mimugmail commented 2 years ago

I believe it's only for templates, config, filter and aliases, but since I always use the bottom button I never compared it.

OPNsense-bot commented 2 years ago

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
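
Added example (not part of the thread and not OPNsense or plugin code): a check to run on the secondary after an HA sync that flags the condition reported above, where the written configuration is newer than the running daemon. It assumes the sync rewrites the generated FreeRADIUS files and that the daemon's pidfile is written at start; the script name and both paths are supplied by the operator and are not taken from the page.

```shell
#!/bin/sh
# Added example: detect a daemon still running with config older than what is on disk.
# Assumption: the pidfile is written when the daemon starts, so its mtime
# approximates the process start time.

# Print a file's mtime in epoch seconds (GNU stat first, then BSD stat as on FreeBSD).
mtime() {
    [ -e "$1" ] || return 1
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Print the newest mtime among regular files under a directory (0 if none).
newest_mtime() {
    find "$1" -type f | {
        newest=0
        while IFS= read -r f; do
            m=$(mtime "$f") || continue
            if [ "$m" -gt "$newest" ]; then newest=$m; fi
        done
        echo "$newest"
    }
}

# Exit status: 0 = stale (config changed after start), 1 = current, 2 = no pidfile.
config_is_stale() {
    pidfile=$1
    confdir=$2
    [ -f "$pidfile" ] || { echo "no pidfile: $pidfile" >&2; return 2; }
    started=$(mtime "$pidfile")
    changed=$(newest_mtime "$confdir")
    [ "$changed" -gt "$started" ]
}

# Run as: sh check_stale.sh <pidfile> <config-dir>  (hypothetical script name;
# both paths depend on the install)
if [ "$#" -eq 2 ]; then
    rc=0
    config_is_stale "$1" "$2" || rc=$?
    case $rc in
        0) echo "STALE: files under $2 changed after the daemon started; restart it"; exit 1 ;;
        1) echo "OK: daemon started after the last config change" ;;
        *) exit 2 ;;
    esac
fi
```

Point it at the directory holding the generated configuration only; files the daemon itself writes at runtime would produce false positives.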