hi, This issue I was able to solve by changing the permissions of the /etc/freeradius folder. chmod o-w /etc/freeradius -R Now, another question that I am beating my head on is why it doesn't complete the authentication transaction. (0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" 172.22.0.1 - gateway by docker subnet 172.22.0.2 - IP of freeradius container The first line of the log has a "from 172.22.0.1". Is this IP correct or should it be the IP of the access point? ------------------------------- *full log of transaction* ------------------------------- (0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "9A-06-38-29-C2-EB" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "79792BDF06BDA9C1" (0) Acct-Multi-Session-Id = "ACA3D5010901AE15" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0278000c0132313630323339 (0) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 120 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 121 length 6 (0) eap: EAP session adding &reply:State = 0xfc4aea9afc33f386 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (0) EAP-Message = 0x017900061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfc4aea9afc33f3861568ee456a7f044b (0) Finished request Waking up in 4.9 seconds. (0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122 Waking up in 7.0 seconds. (0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122 Waking up in 11.0 seconds. (0) Cleaning up request packet ID 122 with timestamp +72 due to cleanup_delay was reached Ready to process requests (1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (1) User-Name = "2160239" (1) NAS-IP-Address = 172.19.1.94 (1) NAS-Identifier = "8a455872bf9f" (1) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "9A-06-38-29-C2-EB" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "79792BDF06BDA9C1" (1) Acct-Multi-Session-Id = "ACA3D5010901AE15" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x0278000c0132313630323339 (1) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 120 length 12 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Peer sent packet with method EAP Identity (1) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 121 length 6 (1) eap: EAP session adding &reply:State = 0x1681adb716f8b460 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (1) EAP-Message = 0x017900061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x1681adb716f8b4601111af262dd5049b (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 122 with timestamp +93 due to cleanup_delay was reached Ready to process requests On Mon, May 23, 2022 at 9:42 AM Elias Pereira <empbilly@gmail.com> wrote:
Hi,
I have set up an infrastructure with a freeradius container in docker, but the error below occurs whenever the container goes up.
Configuration file /etc/freeradius/radiusd.conf is globally writable. Refusing to start due to insecure configuration.
I have locally a folder with files from a freeradius server that I use in a VM.
These files, via Dockerfile I copy to the container and then change the permission of the folder to:
chown -R freerad. /etc/freeradius
I'm not sure if the owner would be just freerad or it would have to be root:freerad, or if I have to change the permissions too.
Any ideas?
-- Elias Pereira
-- Elias Pereira