Then I checked that it is set up by getcap /usr/sbin/freeradius and it was /usr/sbin/freeradius = cap_net_admin+ei
That should work.
But there is still Failed adding ARP entry: Failed to add entry in ARP cache: Operation not permitted (1)
Hi I ran into this issue and did some investigation. What I found was that if you set the permissions as follows: setcap cap_net_admin,cap_net_bind_service=eip /usr/local/sbin/radiusd This works as long as you do not launch FreeRADIUS as root. So for example I have a normal user called "radius" specified in radiusd.conf: security { user = radius group = radius ... } This does not work: root@computer# radiusd -X This works: radius@computer$ radiusd -X So what seems to be happening is that although we assign the capabilities to the radiusd executable, if we launch as a different user to what is in radiusd.conf then those capabilities are lost when FreeRADIUS switches user. I also tried adding "ambient" capabilities as follows: capsh --caps="cap_setpcap,cap_setuid,cap_setgid,cap_net_admin,cap_net_bind_service+eip" --keep=1 --user=radius --addamb=cap_net_admin,cap_net_bind_service -- -c "/usr/local/sbin/radiusd -X" This also works fine. -- Benjamin Thompson