Configuration file /etc/freeradius/radiusd.conf is globally writable
Hi, I have set up an infrastructure with a freeradius container in docker, but the error below occurs whenever the container goes up. Configuration file /etc/freeradius/radiusd.conf is globally writable. Refusing to start due to insecure configuration. I have locally a folder with files from a freeradius server that I use in a VM. These files, via Dockerfile I copy to the container and then change the permission of the folder to: chown -R freerad. /etc/freeradius I'm not sure if the owner would be just freerad or it would have to be root:freerad, or if I have to change the permissions too. Any ideas? -- Elias Pereira
hi, This issue I was able to solve by changing the permissions of the /etc/freeradius folder. chmod o-w /etc/freeradius -R Now, another question that I am beating my head on is why it doesn't complete the authentication transaction. (0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" 172.22.0.1 - gateway by docker subnet 172.22.0.2 - IP of freeradius container The first line of the log has a "from 172.22.0.1". Is this IP correct or should it be the IP of the access point? ------------------------------- *full log of transaction* ------------------------------- (0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" (0) NAS-Port-Type = Wireless-802.11 (0) Service-Type = Framed-User (0) Calling-Station-Id = "9A-06-38-29-C2-EB" (0) Connect-Info = "CONNECT 0Mbps 802.11b" (0) Acct-Session-Id = "79792BDF06BDA9C1" (0) Acct-Multi-Session-Id = "ACA3D5010901AE15" (0) WLAN-Pairwise-Cipher = 1027076 (0) WLAN-Group-Cipher = 1027076 (0) WLAN-AKM-Suite = 1027073 (0) Framed-MTU = 1400 (0) EAP-Message = 0x0278000c0132313630323339 (0) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) eap: Peer sent EAP Response (code 2) ID 120 length 12 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: (TLS) Initiating new session (0) eap: Sending EAP Request (code 1) ID 121 length 6 (0) eap: EAP session adding &reply:State = 0xfc4aea9afc33f386 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (0) EAP-Message = 0x017900061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfc4aea9afc33f3861568ee456a7f044b (0) Finished request Waking up in 4.9 seconds. (0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122 Waking up in 7.0 seconds. (0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122 Waking up in 11.0 seconds. (0) Cleaning up request packet ID 122 with timestamp +72 due to cleanup_delay was reached Ready to process requests (1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (1) User-Name = "2160239" (1) NAS-IP-Address = 172.19.1.94 (1) NAS-Identifier = "8a455872bf9f" (1) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) Calling-Station-Id = "9A-06-38-29-C2-EB" (1) Connect-Info = "CONNECT 0Mbps 802.11b" (1) Acct-Session-Id = "79792BDF06BDA9C1" (1) Acct-Multi-Session-Id = "ACA3D5010901AE15" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x0278000c0132313630323339 (1) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) eap: Peer sent EAP Response (code 2) ID 120 length 12 (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Peer sent packet with method EAP Identity (1) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 121 length 6 (1) eap: EAP session adding &reply:State = 0x1681adb716f8b460 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (1) EAP-Message = 0x017900061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x1681adb716f8b4601111af262dd5049b (1) Finished request Waking up in 4.9 seconds. (1) Cleaning up request packet ID 122 with timestamp +93 due to cleanup_delay was reached Ready to process requests On Mon, May 23, 2022 at 9:42 AM Elias Pereira <empbilly@gmail.com> wrote:
Hi,
I have set up an infrastructure with a freeradius container in docker, but the error below occurs whenever the container goes up.
Configuration file /etc/freeradius/radiusd.conf is globally writable. Refusing to start due to insecure configuration.
I have locally a folder with files from a freeradius server that I use in a VM.
These files, via Dockerfile I copy to the container and then change the permission of the folder to:
chown -R freerad. /etc/freeradius
I'm not sure if the owner would be just freerad or it would have to be root:freerad, or if I have to change the permissions too.
Any ideas?
-- Elias Pereira
-- Elias Pereira
On May 25, 2022, at 12:57 PM, Elias Pereira <empbilly@gmail.com> wrote:
This issue I was able to solve by changing the permissions of the /etc/freeradius folder.
chmod o-w /etc/freeradius -R
The default permissions are that only root can write to the configuration folder. So if that changed, it's because someone did it manually. For security reasons, the server won't start if the configuration files are globally writable.
Now, another question that I am beating my head on is why it doesn't complete the authentication transaction.
(0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
172.22.0.1 - gateway by docker subnet 172.22.0.2 - IP of freeradius container
The first line of the log has a "from 172.22.0.1". Is this IP correct or should it be the IP of the access point?
It's whatever your networking setup says it should be. Normally it's the IP of the access point. But if you have the docker setup to do NAT, then it will be a different IP.
... (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (1) EAP-Message = 0x017900061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x1681adb716f8b4601111af262dd5049b (1) Finished request
Is the packet making it back to the NAS? If not, the docker rules are preventing that. Docker is nice, but in this case it's adding an extra layer of complexity which is making things more difficult. Fix networking on the docker system, and it will work. This isn't a FreeRADIUS issue. Alan DeKok.
hi Alan, Thanks for the help!! We have several vlans and one of them has subnet 172.19.0.0/24. The docker on our dockerhost was also with this subnet and for this reason the conflict occurred. I changed the default docker subnet and now PEAP authentication with freeradius is working fine. On Wed, May 25, 2022 at 4:36 PM Alan DeKok <aland@deployingradius.com> wrote:
On May 25, 2022, at 12:57 PM, Elias Pereira <empbilly@gmail.com> wrote:
This issue I was able to solve by changing the permissions of the /etc/freeradius folder.
chmod o-w /etc/freeradius -R
The default permissions are that only root can write to the configuration folder. So if that changed, it's because someone did it manually.
For security reasons, the server won't start if the configuration files are globally writable.
Now, another question that I am beating my head on is why it doesn't complete the authentication transaction.
(0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224 (0) User-Name = "2160239" (0) NAS-IP-Address = 172.19.1.94 (0) NAS-Identifier = "8a455872bf9f" (0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
172.22.0.1 - gateway by docker subnet 172.22.0.2 - IP of freeradius container
The first line of the log has a "from 172.22.0.1". Is this IP correct or should it be the IP of the access point?
It's whatever your networking setup says it should be.
Normally it's the IP of the access point. But if you have the docker setup to do NAT, then it will be a different IP.
... (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64 (1) EAP-Message = 0x017900061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x1681adb716f8b4601111af262dd5049b (1) Finished request
Is the packet making it back to the NAS? If not, the docker rules are preventing that.
Docker is nice, but in this case it's adding an extra layer of complexity which is making things more difficult. Fix networking on the docker system, and it will work. This isn't a FreeRADIUS issue.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Elias Pereira
participants (2)
-
Alan DeKok -
Elias Pereira