Unable to start radiusd, permission issues, and minimal configuration
Hi, First off I'm having some problems starting radiusd. I first installed the Fedora package then followed the HOWTO[1]: sudo dnf install freeradius Edit /etc/raddb/users adding a 'testing' user radiusd -X Running as a regular user I get some permission errors since it needs files in /etc but neither sudo nor logging in as root allow me to run it either. Its still got permission issues with server.pem tls: Failed reading certificate file "/etc/raddb/certs/server.pem" tls: error:0200100D:system library:fopen:Permission denied tls: error:20074002:BIO routines:file_ctrl:system lib tls: error:140DC002:SSL routines:use_certificate_chain_file:system lib rlm_eap_tls: Failed initializing SSL context rlm_eap (EAP): Failed to initialise rlm_eap_tls /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap" I've also got some additional questions as to how difficult it would be to strip down the configuration, hopefully to a few files? I'm trying to add freeradius to our automated testing framework for wifi, which currently uses hostapd's internal radius server for all EAP tests which is basically two config files. The problem is its not testing against a RADIUS server that you would encounter in real life, like freeradius. So I would like to test against freeradius as well and hopefully catch any subtle differences between the two implementations. The framework runs on a minimal kernel VM and all daemon configurations are held in our upstream project (e.g. dbus, dhcpd, radvd, hostapd etc.). The freeradius config is an entire folder structure with many config files so duplicating that upstream isn't really desired. I've seen "don't modify the config" everywhere, but that aside, is a minimal configuration possible? we only need EAP. Regarldess I'd like to get radiusd running in the first place to test, then I can start the sacrilege of modifying the configuration :) [1] https://wiki.freeradius.org/guide/Basic-configuration-HOWTO
On 01/12/2022 23:24, James Prestwood wrote:
Running as a regular user I get some permission errors since it needs files in /etc but neither sudo nor logging in as root allow me to run it either. Its still got permission issues with server.pem
tls: Failed reading certificate file "/etc/raddb/certs/server.pem" tls: error:0200100D:system library:fopen:Permission denied
Check what the file ownership is for that certificate - and also check radiusd.conf to see what user FreeRADIUS is running as. Once it drops privileges it may no longer have access to read.
I've also got some additional questions as to how difficult it would be to strip down the configuration, hopefully to a few files?
Possible (and fairly easy) when you know what you are doing. If you're just getting started then really not recommended. Stick with the full default config, check it into git or some other version control, and work your want forward. When things break you can then easily go back to previous working versions.
I'm trying to add freeradius to our automated testing framework for wifi, which currently uses hostapd's internal radius server for all EAP tests which is basically two config files. The problem is its not testing against a RADIUS server that you would encounter in real life, like freeradius. So I would like to test against freeradius as well and hopefully catch any subtle differences between the two implementations.
Yes that definitely makes sense.
The framework runs on a minimal kernel VM and all daemon configurations are held in our upstream project (e.g. dbus, dhcpd, radvd, hostapd etc.). The freeradius config is an entire folder structure with many config files so duplicating that upstream isn't really desired. I've seen "don't modify the config" everywhere, but that aside, is a minimal configuration possible? we only need EAP.
Sure, it's definitely possible. But work your way towards it as you get to understand the config. -- Matthew
On Thu, 2022-12-01 at 23:36 +0000, Matthew Newton via Freeradius-Users wrote:
On 01/12/2022 23:24, James Prestwood wrote:
Running as a regular user I get some permission errors since it needs files in /etc but neither sudo nor logging in as root allow me to run it either. Its still got permission issues with server.pem
tls: Failed reading certificate file "/etc/raddb/certs/server.pem" tls: error:0200100D:system library:fopen:Permission denied
Check what the file ownership is for that certificate - and also check radiusd.conf to see what user FreeRADIUS is running as. Once it drops privileges it may no longer have access to read.
Ah the user/group in radiusd.conf was the problem. root/root seems to work.
I've also got some additional questions as to how difficult it would be to strip down the configuration, hopefully to a few files?
Possible (and fairly easy) when you know what you are doing. If you're just getting started then really not recommended.
Stick with the full default config, check it into git or some other version control, and work your want forward. When things break you can then easily go back to previous working versions.
Cool, that was my plan. Thanks, James
On Dec 1, 2022, at 6:24 PM, James Prestwood <prestwoj@gmail.com> wrote:
I've also got some additional questions as to how difficult it would be to strip down the configuration, hopefully to a few files?
You've got to understand what the configuration is doing. But it's not hard. Just take it slowly, deleting files you don't need, or configuration bits you're not using.
I'm trying to add freeradius to our automated testing framework for wifi, which currently uses hostapd's internal radius server for all EAP tests which is basically two config files. The problem is its not testing against a RADIUS server that you would encounter in real life, like freeradius. So I would like to test against freeradius as well and hopefully catch any subtle differences between the two implementations.
I'm not sure what you're trying to catch. hostapd follows the specs, as does FreeRADIUS. And both are *very* widely used. If there's an issue with either one, it will be discovered very quickly.
The framework runs on a minimal kernel VM and all daemon configurations are held in our upstream project (e.g. dbus, dhcpd, radvd, hostapd etc.). The freeradius config is an entire folder structure with many config files so duplicating that upstream isn't really desired. I've seen "don't modify the config" everywhere, but that aside, is a minimal configuration possible? we only need EAP.
The server comes with many files in "mods-available" and "sites-available". If you're not using those, you can delete them. A minimal configuration of the server is maybe 100 lines, plus the EAP module configuration. It just takes time and effort to clean up for your local needs. Alan DeKok.
On Thu, 2022-12-01 at 19:17 -0500, Alan DeKok wrote:
On Dec 1, 2022, at 6:24 PM, James Prestwood <prestwoj@gmail.com> wrote:
I've also got some additional questions as to how difficult it would be to strip down the configuration, hopefully to a few files?
You've got to understand what the configuration is doing. But it's not hard. Just take it slowly, deleting files you don't need, or configuration bits you're not using.
I'm trying to add freeradius to our automated testing framework for wifi, which currently uses hostapd's internal radius server for all EAP tests which is basically two config files. The problem is its not testing against a RADIUS server that you would encounter in real life, like freeradius. So I would like to test against freeradius as well and hopefully catch any subtle differences between the two implementations.
I'm not sure what you're trying to catch. hostapd follows the specs, as does FreeRADIUS. And both are *very* widely used.
If there's an issue with either one, it will be discovered very quickly.
Do professional/corporate networks actually use the hostapd implementation? I'm genuinely curious. Its just very limited on what you can do compared to freeRADIUS. We have had users in the past say their EAP configuration doesn't work when we test the same configuration in our automated testing. So whether this is extra attributes we don't expect, default options that differ between hostapd/freeRADIUS, etc. we just don't know without testing both. In a perfect world you're right, they should be identical in terms of the protocol. What I'm doing now is figuring out if thats actually true :)
The framework runs on a minimal kernel VM and all daemon configurations are held in our upstream project (e.g. dbus, dhcpd, radvd, hostapd etc.). The freeradius config is an entire folder structure with many config files so duplicating that upstream isn't really desired. I've seen "don't modify the config" everywhere, but that aside, is a minimal configuration possible? we only need EAP.
The server comes with many files in "mods-available" and "sites- available". If you're not using those, you can delete them.
A minimal configuration of the server is maybe 100 lines, plus the EAP module configuration. It just takes time and effort to clean up for your local needs.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Dec 1, 2022, at 7:39 PM, James Prestwood <prestwoj@gmail.com> wrote:
Do professional/corporate networks actually use the hostapd implementation? I'm genuinely curious. Its just very limited on what you can do compared to freeRADIUS.
hostapd is best for embedded systems. I can't recall ever seeing it used as the main RADIUS server in a production environment,
We have had users in the past say their EAP configuration doesn't work when we test the same configuration in our automated testing. So whether this is extra attributes we don't expect, default options that differ between hostapd/freeRADIUS, etc. we just don't know without testing both.
It's almost always TLS issues. Differences in OpenSSL versions, etc. EAP and RADIUS are trivial in comparison.
In a perfect world you're right, they should be identical in terms of the protocol. What I'm doing now is figuring out if thats actually true :)
Barring issues with OpenSSL, they should be identical. Everyone uses wpa_supplicant / hostap / freeradius for everything. Alan DeKok.
participants (3)
-
Alan DeKok -
James Prestwood -
Matthew Newton