Configuration file /etc/freeradius/radiusd.conf is globally writable

Elias Pereira empbilly at gmail.com
Wed May 25 16:57:09 UTC 2022


hi,

This issue I was able to solve by changing the permissions of the
/etc/freeradius folder.

chmod o-w /etc/freeradius -R

Now, another question that I am beating my head against is why it doesn't
complete the authentication transaction.

(0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
(0)   User-Name = "2160239"
(0)   NAS-IP-Address = 172.19.1.94
(0)   NAS-Identifier = "8a455872bf9f"
(0)   Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"

172.22.0.1 - gateway of the docker subnet
172.22.0.2 - IP of the freeradius container

The first line of the log has a "from 172.22.0.1". Is this IP correct or
should it be the IP of the access point?



-------------------------------

*full log of transaction*
-------------------------------

(0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
(0)   User-Name = "2160239"
(0)   NAS-IP-Address = 172.19.1.94
(0)   NAS-Identifier = "8a455872bf9f"
(0)   Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Service-Type = Framed-User
(0)   Calling-Station-Id = "9A-06-38-29-C2-EB"
(0)   Connect-Info = "CONNECT 0Mbps 802.11b"
(0)   Acct-Session-Id = "79792BDF06BDA9C1"
(0)   Acct-Multi-Session-Id = "ACA3D5010901AE15"
(0)   WLAN-Pairwise-Cipher = 1027076
(0)   WLAN-Group-Cipher = 1027076
(0)   WLAN-AKM-Suite = 1027073
(0)   Framed-MTU = 1400
(0)   EAP-Message = 0x0278000c0132313630323339
(0)   Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0) eap: Peer sent EAP Response (code 2) ID 120 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 121 length 6
(0) eap: EAP session adding &reply:State = 0xfc4aea9afc33f386
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) session-state: Saving cached attributes
(0)   Framed-MTU = 994
(0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64
(0)   EAP-Message = 0x017900061920
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xfc4aea9afc33f3861568ee456a7f044b
(0) Finished request
Waking up in 4.9 seconds.
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
Waking up in 7.0 seconds.
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
Waking up in 11.0 seconds.
(0) Cleaning up request packet ID 122 with timestamp +72 due to cleanup_delay was reached
Ready to process requests
(1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
(1)   User-Name = "2160239"
(1)   NAS-IP-Address = 172.19.1.94
(1)   NAS-Identifier = "8a455872bf9f"
(1)   Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   Calling-Station-Id = "9A-06-38-29-C2-EB"
(1)   Connect-Info = "CONNECT 0Mbps 802.11b"
(1)   Acct-Session-Id = "79792BDF06BDA9C1"
(1)   Acct-Multi-Session-Id = "ACA3D5010901AE15"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x0278000c0132313630323339
(1)   Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(1) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(1)   authorize {
(1) eap: Peer sent EAP Response (code 2) ID 120 length 12
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1)   authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 121 length 6
(1) eap: EAP session adding &reply:State = 0x1681adb716f8b460
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) session-state: Saving cached attributes
(1)   Framed-MTU = 994
(1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64
(1)   EAP-Message = 0x017900061920
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x1681adb716f8b4601111af262dd5049b
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 122 with timestamp +93 due to cleanup_delay was reached
Ready to process requests

On Mon, May 23, 2022 at 9:42 AM Elias Pereira <empbilly at gmail.com> wrote:

> Hi,
>
> I have set up an infrastructure with a freeradius container in docker, but
> the error below occurs whenever the container comes up.
>
> Configuration file /etc/freeradius/radiusd.conf is globally writable.
> Refusing to start due to insecure configuration.
>
> I have locally a folder with files from a freeradius server that I use in
> a VM.
>
> These files I copy into the container via the Dockerfile and then change the
> permissions of the folder with:
>
> chown -R freerad. /etc/freeradius
>
> I'm not sure if the owner would be just freerad or it would have to be
> root:freerad, or if I have to change the permissions too.
>
> Any ideas?
>
> --
> Elias Pereira
>


-- 
Elias Pereira
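The "globally writable" refusal in the quoted message is FreeRADIUS checking the configuration tree for world-writable entries before it starts. The script below is an added example for this thread, not code from the post or from the FreeRADIUS project: it audits a configuration directory for the same condition and for the opposite problem that `chmod o-w` does not touch (if the copied files were also world-readable, the shared secrets in clients.conf and the EAP private key stay readable by every user in the container), then applies a recursive fix. The 0640/0750 modes and the mention of a freerad group are this example's assumptions about the target layout, not facts taken from the post; the directory tree it builds is a constructed placeholder.

```python
import os
import shutil
import stat
import tempfile


def audit_config_tree(root):
    """Walk a FreeRADIUS configuration directory and report the two things worth
    checking before the daemon starts: entries writable by 'other' (the server
    refuses to start on those, as in the mail) and regular files readable by
    'other' (clients.conf holds shared secrets, the EAP key is private).
    Symlinks are skipped so a link into a read-only share is not reported."""
    writable, readable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            if st.st_mode & stat.S_IWOTH:
                writable.append(rel)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                readable.append(rel)
    if os.lstat(root).st_mode & stat.S_IWOTH:
        writable.append(".")
    return {"world_writable": sorted(writable), "world_readable": sorted(readable)}


def harden_config_tree(root, file_mode=0o640, dir_mode=0o750):
    """Recursive equivalent of the chmod in the mail, but also dropping 'other'
    read: directories get dir_mode, regular files file_mode (both modes are this
    example's assumed policy).  Ownership is left to chown because the target
    group (assumed here to be freerad) must exist before it can be assigned."""
    count = 0
    for dirpath, dirnames, filenames in os.walk(root):
        for name, mode in [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, mode)
                count += 1
    os.chmod(root, dir_mode)
    return count + 1


def demo():
    """Constructed tree with the mail's problem (everything left world-writable
    after copying into the image); audit, harden, audit again, then clean up."""
    root = tempfile.mkdtemp(prefix="freeradius-")
    try:
        os.makedirs(os.path.join(root, "mods-enabled"))
        for rel in ("radiusd.conf", "clients.conf", "mods-enabled/eap"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("# constructed placeholder, not a real config\n")
            os.chmod(os.path.join(root, rel), 0o666)
        os.chmod(root, 0o777)
        os.chmod(os.path.join(root, "mods-enabled"), 0o777)
        before = audit_config_tree(root)
        harden_config_tree(root)
        after = audit_config_tree(root)
    finally:
        shutil.rmtree(root)
    return before, after


if __name__ == "__main__":
    b, a = demo()
    print("before:", b)
    print("after: ", a)
```

Run against a real tree, `audit_config_tree("/etc/freeradius")` is the check to put in the image build or an entrypoint before `freeradius -X`; `harden_config_tree` is the fix, followed by the `chown` the quoted post asks about once the service user and group exist in the image.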


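The debug output above shows the same Access-Request (Id 122, the same EAP Identity response, no State attribute) arriving twice from 172.22.0.1:46786 while the server resends its Access-Challenge; the request's source address differs from its NAS-IP-Address, and FreeRADIUS matches clients.conf entries on the source address, so every access point behind that address shares one client entry and shared secret. The script below is an added example written for this thread, not code from the post or from the FreeRADIUS project. It parses debug lines of the shape quoted above (a constructed, trimmed copy of the log is embedded as sample input), decodes the EAP-Message attribute using the RFC 3748 header layout, and reports three things: a NAT in front of the server, NAS retransmissions, and an EAP conversation that restarts from Identity instead of answering the server's last Request (an EAP Response must carry the Identifier of the Request it answers). The regular expressions are this example's reading of the debug format and nothing else is assumed.

```python
import re

# Constructed sample: a trimmed copy of the debug output quoted in the mail
# (two Access-Requests with the same Id, two duplicate-reply lines).
SAMPLE_LOG = """\
(0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
(0)   User-Name = "2160239"
(0)   NAS-IP-Address = 172.19.1.94
(0)   EAP-Message = 0x0278000c0132313630323339
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)     [eap] = ok
(0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64
(0)   EAP-Message = 0x017900061920
(0)   State = 0xfc4aea9afc33f3861568ee456a7f044b
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
(1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
(1)   User-Name = "2160239"
(1)   NAS-IP-Address = 172.19.1.94
(1)   EAP-Message = 0x0278000c0132313630323339
(1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64
(1)   EAP-Message = 0x017900061920
(1)   State = 0x1681adb716f8b4601111af262dd5049b
"""

PKT_RE = re.compile(r"^\((\d+)\) (Received|Sent) (\S+) Id (\d+) from ([\d.]+):(\d+) to ([\d.]+):(\d+)")
ATTR_RE = re.compile(r"^\((\d+)\)\s+(\S+) = (.+)$")
DUP_RE = re.compile(r"^\((\d+)\) Sending duplicate reply to client \S+ port \d+ - ID: \d+")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def decode_eap(hexstr):
    """Decode the EAP packet inside an EAP-Message attribute: RFC 3748 header, then
    for the TLS-based methods (TLS/TTLS/PEAP) the L/M/S flag byte after the type."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4 or int.from_bytes(raw[2:4], "big") != len(raw):
        raise ValueError(f"bad EAP length for {hexstr}")
    code = raw[0]
    pkt = {"code": EAP_CODES.get(code, code), "id": raw[1], "length": len(raw)}
    if code in (1, 2) and len(raw) >= 5:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        if raw[4] == 1:
            pkt["identity"] = raw[5:].decode("utf-8", "replace")
        elif raw[4] in (13, 21, 25) and len(raw) >= 6:
            f = raw[5]
            pkt["tls_flags"] = {"L": bool(f & 0x80), "M": bool(f & 0x40), "S": bool(f & 0x20), "version": f & 0x07}
    return pkt


def parse_log(text):
    """Group debug lines into per-request records keyed by the (n) prefix."""
    reqs, current = {}, None  # current = (n, "request"|"reply") while attributes follow
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            n = int(m.group(1))
            if m.group(2) == "Received":
                reqs[n] = {"id": int(m.group(4)), "src": f"{m.group(5)}:{m.group(6)}",
                           "request": {}, "reply": {}, "reply_code": None, "dups": 0}
                current = (n, "request")
            else:
                reqs[n]["reply_code"] = m.group(3)
                current = (n, "reply")
        elif DUP_RE.match(line):
            reqs[int(DUP_RE.match(line).group(1))]["dups"] += 1
            current = None
        elif (m := ATTR_RE.match(line)) and current is not None:
            reqs[current[0]][current[1]][m.group(2)] = m.group(3).strip('"')
        else:
            current = None  # any other debug line closes the attribute list
    return reqs


def analyse(reqs):
    """Flag a NAT in front of the server, NAS retransmissions, and EAP restarts."""
    result = {"nat_suspected": False, "retransmissions": 0, "stalled": [], "notes": []}
    last_sent = {}  # peer "ip:port" -> EAP id of the last Request sent to it
    for n, r in sorted(reqs.items()):
        src_ip, nas_ip = r["src"].split(":")[0], r["request"].get("NAS-IP-Address")
        if nas_ip and nas_ip != src_ip:
            result["nat_suspected"] = True
            result["notes"].append(f"({n}) source {src_ip} != NAS-IP-Address {nas_ip}: a NAT or proxy is in "
                                   "the path; clients.conf is matched on the source address, not on NAS-IP-Address")
        result["retransmissions"] += r["dups"]
        if r["dups"]:
            result["notes"].append(f"({n}) NAS resent Id {r['id']} {r['dups']} time(s): it did not get the reply")
        if "EAP-Message" in r["request"]:
            req, expected = decode_eap(r["request"]["EAP-Message"]), last_sent.get(r["src"])
            if expected is not None and req["id"] != expected and "State" not in r["request"]:
                result["stalled"].append((n, req.get("identity")))
                result["notes"].append(f"({n}) fresh EAP {req['type']} id {req['id']} with no State instead of "
                                       f"a Response to id {expected}: the peer never answered the challenge")
        if "EAP-Message" in r["reply"]:
            last_sent[r["src"]] = decode_eap(r["reply"]["EAP-Message"])["id"]
    return result


if __name__ == "__main__":
    for note in analyse(parse_log(SAMPLE_LOG))["notes"]:
        print(note)
```

On the sample the decoder shows the request as an EAP Response id 120 of type Identity "2160239" and the reply as an EAP Request id 121 of type PEAP with the Start flag set; request (1) then repeats id 120 with no State, so the supplicant never received the PEAP Start and the three copies of Id 122 from the NAS mean the Access-Challenge is not getting back through the address that the request came in from. Feeding the full `freeradius -X` output to `parse_log` works the same way, since lines that are not packet, attribute or duplicate-reply lines are ignored.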
More information about the Freeradius-Users mailing list