Configuration file /etc/freeradius/radiusd.conf is globally writable
Elias Pereira
empbilly at gmail.com
Wed May 25 16:57:09 UTC 2022
Hi,
This issue I was able to solve by changing the permissions of the
/etc/freeradius folder.
chmod o-w /etc/freeradius -R
Now, another question that I am beating my head on is why it doesn't
complete the authentication transaction.
(0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812
length 224
(0) User-Name = "2160239"
(0) NAS-IP-Address = 172.19.1.94
(0) NAS-Identifier = "8a455872bf9f"
(0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
172.22.0.1 - gateway by docker subnet
172.22.0.2 - IP of freeradius container
The first line of the log has a "from 172.22.0.1". Is this IP correct or
should it be the IP of the access point?
-------------------------------
*full log of transaction*
-------------------------------
(0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812
length 224
(0) User-Name = "2160239"
(0) NAS-IP-Address = 172.19.1.94
(0) NAS-Identifier = "8a455872bf9f"
(0) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
(0) NAS-Port-Type = Wireless-802.11
(0) Service-Type = Framed-User
(0) Calling-Station-Id = "9A-06-38-29-C2-EB"
(0) Connect-Info = "CONNECT 0Mbps 802.11b"
(0) Acct-Session-Id = "79792BDF06BDA9C1"
(0) Acct-Multi-Session-Id = "ACA3D5010901AE15"
(0) WLAN-Pairwise-Cipher = 1027076
(0) WLAN-Group-Cipher = 1027076
(0) WLAN-AKM-Suite = 1027073
(0) Framed-MTU = 1400
(0) EAP-Message = 0x0278000c0132313630323339
(0) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0) authorize {
(0) eap: Peer sent EAP Response (code 2) ID 120 length 12
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_peap to process data
(0) eap_peap: (TLS) Initiating new session
(0) eap: Sending EAP Request (code 1) ID 121 length 6
(0) eap: EAP session adding &reply:State = 0xfc4aea9afc33f386
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) session-state: Saving cached attributes
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786
length 64
(0) EAP-Message = 0x017900061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfc4aea9afc33f3861568ee456a7f044b
(0) Finished request
Waking up in 4.9 seconds.
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
Waking up in 7.0 seconds.
(0) Sending duplicate reply to client dockerhost3 port 46786 - ID: 122
Waking up in 11.0 seconds.
(0) Cleaning up request packet ID 122 with timestamp +72 due to
cleanup_delay was reached
Ready to process requests
(1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812
length 224
(1) User-Name = "2160239"
(1) NAS-IP-Address = 172.19.1.94
(1) NAS-Identifier = "8a455872bf9f"
(1) Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) Calling-Station-Id = "9A-06-38-29-C2-EB"
(1) Connect-Info = "CONNECT 0Mbps 802.11b"
(1) Acct-Session-Id = "79792BDF06BDA9C1"
(1) Acct-Multi-Session-Id = "ACA3D5010901AE15"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x0278000c0132313630323339
(1) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(1) authorize {
(1) eap: Peer sent EAP Response (code 2) ID 120 length 12
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1) [eap] = ok
(1) } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: (TLS) Initiating new session
(1) eap: Sending EAP Request (code 1) ID 121 length 6
(1) eap: EAP session adding &reply:State = 0x1681adb716f8b460
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/default
(1) session-state: Saving cached attributes
(1) Framed-MTU = 994
(1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786
length 64
(1) EAP-Message = 0x017900061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x1681adb716f8b4601111af262dd5049b
(1) Finished request
Waking up in 4.9 seconds.
(1) Cleaning up request packet ID 122 with timestamp +93 due to
cleanup_delay was reached
Ready to process requests
On Mon, May 23, 2022 at 9:42 AM Elias Pereira <empbilly at gmail.com> wrote:
> Hi,
>
> I have set up an infrastructure with a freeradius container in docker, but
> the error below occurs whenever the container goes up.
>
> Configuration file /etc/freeradius/radiusd.conf is globally writable.
> Refusing to start due to insecure configuration.
>
> I have locally a folder with files from a freeradius server that I use in
> a VM.
>
> These files, via Dockerfile I copy to the container and then change the
> permission of the folder to:
>
> chown -R freerad. /etc/freeradius
>
> I'm not sure if the owner would be just freerad or it would have to be
> root:freerad, or if I have to change the permissions too.
>
> Any ideas?
>
> --
> Elias Pereira
>
--
Elias Pereira
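Added example, not part of the original message and not FreeRADIUS code: a Python audit that lists world-writable entries in a configuration tree and then clears the bit, as `chmod -R o-w` does. The function names and the file layout are assumptions for the illustration, and it runs against a constructed temporary directory rather than the real /etc/freeradius.

```python
import os
import stat
import tempfile

def world_writable(root):
    """Return sorted paths under root (root included) that carry the o+w bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            if st.st_mode & stat.S_IWOTH:
                hits.append(path)
    return sorted(hits)

def strip_other_write(root):
    """Clear o+w on every flagged path; returns the paths that were changed."""
    changed = world_writable(root)
    for path in changed:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
    return changed

def demo():
    """Build a constructed config tree, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        conf_dir = os.path.join(tmp, "freeradius")
        mods = os.path.join(conf_dir, "mods-enabled")
        os.makedirs(mods)
        conf = os.path.join(conf_dir, "radiusd.conf")
        eap = os.path.join(mods, "eap")
        for path in (conf, eap):
            open(path, "w").close()
        os.chmod(conf_dir, 0o777)  # constructed: tree copied in with loose modes
        os.chmod(conf, 0o666)
        os.chmod(mods, 0o750)
        os.chmod(eap, 0o640)
        before = [os.path.relpath(p, tmp) for p in world_writable(conf_dir)]
        strip_other_write(conf_dir)
        after = world_writable(conf_dir)
        return before, after

if __name__ == "__main__":
    print(demo())
```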
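Added example, not part of the original message: a small parser for debug output like the log above. It reports requests whose packet source address differs from the NAS-IP-Address attribute, and requests that repeat an earlier Id and Message-Authenticator from the same source port, which is what a RADIUS client's retransmission looks like. The function names are hypothetical and the sample is constructed from lines in the post, shortened.

```python
import re

# Constructed sample: lines copied from the debug output in the post, shortened.
SAMPLE = """\
(0) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812
(0) User-Name = "2160239"
(0) NAS-IP-Address = 172.19.1.94
(0) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(0) # Executing section authorize from file
(0) Framed-MTU = 994
(0) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786
(1) Received Access-Request Id 122 from 172.22.0.1:46786 to 172.22.0.2:1812
(1) NAS-IP-Address = 172.19.1.94
(1) Message-Authenticator = 0xb95517c3495fca5f6865f52dbae18cdd
(1) # Executing section authorize from file
"""
RECV = re.compile(r"\((\d+)\) Received Access-Request Id (\d+) from ([\d.]+):(\d+) to")
ATTR = re.compile(r"\((\d+)\) ([\w-]+) = (.+)")

def parse_requests(log):
    """Map request number -> packet source, RADIUS Id and received attributes."""
    reqs, current = {}, None
    for line in log.splitlines():
        recv, attr = RECV.match(line.strip()), ATTR.match(line.strip())
        if recv:
            current = int(recv.group(1))
            reqs[current] = {"src": recv.group(3), "port": recv.group(4),
                             "id": int(recv.group(2)), "attrs": {}}
        elif attr and current == int(attr.group(1)):
            reqs[current]["attrs"][attr.group(2)] = attr.group(3).strip('"')
        elif line.strip().startswith("("):
            current = None  # first non-attribute line ends the received packet
    return reqs

def findings(reqs):
    """Flag source/NAS-IP-Address mismatches and retransmitted requests."""
    out, seen = [], {}
    for n, r in sorted(reqs.items()):
        nas = r["attrs"].get("NAS-IP-Address")
        if nas and nas != r["src"]:
            out.append((n, "source-differs-from-NAS-IP-Address", r["src"], nas))
        key = (r["src"], r["port"], r["id"], r["attrs"].get("Message-Authenticator"))
        if key in seen:
            out.append((n, "retransmission-of-request", seen[key], r["id"]))
        seen.setdefault(key, n)
    return out
```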