Configuration file /etc/freeradius/radiusd.conf is globally writable

Alan DeKok aland at deployingradius.com
Wed May 25 19:36:46 UTC 2022


On May 25, 2022, at 12:57 PM, Elias Pereira <empbilly at gmail.com> wrote:
> This issue I was able to solve by changing the permissions of the
> /etc/freeradius folder.
> 
> chmod o-w /etc/freeradius -R

  The default permissions are that only root can write to the configuration folder.  So if that changed, it's because someone did it manually.

  For security reasons, the server won't start if the configuration files are globally writable.

> Now, another question that I am beating my head on is why it doesn't
> complete the authentication transaction.
> 
> (0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812
> length 224
> (0)   User-Name = "2160239"
> (0)   NAS-IP-Address = 172.19.1.94
> (0)   NAS-Identifier = "8a455872bf9f"
> (0)   Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
> 
> 172.22.0.1 - gateway by docker subnet
> 172.22.0.2 - IP of freeradius container
> 
> The first line of the log has a "from 172.22.0.1". Is this IP correct or
> should it be the IP of the access point?

  It's whatever your networking setup says it should be.

  Normally it's the IP of the access point.  But if you have the docker setup to do NAT, then it will be a different IP.

> ...
> (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786
> length 64
> (1)   EAP-Message = 0x017900061920
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x1681adb716f8b4601111af262dd5049b
> (1) Finished request

  Is the packet making it back to the NAS?  If not, the docker rules are preventing that.

  Docker is nice, but in this case it's adding an extra layer of complexity which is making things more difficult.  Fix networking on the docker system, and it will work.  This isn't a FreeRADIUS issue.

  Alan DeKok.
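
The globally-writable condition discussed in this message can be audited before the server is started. The script below is an added example, not part of the original e-mail and not FreeRADIUS code: it lists every file or directory with the other-write bit set and clears only that bit on the flagged entries. The function names are invented for this example, and the directory to check (for instance /etc/freeradius from the thread) is passed as the argument.

```shell
#!/bin/sh
# Added example (not FreeRADIUS code): audit a config tree for entries
# that are writable by "other", the bit that `chmod o-w` clears.

# Print every regular file or directory under $1 with the other-write bit set.
# Symlinks are skipped: their own mode bits carry no meaning, and any
# target that lives inside the tree is checked as itself.
audit_world_writable() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" \( -type f -o -type d \) -perm -0002 -print
}

# Number of findings; 0 means the tree passes the check.
count_world_writable() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit, and only on flagged entries, so all
# remaining owner/group/other bits stay exactly as they were.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# Stand-alone use: ./audit.sh /etc/freeradius
# Lists the findings and exits non-zero if there are any, so it can gate
# a container entrypoint or a deployment step.
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
    [ "$(count_world_writable "$1")" -eq 0 ] || exit 1
fi
```

Running the audit first shows which entries were changed from the defaults, which helps track down what modified them.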



