Configuration file /etc/freeradius/radiusd.conf is globally writable

Elias Pereira empbilly at gmail.com
Thu May 26 17:09:48 UTC 2022


Hi Alan,

Thanks for the help!!

We have several VLANs and one of them has subnet 172.19.0.0/24. The Docker
on our Docker host was also on this subnet, and for this reason the conflict
occurred. I changed the default Docker subnet and now PEAP authentication
with FreeRADIUS is working fine.

On Wed, May 25, 2022 at 4:36 PM Alan DeKok <aland at deployingradius.com>
wrote:

> On May 25, 2022, at 12:57 PM, Elias Pereira <empbilly at gmail.com> wrote:
> > This issue I was able to solve by changing the permissions of the
> > /etc/freeradius folder.
> >
> > chmod o-w /etc/freeradius -R
>
>   The default permissions are that only root can write to the
> configuration folder.  So if that changed, it's because someone did it
> manually.
>
>   For security reasons, the server won't start if the configuration files
> are globally writable.
>
> > Now, another question that I am beating my head on is why it doesn't
> > complete the authentication transaction.
> >
> > (0) Received Access-Request Id 99 from 172.22.0.1:46786 to 172.22.0.2:1812 length 224
> > (0)   User-Name = "2160239"
> > (0)   NAS-IP-Address = 172.19.1.94
> > (0)   NAS-Identifier = "8a455872bf9f"
> > (0)   Called-Station-Id = "8A-45-58-72-BF-9F:peap-test"
> >
> > 172.22.0.1 - gateway by docker subnet
> > 172.22.0.2 - IP of freeradius container
> >
> > The first line of the log has a "from 172.22.0.1". Is this IP correct or
> > should it be the IP of the access point?
>
>   It's whatever your networking setup says it should be.
>
>   Normally it's the IP of the access point.  But if you have the docker
> setup to do NAT, then it will be a different IP.
> > ...
> > (1) Sent Access-Challenge Id 122 from 172.22.0.2:1812 to 172.22.0.1:46786 length 64
> > (1)   EAP-Message = 0x017900061920
> > (1)   Message-Authenticator = 0x00000000000000000000000000000000
> > (1)   State = 0x1681adb716f8b4601111af262dd5049b
> > (1) Finished request
>
>   Is the packet making it back to the NAS?  If not, the docker rules are
> preventing that.
>
>   Docker is nice, but in this case it's adding an extra layer of
> complexity which is making things more difficult.  Fix networking on the
> docker system, and it will work.  This isn't a FreeRADIUS issue.
>
>   Alan DeKok.


-- 
Elias Pereira
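
The permission problem from the subject line (the server refusing to start when its configuration files are globally writable) can be audited before a restart. The script below is an added example, not part of the original thread and not FreeRADIUS code; the function names are hypothetical, and /etc/freeradius is the path used in the thread. Unlike a blanket "chmod o-w -R", it reports what is wrong first and changes only the offending entries.

```shell
#!/bin/sh
# Added example: audit a configuration tree for the "other write" bit.
# Function names are hypothetical; the default path is the one from the thread.

# Print every file or directory under $1 with o+w set.
# Symlinks are skipped: their own mode bits carry no meaning, and a target
# inside the tree is reported under its real path anyway.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Number of offending paths (assumes no newlines in file names).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Clear only the other-write bit, and only on entries that have it set.
# Owner, group and other-read/execute bits are left untouched.
fix_world_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Return 0 when the tree is clean, 1 (with a listing on stderr) when not.
audit_config_dir() {
    dir=${1:-/etc/freeradius}
    n=$(count_world_writable "$dir")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n world-writable path(s) under $dir:" >&2
        list_world_writable "$dir" >&2
        return 1
    fi
    echo "OK: nothing under $dir is world-writable"
}

# Typical use, run as root:
#   audit_config_dir /etc/freeradius || fix_world_writable /etc/freeradius
```

Since the default is that only root can write to the configuration folder, a non-empty listing means someone changed the permissions by hand, and it is worth finding out when and why before clearing the bit.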