Freeradius 3.2.8 on Debian 12 not responding to requests via Relay Agent
David Lake
d.lake at surrey.ac.uk
Thu Jul 17 16:41:51 UTC 2025
And the answer was….
AppArmor. 🤦
Thank you for the very quick response!
David
From: Freeradius-Users <freeradius-users-bounces+d.lake=surrey.ac.uk at lists.freeradius.org> on behalf of David Lake via Freeradius-Users <freeradius-users at lists.freeradius.org>
Date: Thursday, 17 July 2025 at 17:37
To: Alan DeKok <aland at deployingradius.com>, FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Lake, David Dr (FEPS Faculty Admin) <d.lake at surrey.ac.uk>
Subject: Re: Freeradius 3.2.8 on Debian 12 not responding to requests via Relay Agent
OK - that makes a LOT of sense.
I also failed to mention that I have two interfaces and actually the default route back to 192.168.2.0/24 is via eth1, not the port it came in on eth0. I was wondering if RPF was playing games as well as I am seeing a PTR lookup to 1.2.168.192 on port eth1 which is just odd.
I’ve double checked no iptables active, no ufw. It’s Debian 12 so no SELinux but AppArmor (just as horrible and not as easy to spell). Pulled that out now.
I’m also going to have a look at the rp_filter settings on eth0 and eth1 as well now...
Thanks for the pointers!
David
From: Alan DeKok <aland at deployingradius.com>
Date: Thursday, 17 July 2025 at 17:07
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Lake, David Dr (FEPS Faculty Admin) <d.lake at surrey.ac.uk>
Subject: Re: Freeradius 3.2.8 on Debian 12 not responding to requests via Relay Agent
On Jul 17, 2025, at 10:56 AM, David Lake via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I can serve hosts locally on 192.168.1.0 and everything works fine.
That's good.
> However, I’m seeing zero traffic incoming to radius -X even though tcpdump shows that traffic is being received on the eth0 interface (192.168.1.1). Pcap attached taken on the DHCP server machine.
This is almost always an SELinux issue, or another permissions issue. But if the server didn't have permissions to listen on port 67, it would just get an error, and fail to start.
Which means it's likely an SELinux issue.
i.e. if the server is listening on the correct port, then the permissions / UID / GID are all correct. But some magic "security" thing is preventing the server from receiving the packets.
> Is there a config step I am missing? ss -lunp shows that radiusd is listening on port 67.
>
> My files/dhcp is configured as follows:
The module configuration doesn't affect how the server receives packets.
Failure to read packets from the network is pretty much always an OS issue, not a configuration issue.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
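The two OS-level checks raised in this thread (rp_filter on a two-interface host, and the AppArmor profile mode) can be scripted as below. This is an added example, not part of the original messages or of FreeRADIUS; the function names, the `radius` match pattern and the sample profile lines used to exercise it are assumptions constructed for illustration.

```shell
#!/bin/sh
# Triage for "tcpdump sees the packet, the daemon never does".

# The kernel applies max(conf/all, conf/<iface>) as the rp_filter value.
effective_rp_filter() {    # args: all_value iface_value
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# 1 = strict: a packet is dropped when the route back to its source
# leaves through a different interface than the one it arrived on.
rp_filter_verdict() {      # args: all_value iface_value
    case "$(effective_rp_filter "$1" "$2")" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# stdin: lines of the form "profile-name (mode)", the layout of
# /sys/kernel/security/apparmor/profiles. Prints "name mode" for
# every profile whose line contains the pattern.
apparmor_modes() {         # arg: pattern
    awk -v pat="$1" 'index($0, pat) {
        m = $NF; gsub(/[()]/, "", m); print $1, m
    }'
}

# Live check on a real host (reading the profile list needs root).
live_report() {            # arg: receiving interface, e.g. eth0
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter)
    ifv=$(cat "/proc/sys/net/ipv4/conf/$1/rp_filter")
    echo "$1 rp_filter: $(rp_filter_verdict "$all" "$ifv")"
    p=/sys/kernel/security/apparmor/profiles
    if [ -r "$p" ]; then apparmor_modes radius < "$p"; fi
}

if [ "$#" -gt 0 ]; then live_report "$1"; fi
```

A profile reported in `enforce` mode together with `apparmor="DENIED"` lines in the kernel log naming the daemon points at the profile rather than the network path.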