FreeRADIUS in jail | Failed opening auth address :: port 1812 bound to server

bigart

Member

Hi,
I'm trying to run FreeRADIUS in a jail. Host and jail are on the same network.

Code:
radiusd -fX
...
Failed opening auth address :: port 1812 bound to server default: Protocol not supported
/usr/local/etc/raddb/sites-enabled/default[245]: Error binding to port for :: port 1812


Code:
root@freeradius:/ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1331  4  tcp4   192.168.1.16:25       *:*
root     smbd       1283  49 tcp4   192.168.1.16:445      *:*
root     smbd       1283  50 tcp4   192.168.1.16:139      *:*
root     nmbd       1279  14 udp4   192.168.1.16:137      *:*
root     nmbd       1279  15 udp4   192.168.1.16:138      *:*
root     nmbd       1279  16 udp4   192.168.1.16:137      *:*
root     nmbd       1279  17 udp4   192.168.1.16:137      *:*
root     nmbd       1279  18 udp4   192.168.1.16:138      *:*
root     nmbd       1279  19 udp4   192.168.1.16:138      *:*
root     syslogd    1244  5  udp4   192.168.1.16:514      *:*

Network configuration on host

Code:
root@jail-host:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:1f:89:e6
        inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.13 netmask 0xffffffff broadcast 192.168.1.13
        inet 192.168.1.14 netmask 0xffffffff broadcast 192.168.1.14
        inet 192.168.1.15 netmask 0xffffffff broadcast 192.168.1.15
        inet 192.168.1.16 netmask 0xffffffff broadcast 192.168.1.16
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

Network configuration in jail

Code:
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:1f:89:e6
        inet 192.168.1.16 netmask 0xffffffff broadcast 192.168.1.16
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo

Code:
root@freeradius:/usr/local/etc/raddb/mods-enabled # sockstat | grep 1812
root@freeradius:/usr/local/etc/raddb/mods-enabled #

Ping between host and jail is working. As you can see above, the jail is connected to the domain and everything is working.
The firewall on the host is turned off for testing purposes.

Where do I have to look to find the problem?
 

suntzu00

Member

Check the RADIUS config files for IPv6-related stuff and disable it/change it to IPv4. It's trying to listen on ::
 

SirDice

Administrator
Moderator

Bind the service to the specific jail's IP address.
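As an added example (not the thread's file and not the FreeRADIUS project's stock configuration), here are the listen sections of /usr/local/etc/raddb/sites-enabled/default bound to the jail address taken from the ifconfig output above. The jail has no IPv6 address at all, so the stock `listen { ... ipv6addr = :: }` sections fail when the AF_INET6 socket is created, which is the "Protocol not supported" in the first post. The `ipaddr = *` sections would have bound, because a FreeBSD jail maps the IPv4 wildcard to its own address, but naming the address removes any dependence on that mapping and makes it obvious which alias the daemon owns.

```conf
# /usr/local/etc/raddb/sites-enabled/default  (listen sections only)
# Added example for this thread, not the stock file.  192.168.1.16 is the
# jail's only address; there is no ipv6addr section because the jail has
# no IPv6 stack to bind to.

listen {
	type = auth
	ipaddr = 192.168.1.16   # the jail alias, not "*" and not "::"
	port = 0                # 0 = take the port from /etc/services (1812)
}

listen {
	type = acct
	ipaddr = 192.168.1.16
	port = 0                # 1813 from /etc/services
}
```

After restarting, `sockstat -4 -l | grep radiusd` inside the jail should list udp4 192.168.1.16:1812 and 192.168.1.16:1813. The empty `sockstat | grep 1812` in the first post was not a networking fault: the daemon had already exited on the bind error before it opened any socket.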
 

bigart

Member

Thank you,

I resolved the problem by editing /usr/local/etc/raddb/sites-enabled/default and commenting out all IPv6 settings.

Now I have a problem with LDAP:
Code:
/usr/local/etc/raddb/mods-enabled/ldap[8]: Failed to link to module rlm_ldap': Cannot open "/usr/local/lib/freeradius-3.0.21/rlm_ldap.so"

ldap exists in mods-enabled.

Code:
root@freeradius:/usr/local/etc/raddb/mods-enabled # ls
always          detail.log      expiration      mschap          realm           utf8
attr_filter     digest          expr            ntlm_auth       replicate
cache_eap       dynamic_clients files           pap             soh
chap            eap             ldap            passwd          sradutmp
date            echo            linelog         preprocess      unix
detail          exec            logintime       radutmp         unpack

Do I have to install freeradius using ports?
 

SirDice

Administrator
Moderator

Assuming you mean net/freeradius3, the option is off by default:
Code:
  LDAP=off: LDAP protocol support
 

SirDice

Administrator
Moderator

Is it possible to install freeradius-ldap without reinstalling all of freeradius?
No, you're going to need to build it from ports too. Packages are built with the default options, so that means the option is off in the package. There is no "slave" port/package that has this option turned on.
 

bigart

Member

Is it possible to resolve the TLS problem?

Code:
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
 

SirDice

Administrator
Moderator

Did you configure the certificates for it? TLS 1.0 is rather old and typically disabled everywhere nowadays.
 

bigart

Member

No, I didn't configure any certificates. Can you give me a tip on where to do it?
 

SirDice

Administrator
Moderator

I don't know, never used FreeRADIUS. So I'm going to have to read the documentation to figure it out. Which you should probably do instead of me.
 

bigart

Member

Solution for the TLS problem:

Edit the file /usr/local/etc/raddb/mods-enabled/eap

Find and comment out these lines:

Code:
#disable_tlsv1_2 = no
#disable_tlsv1_0 = yes
#disable_tlsv1_1 = yes
#disable_tlsv1 = yes

Find and change these lines:

Code:
tls_min_version = "1.0"
tls_max_version = "1.3"
 

SirDice

Administrator
Moderator

You really shouldn't use TLS 1.0 and 1.1 anymore, that's why they've been disabled in the configuration. The best way forward is to figure out why one side wants to 'downgrade' the connection from TLS 1.3 to 1.0. Never just blindly enable old and deprecated authentication protocols, that's going to cause problems eventually.

Code:
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version

Do you have some old hardware/software you're trying to use with RADIUS? That might be a reason why it tried to downgrade the connection.
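As an added example (not the thread's file, not the OP's working configuration and not the project's stock file), here is the relevant part of /usr/local/etc/raddb/mods-enabled/eap with the floor kept at TLS 1.2 and with the certificate settings the earlier question asked about; the thread's TLS 1.0 setting is shown commented out next to it for contrast. One point worth keeping in mind when reading the debug output: in PEAP the TLS peer is the supplicant, the device being authenticated, while the AP or router acting as authenticator only relays EAP frames, so the device that actually has to speak TLS 1.2 is whichever one runs the supplicant. The file names and the `whatever` password are what the certs/bootstrap script shipped with FreeRADIUS creates for its self-signed test certificates; they are assumptions here and must be replaced by a real server certificate before production use.

```conf
# /usr/local/etc/raddb/mods-enabled/eap  (relevant parts only)
# Added example for this thread; not the stock file and not the OP's.

eap {
	default_eap_type = peap
	timer_expire = 60
	ignore_unknown_eap_types = no

	tls-config tls-common {
		# Certificates presented to supplicants.  These names and the
		# password are what certs/bootstrap generates for testing;
		# point them at a real server certificate for production.
		private_key_password = whatever
		private_key_file = ${certdir}/server.pem
		certificate_file = ${certdir}/server.pem
		ca_file = ${cadir}/ca.pem
		dh_file = ${certdir}/dh

		# Corrected setting: floor at TLS 1.2.  The inner MSCHAPv2
		# exchange is protected only by this tunnel, so TLS 1.0/1.1
		# weaknesses apply directly to the user's credentials.
		tls_min_version = "1.2"
		tls_max_version = "1.2"
		disable_tlsv1 = yes
		disable_tlsv1_1 = yes
		disable_tlsv1_2 = no

		# Weak setting from the thread, for contrast.  It re-admits
		# TLS 1.0 for every supplicant, not only the legacy device:
		#   tls_min_version = "1.0"
		#   disable_tlsv1 = no
		#   disable_tlsv1_1 = no
	}

	peap {
		tls = tls-common
		default_eap_type = mschapv2
		virtual_server = "inner-tunnel"
	}
}
```

The check is the debug run the OP already uses: `radiusd -fX` prints the version carried by each record, and a supplicant that cannot go above TLS 1.0 will still produce exactly the `fatal protocol_version` alert quoted above. That alert is the signal to replace or reconfigure the client, not to lower the server's floor.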
 

bigart

Member

Do you have some old hardware/software you're trying to use with RADIUS? That might be a reason why it tried to downgrade the connection.
Yes, I have an old AP/router for testing, and there is no option to change TLS to a newer version.
Finally I checked the working configuration on a Debian machine and there I found these two lines commented out too:
Code:
# tls_min_version = "1.0"
# tls_max_version = "1.2"
I did the same in the FreeBSD jail. It's working, but I don't know if it's secure...?

SirDice thank you once again for your help and warning.
 

bigart

Member

A tip for those who will have a problem with the lack of LDAP (see above) and need to install freeradius in a jail from ports.

Code:
mount -t nullfs /usr/ports /jails/freeradius/usr/ports/

/jails/freeradius/usr/ports/ - the path to the ports directory inside the jail
 

SirDice

Administrator
Moderator

It's working, but I don't know if it's secure...?
It's somewhat secure, there are just a number of known issues with it and the newer TLS protocols mitigated those. As long as you're aware why you enabled it and for what you can keep an eye on it. Knowing a potential Achilles' heel is quite important.
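"Keep an eye on it" needs something to look at. The script below is an added example for this thread (not FreeRADIUS project code): it reads `radiusd -X` debug output, ties each PEAP session's TLS records to the NAS address and client MAC from the Access-Request attributes, and lists the sessions that negotiated below TLS 1.2 or were rejected with a protocol_version alert, so whoever lowered `tls_min_version` for one legacy device can see which devices still depend on that exception. The sample debug text is constructed: request (2) reuses the two rejected-handshake lines quoted in the thread, and the other requests mimic the same format for a successful handshake. Two assumptions are mine, not the page's: the record-layer version printed on the server's `>>> send` lines is treated as the negotiated TLS version, and attribute lines are taken to have the `(N)   Name = value` layout that radiusd -X prints.

```python
"""Audit 'radiusd -X' output for PEAP sessions that depend on old TLS.

Added example for this thread, not FreeRADIUS project code.  For each
request it collects the TLS versions on the eap_peap records, the NAS and
client MAC from the Access-Request attributes, and reports sessions that
were rejected with protocol_version or that negotiated below TLS 1.2.

Assumptions not taken from the page: the record-layer version on the
server's ">>> send" lines is treated as the negotiated version, and the
attribute lines have the form '(N)   Name = value' as radiusd -X prints.
"""
import re
from collections import defaultdict

# Constructed sample.  Request (2) copies the two rejected-handshake lines
# quoted in the thread; (5) is the same client after tls_min_version was
# lowered to "1.0"; (9) is a modern supplicant on TLS 1.2.
SAMPLE_DEBUG = """\
(2) Received Access-Request Id 17 from 192.168.1.1:50211 to 192.168.1.16:1812 length 180
(2)   User-Name = "legacy-ap-test"
(2)   NAS-IP-Address = 192.168.1.1
(2)   Calling-Station-Id = "00-11-22-33-44-55"
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
(5) Received Access-Request Id 18 from 192.168.1.1:50211 to 192.168.1.16:1812 length 180
(5)   User-Name = "legacy-ap-test"
(5)   NAS-IP-Address = 192.168.1.1
(5)   Calling-Station-Id = "00-11-22-33-44-55"
(5) eap_peap: <<< recv TLS 1.0  [length 005a]
(5) eap_peap: >>> send TLS 1.0  [length 0051]
(5) eap_peap: >>> send TLS 1.0  [length 0313]
(9) Received Access-Request Id 3 from 192.168.1.2:49152 to 192.168.1.16:1812 length 196
(9)   User-Name = "alice"
(9)   NAS-IP-Address = 192.168.1.2
(9)   Calling-Station-Id = "66-77-88-99-AA-BB"
(9) eap_peap: <<< recv TLS 1.2  [length 00a8]
(9) eap_peap: >>> send TLS 1.2  [length 0051]
(9) eap_peap: >>> send TLS 1.2  [length 0313]
"""

RECORD_RE = re.compile(
    r"^\((?P<req>\d+)\) eap_peap: (?P<dir><<< recv|>>> send) TLS (?P<ver>\d\.\d)"
    r"(?P<alert> Alert)?\s+\[length [0-9a-f]{4}\](?:, (?P<desc>.*))?$"
)
ATTR_RE = re.compile(r'^\((?P<req>\d+)\)\s+(?P<name>[\w-]+) = "?(?P<value>[^"]*)"?$')
MIN_ACCEPTABLE = (1, 2)  # the floor this thread recommends keeping
WANTED_ATTRS = {"User-Name": "user", "NAS-IP-Address": "nas",
                "Calling-Station-Id": "mac"}


def _version(text):
    major, minor = text.split(".")
    return (int(major), int(minor))


def audit(debug_text):
    """Return {request_id: summary} for every request carrying eap_peap TLS records."""
    sessions = defaultdict(lambda: {"user": None, "nas": None, "mac": None,
                                    "recv": [], "sent": [], "alert": None})
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m and m["name"] in WANTED_ATTRS:
            sessions[int(m["req"])][WANTED_ATTRS[m["name"]]] = m["value"]
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        s = sessions[int(m["req"])]
        ver = _version(m["ver"])
        if m["alert"]:
            # An alert is sent before any version is agreed; keep only its description.
            s["alert"] = m["desc"] or ""
        elif m["dir"] == "<<< recv":
            s["recv"].append(ver)
        else:
            s["sent"].append(ver)

    report = {}
    for req, s in sessions.items():
        if not (s["recv"] or s["sent"] or s["alert"]):
            continue  # attributes only, no PEAP traffic for this request
        negotiated = "%d.%d" % max(s["sent"]) if s["sent"] else None
        if s["alert"] is not None and "protocol_version" in s["alert"]:
            status = "rejected_protocol_version"  # client offered a version outside [min, max]
        elif negotiated is None:
            status = "incomplete"
        elif max(s["sent"]) < MIN_ACCEPTABLE:
            status = "legacy_tls"  # only admitted because the floor was lowered
        else:
            status = "ok"
        report[req] = {"user": s["user"], "nas": s["nas"], "mac": s["mac"],
                       "negotiated": negotiated, "status": status}
    return report


def legacy_devices(report):
    """(nas, mac) pairs that still need something below TLS 1.2."""
    return {(r["nas"], r["mac"]) for r in report.values()
            if r["status"] in ("legacy_tls", "rejected_protocol_version")}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. a saved radiusd -X log
    text = open(path).read() if path else SAMPLE_DEBUG
    result = audit(text)
    for req in sorted(result):
        r = result[req]
        print("(%d) %-26s user=%s nas=%s mac=%s tls=%s"
              % (req, r["status"], r["user"], r["nas"], r["mac"], r["negotiated"]))
    if legacy_devices(result):
        print("devices still depending on TLS < 1.2:", sorted(legacy_devices(result)))
```

Run it as `radiusd -fX | tee radiusd.log` followed by `python3 audit_peap_tls.py radiusd.log`; without an argument it runs over the constructed sample. A `legacy_tls` entry whose MAC is not the one device the exception was made for is the case the warning above is about: a second client quietly depending on TLS 1.0 that nobody decided to allow.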
 