FreeRADIUS will not start

I am having some issues with FreeRADIUS on a slave server. When I try and start FreeRADIUS from the command prompt I get the following error.

Nov 01 14:33:24 vd-ucs systemd[1]: freeradius.service: Control process exited, code=exited status=1
Nov 01 14:33:24 vd-ucs systemd[1]: Failed to start FreeRADIUS multi-protocol policy server.
Nov 01 14:33:24 vd-ucs systemd[1]: freeradius.service: Unit entered failed state.
Nov 01 14:33:24 vd-ucs systemd[1]: freeradius.service: Failed with result 'exit-code'.

When I run “journalctl -xe” I get the following output.

-- Unit freeradius.service has begun starting up.
Nov 01 14:35:09 vd-ucs freeradius[9664]: FreeRADIUS Version 3.0.12
Nov 01 14:35:09 vd-ucs freeradius[9664]: Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
Nov 01 14:35:09 vd-ucs freeradius[9664]: There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
Nov 01 14:35:09 vd-ucs freeradius[9664]: PARTICULAR PURPOSE
Nov 01 14:35:09 vd-ucs freeradius[9664]: You may redistribute copies of FreeRADIUS under the terms of the
Nov 01 14:35:09 vd-ucs freeradius[9664]: GNU General Public License
Nov 01 14:35:09 vd-ucs freeradius[9664]: For more information about these matters, see the file named COPYRIGHT
Nov 01 14:35:09 vd-ucs freeradius[9664]: Starting - reading configuration files ...
Nov 01 14:35:09 vd-ucs freeradius[9664]: Debugger not attached
Nov 01 14:35:09 vd-ucs freeradius[9664]: Creating attribute Unix-Group
Nov 01 14:35:09 vd-ucs freeradius[9664]: Creating attribute LDAP-Group
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output
Nov 01 14:35:09 vd-ucs freeradius[9664]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"         found in filter l
Nov 01 14:35:09 vd-ucs freeradius[9664]: [/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"         found in fil
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_mschap (mschap): authenticating by calling 'ntlm_auth'
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_ldap: libldap vendor: OpenLDAP, version: 20445
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_ldap (ldap): Initialising connection pool
Nov 01 14:35:09 vd-ucs freeradius[9664]: Unable to check file "/etc/freeradius/ssl/private.key": Permission denied
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_eap_tls: Failed initializing SSL context
Nov 01 14:35:09 vd-ucs freeradius[9664]: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Nov 01 14:35:09 vd-ucs freeradius[9664]: /etc/freeradius/3.0/mods-enabled/eap[23]: Instantiation failed for module "eap"
Nov 01 14:35:09 vd-ucs systemd[1]: freeradius.service: Control process exited, code=exited status=1
Nov 01 14:35:09 vd-ucs systemd[1]: Failed to start FreeRADIUS multi-protocol policy server.
-- Subject: Unit freeradius.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit freeradius.service has failed.
--
-- The result is failed.
Nov 01 14:35:09 vd-ucs systemd[1]: freeradius.service: Unit entered failed state.
Nov 01 14:35:09 vd-ucs systemd[1]: freeradius.service: Failed with result 'exit-code'.

Any help that can be provided is greatly appreciated!

It looks like the permissions on the /etc/freeradius/ssl folder changed. I was able to resolve the issue by chmod 777, which I know grants “everyone” access. Is there anything wrong with leaving it as is? If so, can someone tell me the appropriate permissions it should have? Thanks.

FreeRADIUS on UCS (like Debian) runs under the unprivileged user freerad, which is also a member of the group with the same name freerad, hence /etc/freeradius/ssl is owned by root:freerad including all files in it. The certificate and private key shouldn’t be widely accessible by anyone or any process, so 777, while being a workaround, shouldn’t be your permanent fixture.

The certificate file and the private key have rw permissions to the user (root) and read-only ones for members of the group freerad.

Have you recently had to renew your UCS root CA? That could be one possible source of your issues when you had to replace the root CA and all issued certificates including the one used by FreeRADIUS.

Thanks msi,

I spun up another instance of UCS and pulled the appropriate permission level. For anyone who runs into this issue, you just need to chmod 2755 to restore the correct permissions to the ssl folder.
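
As an added example (not part of the thread, and not code from Univention or the FreeRADIUS project), these shell functions audit the ssl directory against the permissions the replies describe: directory mode 2755, files read-write for the owner and read-only for the group, owner root:freerad. The function names and the 640 file mode are assumptions, and it needs a stat that supports -c (GNU coreutils, as on Debian/UCS).

```shell
#!/bin/sh
# Added example: audit a FreeRADIUS TLS directory against the permissions
# described in this thread. Requires a stat that supports -c (GNU coreutils).
# Assumed policy: directory 2755, files 640, owner root:freerad.

# check PATH WANT_MODE [WANT_OWNER]: print findings, return 1 on any mismatch.
check() {
    path=$1 want_mode=$2 want_owner=${3:-}
    mode=$(stat -c '%a' "$path") || return 1
    owner=$(stat -c '%U:%G' "$path") || return 1
    rc=0
    if [ "$mode" != "$want_mode" ]; then
        echo "FINDING $path: mode $mode, expected $want_mode"
        rc=1
    fi
    # The last octal digit is the "others" class; a write bit there
    # (2, 3, 6, 7) lets any local account replace the key or certificate.
    case "${mode#"${mode%?}"}" in
        2|3|6|7) echo "FINDING $path: world-writable"; rc=1 ;;
    esac
    # The owner check is skipped when no expected owner is given.
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "FINDING $path: owner $owner, expected $want_owner"
        rc=1
    fi
    return $rc
}

# audit_ssl_dir DIR [WANT_OWNER]: check DIR and each regular file directly
# inside it. Returns 0 when everything matches, 1 if any finding was printed.
audit_ssl_dir() {
    audit_dir=$1 audit_owner=${2:-}
    failed=0
    check "$audit_dir" 2755 "$audit_owner" || failed=1
    for f in "$audit_dir"/*; do
        [ -f "$f" ] || continue
        check "$f" 640 "$audit_owner" || failed=1
    done
    return $failed
}

# On a real host (directory path taken from the log above):
#   audit_ssl_dir /etc/freeradius/ssl root:freerad
```

A non-zero return after a certificate renewal or package upgrade points at the same class of failure as the "Permission denied" line in the journal, or at an over-broad workaround such as 777 still being in place.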
