Problem: Radius - Since upgrading to 5.2-x login to Radius fails - mschap: Program returned code (1)

Problem

After the upgrade to UCS 5.2-x, errors occur in /var/log/freeradius/radius.log and the login to the Radius server fails. The following error messages are logged.

Mon Apr 28 10:28:22 2025 : Auth: (108612) Login incorrect (mschap: Program returned code (1) and output ''): [atv.s2845/<via Auth-Type = eap>] (from client external_uni_02 port 0 via TLS tunnel)
Mon Apr 28 10:28:22 2025 : Auth: (108627) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [atv.s2845/<via Auth-Type = eap>] (from client external_uni_02 port 1 cli C0-95-6D-00-00-00)
Mon Apr 28 10:28:22 2025 : ERROR: (108618) mschap: ERROR: Program returned code (1) and output ''
Mon Apr 28 10:28:22 2025 : Auth: (108618) Login incorrect (mschap: Program returned code (1) and output ''): [ipd.s2848/<via Auth-Type = eap>] (from client external_uni_02 port 0 via TLS tunnel)
Mon Apr 28 10:28:22 2025 : Auth: (108630) Login incorrect (eap_peap: The users session was previously rejected: returning reject (again.)): [ipd.s2848/<via Auth-Type = eap>] (from client external_uni_02 port 1 cli 7C-61-30-00-00-00)

Root Cause

Bug 58132

Fixed with Erratum 127


Solution

  1. Check whether all join scripts have been called. In particular, the join script of univention-radius must have run successfully.
  • univention-check-join-status
  2. Check the permissions of /etc/freeradius.secret and /var/log/univention/radius_ntlm_auth.log. If in doubt, just reset them.
  • ls -lah /etc/freeradius.secret
  • chown freerad:freerad /etc/freeradius.secret
  • chmod 440 /etc/freeradius.secret
  • chown freerad:freerad /var/log/univention/radius_ntlm_auth.log
  • chmod 644 /var/log/univention/radius_ntlm_auth.log
  3. If not already set by the latest univention-radius package, adapt the logrotate settings:
  • ucr set logrotate/radius_ntlm_auth/create="644 freerad freerad"
  4. Restart the service for the Radius server and check /var/log/freeradius/radius.log to see whether the issue is solved.
  • systemctl restart freeradius.service
  5. Check whether steps 1 - 4 were already sufficient to fix the problem. Do not continue if your problem is fixed!

Hint

The permissions of the two files are updated every 21 days (every time the server credentials are automatically rotated) and nightly, respectively:

Correct permissions:
-r--r----- 1 freerad freerad 20 Jun 16 12:40 /etc/freeradius.secret
-rw-r--r-- 1 freerad freerad 0 Jun 22 00:00 /var/log/univention/radius_ntlm_auth.log
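
The ownership and mode check from step 2, scripted as an added example (not part of the original article and not Univention code): it compares both files against the "Correct permissions" listing above and counts the mschap login rejections in a log file. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not Univention code. Function names are hypothetical.
# Assumes GNU stat (coreutils).

# check_file PATH OWNER:GROUP MODE
# returns 0 = matches, 1 = owner or mode drifted, 2 = file missing
check_file() {
    path=$1; want_owner=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    have_owner=$(stat -c '%U:%G' "$path")   # owner:group names
    have_mode=$(stat -c '%a' "$path")       # octal mode, e.g. 440
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        echo "OK      $path ($have_owner $have_mode)"
        return 0
    fi
    echo "DRIFT   $path: have $have_owner $have_mode, want $want_owner $want_mode"
    return 1
}

# Audit both files against the "Correct permissions" listing.
audit_radius_files() {
    drift=0
    check_file /etc/freeradius.secret freerad:freerad 440 || drift=1
    check_file /var/log/univention/radius_ntlm_auth.log freerad:freerad 644 || drift=1
    return "$drift"
}

# mschap_failures LOGFILE: print the number of logins rejected with the
# error from this article (0 if the log is unreadable).
mschap_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -cF 'Login incorrect (mschap: Program returned code (1)' "$1" || true
}

# Run the audit only when asked to, e.g.: sh radius-perms.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_radius_files; audit_rc=$?
    echo "mschap failures: $(mschap_failures /var/log/freeradius/radius.log)"
    exit "$audit_rc"
fi
```

Run it as root with --run after the nightly log rotation or a credential rotation; a non-zero exit status means at least one file is missing or has drifted.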


Workaround:

If the problem persists, try the following workaround.

  1. You have to stop the Radius server
    systemctl stop freeradius.service

  2. Get into the edit mode for the Radius service
    systemctl edit freeradius

  3. Add this to the systemd service and save.

### Anything between here and the comment below will become the new contents of the file
[Service]
AmbientCapabilities=CAP_DAC_OVERRIDE

  4. Start the Radius service
    systemctl start freeradius.service