Localhost Radius Server Connectivity Issues on Port 5000

Dear PrivacyIdea Community,

I have a clean v3.8.1 installation with a new database, running on a Red Hat 8.4 o/s with apache 2.4. I am also running the freeradius package locally on the same server.

I am able to authenticate and log in to the privacyidea portal, as well as create TOTP QR codes for my Active Directory users. However, when I try to authenticate with the external application that requires the MFA functionality, it fails, and this is because of an inability to communicate with the local radius service.

I see the following ‘Can't connect to localhost on port 5000’ type errors in a tcpdump network packet capture:

[bad udp cksum 0x59e7 -> 0xe06e!] RADIUS, length: 106
        Access-Reject (3), id: 0x03, Authenticator: 02c2fc0c7f6dbd4ce1f7db81a66c9e4b
          Reply-Message Attribute (18), length: 86, Value: privacyIDEA request failed: 500 Can't connect to localhost:5000 (Connection refused)
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@otp-i0adb4a433bcd584f6 certs]#

I guess the problem is with the freeradius configuration within apache and I require a virtual server listening on port 5000 that can receive the request before passing it on to the radius application.

Is there a template for creating an apache virtual server for the radius service on port 5000?

Confirmation of the freeradius package installation:

[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# rpm -qa | grep -i  radius

Is there a particular version of freeradius that I should be installing, as version 3.0.20-12 looks a little old?

The latest version appears to be 3.2.2…?

The radius service appears to be up and running despite an error relating to a missing bootstrap directory:

[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
   Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2023-08-09 19:37:56 BST; 3 days ago
  Process: 15251 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
  Process: 15247 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
  Process: 15246 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=127)
  Process: 15244 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
 Main PID: 15253 (radiusd)
    Tasks: 6 (limit: 23388)
   Memory: 87.3M
   CGroup: /system.slice/radiusd.service
           └─15253 /usr/sbin/radiusd -d /etc/raddb

Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 sh[15246]: /bin/sh: /etc/raddb/certs/bootstrap: No such file or directory
Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 systemd[1]: Started FreeRADIUS high performance RADIUS server..

The ‘/etc/privacyIDEA/rlm_perl.ini’ file contains the following entries:

[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# cat rlm_perl.ini
URL = http://localhost:5000/validate/check

The above url expects there to be a local service listening on port 5000 but that is not the case:

[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# netstat -anp | grep -i "listen "
tcp        0      0*               LISTEN      1142/consul
tcp        0      0*               LISTEN      1142/consul
tcp        0      0  *               LISTEN      857/dnsmasq
tcp        0      0    *               LISTEN      1145/sshd
tcp        0      0*               LISTEN      1142/consul
tcp        0      0 *               LISTEN      856/zabbix_agentd
tcp6       0      0 :::9100                 :::*                    LISTEN      860/node_exporter
tcp6       0      0 :::80                   :::*                    LISTEN      36130/httpd
tcp6       0      0 ::1:53                  :::*                    LISTEN      857/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      1145/sshd
tcp6       0      0 :::10050                :::*                    LISTEN      856/zabbix_agentd

The service that should be listening on port 5000 is apache and this suggests that I am missing some configuration code or software.

Does that sound correct?

Is this the correct procedure for me to install and configure radius to run locally on my privacyIDEA server?

RADIUS plugin — privacyIDEA 3.8 documentation

Can anyone offer a little advice on the freeradius deployment configuration for a local installation?

Please …

Hi. The host part of the privacyidea URL inside rlm_perl.ini should be the same host you’ve used to access privacyidea’s web UI. By default, the REST API and web UI run on the same server and host:port.
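
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original posts or of privacyIDEA's code: it reads the URL entry from rlm_perl.ini, compares its port against the LISTEN rows of `netstat -anp`, and offers a live TCP check. The function names and the list of web-server process names are assumptions, and the sample input is constructed from lines shown in the question.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample: the URL line and the intact tcp6 rows from the question.
SAMPLE_INI = "URL = http://localhost:5000/validate/check\n"
SAMPLE_NETSTAT = """\
tcp6       0      0 :::9100                 :::*                    LISTEN      860/node_exporter
tcp6       0      0 :::80                   :::*                    LISTEN      36130/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1145/sshd
"""
WEB_SERVERS = ("httpd", "apache2", "nginx")  # assumed process names

def url_endpoint(ini_text):
    """Return (host, port) from the first 'URL = ...' line of rlm_perl.ini."""
    m = re.search(r"^\s*URL\s*=\s*(\S+)", ini_text, re.MULTILINE)
    if not m:
        raise ValueError("no URL entry found")
    parts = urlsplit(m.group(1))
    # Fall back to the scheme's default port when the URL names none.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port

def listeners(netstat_text):
    """Map listening TCP port -> process name from 'netstat -anp' output."""
    found = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 7 and f[0].startswith("tcp") and f[5] == "LISTEN":
            port = int(f[3].rsplit(":", 1)[1])  # handles 0.0.0.0:22 and :::22
            found[port] = f[6].split("/", 1)[-1]
    return found

def diagnose(ini_text, netstat_text):
    """Say whether anything listens on the port the RADIUS plugin will call."""
    host, port = url_endpoint(ini_text)
    table = listeners(netstat_text)
    if port in table:
        return f"{host}:{port} is served by {table[port]}"
    web = sorted(p for p, name in table.items() if name in WEB_SERVERS)
    return f"nothing listens on {host}:{port}; web server ports seen: {web}"

def can_connect(host, port, timeout=2.0):
    """Live check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    print(diagnose(SAMPLE_INI, SAMPLE_NETSTAT))
```

On a real host, pass the contents of `/etc/privacyIDEA/rlm_perl.ini` and the output of `netstat -anp` to `diagnose`, then confirm with `can_connect(*url_endpoint(ini_text))`.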