Dear PrivacyIdea Community,
I have a clean v3.8.1 installation with a new database, running on a Red Hat 8.4 o/s with apache 2.4. I am also running the freeradius package locally on the same server.
I am able to authenticate and log in to the privacyidea portal as well as create TOTP QR codes for my Active Directory users. However, when I try to authenticate with the external application that requires the MFA functionality, it fails and this is because of an inability to communicate with the local radius service.
I see the following ‘Can't connect to localhost on port 5000’-type errors in a tcpdump network packet capture:
172.30.0.152.1812 > 172.30.0.143.65523: [bad udp cksum 0x59e7 -> 0xe06e!] RADIUS, length: 106
Access-Reject (3), id: 0x03, Authenticator: 02c2fc0c7f6dbd4ce1f7db81a66c9e4b
Reply-Message Attribute (18), length: 86, Value: privacyIDEA request failed: 500 Can't connect to localhost:5000 (Connection refused)
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@otp-i0adb4a433bcd584f6 certs]#
I guess the problem is with the freeradius configuration within apache and I require a virtual server listening on port 5000 that can receive the request before passing it on to the radius application.
Is there a template for creating an apache virtual server for the radius service on port 5000?
Confirmation of the freeradius package installation:
[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# rpm -qa | grep -i radius
freeradius-perl-3.0.20-12.module+el8.6.0+13617+542eca26.x86_64
freeradius-3.0.20-12.module+el8.6.0+13617+542eca26.x86_64
Is there a particular version of freeradius that I should be installing, as version 3.0.20-12 looks a little old?
The latest version appears to be 3.2.2…?
The radius service appears to be up and running despite an error relating to a missing bootstrap directory:
[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# systemctl status radiusd.service
● radiusd.service - FreeRADIUS high performance RADIUS server.
Loaded: loaded (/usr/lib/systemd/system/radiusd.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2023-08-09 19:37:56 BST; 3 days ago
Process: 15251 ExecStart=/usr/sbin/radiusd -d /etc/raddb (code=exited, status=0/SUCCESS)
Process: 15247 ExecStartPre=/usr/sbin/radiusd -C (code=exited, status=0/SUCCESS)
Process: 15246 ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap (code=exited, status=127)
Process: 15244 ExecStartPre=/bin/chown -R radiusd.radiusd /var/run/radiusd (code=exited, status=0/SUCCESS)
Main PID: 15253 (radiusd)
Tasks: 6 (limit: 23388)
Memory: 87.3M
CGroup: /system.slice/radiusd.service
└─15253 /usr/sbin/radiusd -d /etc/raddb
Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 systemd[1]: Starting FreeRADIUS high performance RADIUS server....
Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 sh[15246]: /bin/sh: **/etc/raddb/certs/bootstrap: No such file or directory**
Aug 09 19:37:56 otp-i0a01e224db6a2f3d4 systemd[1]: Started FreeRADIUS high performance RADIUS server..
The ‘/etc/privacyIDEA/rlm_perl.ini’ file contains the following entries:
[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# cat rlm_perl.ini
[Default]
URL = http://localhost:5000/validate/check
The above URL expects there to be a local service listening on port 5000 but that is not the case:
[root@otp-i0a01e224db6a2f3d4 privacyIDEA]# netstat -anp | grep -i "listen "
tcp 0 0 172.30.0.216:8301 0.0.0.0:* LISTEN 1142/consul
tcp 0 0 127.0.0.1:8500 0.0.0.0:* LISTEN 1142/consul
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 857/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1145/sshd
tcp 0 0 127.0.0.1:8600 0.0.0.0:* LISTEN 1142/consul
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 856/zabbix_agentd
tcp6 0 0 :::9100 :::* LISTEN 860/node_exporter
tcp6 0 0 :::80 :::* LISTEN 36130/httpd
tcp6 0 0 ::1:53 :::* LISTEN 857/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 1145/sshd
tcp6 0 0 :::10050 :::* LISTEN 856/zabbix_agentd
The service that should be listening on port 5000 is apache and this suggests that I am missing some configuration code or software.
Does that sound correct?
Is this the correct procedure for me to install and configure radius to run locally on my privacyIDEA server?
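As an added example (not from the post above or from the privacyIDEA project), a small bash check that ties the two pieces of evidence together: it pulls the URL out of rlm_perl.ini, works out the host and port rlm_perl will connect to, and looks that port up in the LISTEN listing, so a "Connection refused" like the one in the tcpdump is reported before FreeRADIUS starts handing out Access-Rejects. The ini text and netstat lines in the block are constructed from the values shown in the post; the function names are assumed, not part of any tool.

```shell
#!/usr/bin/env bash
# Cross-check the target URL in /etc/privacyIDEA/rlm_perl.ini against the
# sockets that are actually listening (netstat -tlnp / ss -ltnp output).

# Print the URL value from the [Default] section of rlm_perl.ini (stdin).
ini_url() {
    sed -n 's/^[[:space:]]*URL[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Reduce a URL to "host port"; when no explicit port is given, use the
# scheme default (443 for https, 80 otherwise). Bracketed IPv6 hosts are
# not handled, which is fine for the localhost/127.0.0.1 case here.
url_host_port() {
    local url="$1" scheme rest host port
    scheme="${url%%://*}"
    rest="${url#*://}"; rest="${rest%%/*}"
    host="${rest%%:*}"
    if [ "$rest" = "$host" ]; then
        case "$scheme" in https) port=443 ;; *) port=80 ;; esac
    else
        port="${rest##*:}"
    fi
    printf '%s %s\n' "$host" "$port"
}

# Read a netstat/ss LISTEN listing on stdin; print the PID/program bound to
# port $1 (field 4 is the local address, last field is PID/program) and
# return 1 when nothing listens on that port.
listener_on_port() {
    awk -v p="$1" '$NF ~ /\// && $4 ~ (":" p "$") {print $NF; found=1}
                   END {exit !found}'
}

# $1 = rlm_perl.ini contents, $2 = LISTEN listing. Returns 1 on a mismatch.
check_rlm_perl_target() {
    local url hp host port who
    url=$(printf '%s\n' "$1" | ini_url)
    hp=$(url_host_port "$url"); host=${hp% *}; port=${hp#* }
    if who=$(printf '%s\n' "$2" | listener_on_port "$port"); then
        echo "OK: $url -> $host:$port is served by $who"
    else
        echo "PROBLEM: $url -> nothing listens on port $port (rlm_perl will get 'Connection refused')"
        return 1
    fi
}

# Constructed sample input mirroring the post (not captured from a live host).
SAMPLE_INI='[Default]
URL = http://localhost:5000/validate/check'
SAMPLE_LISTEN='tcp 0 0 127.0.0.1:8500 0.0.0.0:* LISTEN 1142/consul
tcp6 0 0 :::80 :::* LISTEN 36130/httpd
tcp6 0 0 :::22 :::* LISTEN 1145/sshd'
check_rlm_perl_target "$SAMPLE_INI" "$SAMPLE_LISTEN" || :
```

On the real server the same check runs as `check_rlm_perl_target "$(cat /etc/privacyIDEA/rlm_perl.ini)" "$(netstat -tlnp)"`; with the listing from the post it reports that only port 80 (httpd) is a candidate, which is the mismatch to resolve.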