# FreeRADIUS in jail | Failed opening auth address :: port 1812 bound to server



## bigart (Jan 11, 2021)

Hi,
I'm trying to run FreeRADIUS in a jail. Host and jail are in the same network.


```
radiusd -fX
...
Failed opening auth address :: port 1812 bound to server default: Protocol not supported
/usr/local/etc/raddb/sites-enabled/default[245]: Error binding to port for :: port 1812
```



```
root@freeradius:/ # sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   1331  4  tcp4   192.168.1.16:25       *:*
root     smbd       1283  49 tcp4   192.168.1.16:445      *:*
root     smbd       1283  50 tcp4   192.168.1.16:139      *:*
root     nmbd       1279  14 udp4   192.168.1.16:137      *:*
root     nmbd       1279  15 udp4   192.168.1.16:138      *:*
root     nmbd       1279  16 udp4   192.168.1.16:137      *:*
root     nmbd       1279  17 udp4   192.168.1.16:137      *:*
root     nmbd       1279  18 udp4   192.168.1.16:138      *:*
root     nmbd       1279  19 udp4   192.168.1.16:138      *:*
root     syslogd    1244  5  udp4   192.168.1.16:514      *:*
```

Network configuration on host


```
root@jail-host:~ # ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:1f:89:e6
        inet 192.168.1.12 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.13 netmask 0xffffffff broadcast 192.168.1.13
        inet 192.168.1.14 netmask 0xffffffff broadcast 192.168.1.14
        inet 192.168.1.15 netmask 0xffffffff broadcast 192.168.1.15
        inet 192.168.1.16 netmask 0xffffffff broadcast 192.168.1.16
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2
        inet 127.0.0.1 netmask 0xff000000
        groups: lo
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
```

Network configuration in jail


```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=81009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,VLAN_HWFILTER>
        ether 08:00:27:1f:89:e6
        inet 192.168.1.16 netmask 0xffffffff broadcast 192.168.1.16
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
        groups: lo
```


```
root@freeradius:/usr/local/etc/raddb/mods-enabled # sockstat | grep 1812
root@freeradius:/usr/local/etc/raddb/mods-enabled #
```

Ping between host and jail is working. As you can see above, the jail is connected to the domain and everything is working.
The firewall on the host is turned off for testing purposes.

Where do I have to look to find the problem?


----------



## suntzu00 (Jan 11, 2021)

Check the radius config files for IPv6-related stuff and disable it/change it to IPv4. It's trying to listen on `::`.


----------



## SirDice (Jan 11, 2021)

Bind the service to the specific jail's IP address.
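Both suggestions above in one place, as an added example that is not part of the original thread: a POSIX shell script that scans a FreeRADIUS 3 site file for `listen` sections, flags any that bind to `::` (in a jail with no `ip6` configured, `socket(AF_INET6)` fails with exactly the "Protocol not supported" error shown in the first post) or to the `*` wildcard (which works, but binds whatever addresses the jail is given), and prints a replacement pinned to the jail address. The jail address 192.168.1.16 is the one from the thread; the sample site file is constructed inline and only resembles `sites-enabled/default`.

```sh
#!/bin/sh
# Added example (not from the thread): find FreeRADIUS listen{} sections that
# cannot work, or are needlessly broad, inside a FreeBSD jail, and print a
# replacement pinned to the jail address. Assumes FreeRADIUS 3 site-file syntax.
set -eu

JAIL_IP="${JAIL_IP:-192.168.1.16}"   # the jail address from the thread

# write_sample_site FILE: a constructed stand-in for sites-enabled/default.
write_sample_site() {
    cat > "$1" <<'EOF'
server default {
    listen {
        type = auth
        ipaddr = *
        port = 0
    }
    listen {
        ipaddr = *
        port = 0
        type = acct
    }
    listen {
        type = auth
        ipv6addr = ::
        port = 0
    }
    listen {
        ipv6addr = ::
        port = 0
        type = acct
    }
    # ipaddr = *   <- commented out, must not be reported
}
EOF
}

# audit_listen FILE: one line "TYPE BINDING VERDICT" per listen{} section.
# ipv6addr in a jail without ip6 fails at socket(): "Protocol not supported".
# ipaddr = * works, but binds whatever addresses the jail is given; pin it.
# Exit status 1 if anything needs changing, so it can gate a deploy script.
audit_listen() {
    awk -v ip="$JAIL_IP" '
        { sub(/#.*/, "") }                                   # strip comments
        /^[ \t]*listen[ \t]*[{]/ { inblk = 1; type = "?"; bind = "?"; next }
        inblk && /^[ \t]*}/ {
            if (bind ~ /^ipv6addr/)  v = "FAIL-no-ipv6-in-jail"
            else if (bind ~ /= *\*/) v = "WILDCARD-pin-to-" ip
            else                     v = "ok"
            printf "%s %s %s\n", type, bind, v
            if (v != "ok") bad = 1
            inblk = 0; next
        }
        inblk && /^[ \t]*type[ \t]*=/ {
            sub(/^[ \t]*type[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); type = $0
        }
        inblk && /^[ \t]*ipv?6?addr[ \t]*=/ {
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, ""); bind = $0
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# pinned_listen TYPE PORT: a listen{} section bound only to the jail address.
pinned_listen() {
    printf 'listen {\n\ttype = %s\n\tipaddr = %s\n\tport = %s\n}\n' "$1" "$JAIL_IP" "$2"
}

main() {
    tmp=$(mktemp -d)
    write_sample_site "$tmp/default"
    echo "== audit (jail address $JAIL_IP) =="
    if audit_listen "$tmp/default"; then
        echo "all listen sections are pinned"
    else
        echo "== replacement sections for sites-enabled/default =="
        pinned_listen auth 1812
        pinned_listen acct 1813
        echo "then: radiusd -C && service radiusd restart && sockstat -4l | grep 181[23]"
    fi
    rm -rf "$tmp"
}
main
```

Run it against the real file with `JAIL_IP=<jail address> sh audit-listen.sh` after swapping the sample for `/usr/local/etc/raddb/sites-enabled/default`. Pinning `ipaddr` rather than commenting out the IPv6 sections keeps the binding explicit if the jail is later given a second address, and `radiusd -C` checks the configuration without starting the daemon, so a mistake is caught before the service is restarted.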


----------



## bigart (Jan 11, 2021)

thank you,

I resolved the problem by editing /usr/local/etc/raddb/sites-enabled/default and commenting out all IPv6 settings.

Now I have problem with LDAP:

```
/usr/local/etc/raddb/mods-enabled/ldap[8]: Failed to link to module rlm_ldap': Cannot open "/usr/local/lib/freeradius-3.0.21/rlm_ldap.so"
```

ldap exists in mods-enabled.


```
root@freeradius:/usr/local/etc/raddb/mods-enabled # ls
always          detail.log      expiration      mschap          realm           utf8
attr_filter     digest          expr            ntlm_auth       replicate
cache_eap       dynamic_clients files           pap             soh
chap            eap             ldap            passwd          sradutmp
date            echo            linelog         preprocess      unix
detail          exec            logintime       radutmp         unpack
```

Do I have to install freeradius using ports?


----------



## SirDice (Jan 11, 2021)

Assuming you mean net/freeradius3, the option is off by default:

```
LDAP=off: LDAP protocol support
```


----------



## bigart (Jan 11, 2021)

SirDice said:


> Assuming you mean net/freeradius3, the option is off by default:
> 
> ```
> LDAP=off: LDAP protocol support
> ```


Is it possible to install freeradius-ldap without reinstalling all of freeradius?


----------



## SirDice (Jan 11, 2021)

bigart said:


> Is it possible to install freeradius-ldap without reinstalling all of freeradius?


No, you're going to need to build it from ports too. Packages are built with the default options, so that means the option is off in the package. There is no "slave" port/package that has this option turned on.


----------



## bigart (Jan 11, 2021)

Is it possible to resolve the TLS problem?


```
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
```


----------



## SirDice (Jan 11, 2021)

Did you configure the certificates for it? TLS 1.0 is rather old and typically disabled everywhere nowadays.


----------



## bigart (Jan 11, 2021)

No, I didn't configure any certificates. Can you give me a tip on where to do it?


----------



## SirDice (Jan 11, 2021)

I don't know, never used FreeRADIUS. So I'm going to have to read the documentation to figure it out. Which you should probably do instead of me.


----------



## bigart (Jan 12, 2021)

Solution for the TLS problem:

Edit the file /usr/local/etc/raddb/mods-enabled/eap.

Find and comment out these lines:

```
                #disable_tlsv1_2 = no
                #disable_tlsv1_0 = yes
                #disable_tlsv1_1 = yes
                #disable_tlsv1 = yes
```

Find and change these lines:

```
                tls_min_version = "1.0"
                tls_max_version = "1.3"
```


----------



## SirDice (Jan 12, 2021)

You really shouldn't use TLS 1.0 and 1.1 anymore, that's why they've been disabled in the configuration. The best way forward is to figure out why one side wants to 'downgrade' the connection from TLS 1.3 to 1.0. Never just blindly enable old and deprecated authentication protocols, that's going to cause problems eventually. 


```
(2) eap_peap: <<< recv TLS 1.3  [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
```

Do you have some old hardware/software you're trying to use with RADIUS? That might be a reason why it tried to downgrade the connection.


----------



## bigart (Jan 12, 2021)

SirDice said:


> Do you have some old hardware/software you're trying to use with RADIUS? That might be a reason why it tried to downgrade the connection.


Yes, I have an old AP/router (for testing) and there is no option to change TLS to a newer version.
Finally I checked the working configuration on a Debian machine and there I found these two lines commented out too:

```
#               tls_min_version = "1.0"
#               tls_max_version = "1.2"
```

I did the same in the FreeBSD jail. It's working, but I don't know if it's secure...?

SirDice thank you once again for your help and warning.


----------



## bigart (Jan 12, 2021)

A tip for those who will have a problem with the lack of LDAP (see above) and need to install freeradius *in a jail* from ports:

`mount -t nullfs /usr/ports /jails/freeradius/usr/ports/`

where /jails/freeradius/usr/ports/ is the path to the jail's ports directory.
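The two pieces above (LDAP is a non-default option of net/freeradius3, and the nullfs mount to build inside the jail) combined into one script, as an added example that is not from the thread. It mounts the host ports tree into the jail read-only, keeps work and distfiles directories on writable storage inside the jail, selects LDAP through the jail's `make.conf` instead of the interactive `make config` dialog, builds non-interactively, verifies that `rlm_ldap.so` now exists, and locks the package so a later `pkg upgrade` does not silently put the option-less package back. The jail name `freeradius` and root `/jails/freeradius` are from the thread; `/var/ports` for `WRKDIRPREFIX`/`DISTDIR` is my choice. Without the `run` argument it only prints the plan.

```sh
#!/bin/sh
# Added example (not from the thread): build net/freeradius3 with LDAP=on inside
# a FreeBSD jail from a read-only nullfs copy of the host ports tree.
# Names from the thread: jail "freeradius", root /jails/freeradius.
# My choices: work dirs and distfiles under /var/ports inside the jail.
set -eu

JAIL="${JAIL:-freeradius}"                # jexec target
JAIL_ROOT="${JAIL_ROOT:-/jails/$JAIL}"    # jail root as seen from the host
PORTS_HOST="${PORTS_HOST:-/usr/ports}"    # host ports tree
PORT="${PORT:-net/freeradius3}"           # port origin named in the thread
DRYRUN=1                                  # "run" as first argument executes

# run CMD...: execute CMD, or print it with a "+" prefix when dry-running.
run() {
    if [ "$DRYRUN" -eq 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# make_conf_lines: settings for the jail's /etc/make.conf. The option is
# selected here, not in the interactive "make config" dialog, so the build is
# reproducible; <category>_<port>_SET is the ports framework's key for that.
make_conf_lines() {
    printf '%s_SET+=LDAP\n' "$(printf '%s' "$PORT" | tr '/' '_')"
    printf 'WRKDIRPREFIX=/var/ports\n'        # work dirs off the read-only tree
    printf 'DISTDIR=/var/ports/distfiles\n'   # distfiles likewise
    printf 'BATCH=yes\n'                      # never block on option dialogs
}

# plan: the whole procedure, executed on the host as root.
plan() {
    run mkdir -p "$JAIL_ROOT/usr/ports" "$JAIL_ROOT/var/ports/distfiles"
    # read-only: the jail executes Makefiles from this tree, it must not edit them
    run mount -t nullfs -o ro "$PORTS_HOST" "$JAIL_ROOT/usr/ports"
    if [ "$DRYRUN" -eq 1 ]; then
        printf '+ append to %s/etc/make.conf:\n' "$JAIL_ROOT"
        make_conf_lines | sed 's/^/    /'
    else
        make_conf_lines >> "$JAIL_ROOT/etc/make.conf"
    fi
    run jexec "$JAIL" make -C "/usr/ports/$PORT" showconfig        # expect LDAP=on
    run jexec "$JAIL" make -C "/usr/ports/$PORT" reinstall clean   # replaces the pkg build
    run jexec "$JAIL" sh -c 'ls -l /usr/local/lib/freeradius-*/rlm_ldap.so'
    run jexec "$JAIL" pkg lock -y freeradius3   # stop "pkg upgrade" swapping it back
    run umount "$JAIL_ROOT/usr/ports"
}

[ "${1:-}" = run ] && DRYRUN=0
plan
```

Usage on the host: `sh build-freeradius-ldap.sh` to review the plan, then `sh build-freeradius-ldap.sh run`. The read-only mount is the point of doing it this way rather than with the plain `mount -t nullfs` above: the ports tree is code the jail executes as root, and a writable mount would let anything that compromises the jail modify Makefiles the host may later build from. The locked package has to be rebuilt from the port on every update; `pkg unlock freeradius3` before doing so.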


----------



## SirDice (Jan 12, 2021)

bigart said:


> It's working but I don't know if it's secure ... ?


It's somewhat secure, there are just a number of known issues with it and the newer TLS protocols mitigated those. As long as you're aware why you enabled it and for what you can keep an eye on it. Knowing a potential Achilles' heel is quite important.
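As an added example that is not from the thread: a shell audit of the `eap` module file for the situation discussed above, where `tls_min_version` was lowered to "1.0" for one legacy client and no certificates had been configured. It reports the TLS floor the file asks for (1.2 is the current baseline, anything lower is flagged), reports the legacy `disable_tlsv1*` toggles separately when they are active (because which family of settings wins varies between 3.0.x releases, the audit assumes nothing about precedence), resolves `${confdir}`/`${certdir}`/`${cadir}` to check that the key, certificate and CA files actually exist, and flags a world-readable private key or the shipped default `private_key_password`. It never talks to the server; run it against `/usr/local/etc/raddb/mods-enabled/eap`. The key names are the real FreeRADIUS 3 ones; the two sample trees (one weak, one hardened) and their certificate files are constructed stubs.

```sh
#!/bin/sh
# Added example (not from the thread): audit the TLS and certificate settings of
# a FreeRADIUS 3 mods-enabled/eap file without starting radiusd. Key names are
# the real ones; the sample trees and certificate files are constructed stubs.
set -eu

# setting FILE KEY: value of the first active "KEY = value" line, quotes
# stripped; empty when the key only appears commented out.
setting() {
    sed -n -e 's/#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\)\"\{0,1\}.*/\1/p" \
        "$1" | head -n 1
}

# resolve VALUE: expand ${confdir}, ${certdir}, ${cadir} (globals set by audit_eap).
resolve() {
    printf '%s\n' "$1" | sed -e 's|[$]{confdir}|'"$confdir"'|g' \
        -e 's|[$]{certdir}|'"$certdir"'|g' -e 's|[$]{cadir}|'"$cadir"'|g'
}

# audit_eap FILE: one finding per line; exit 1 if anything is weak or missing,
# so it can gate "radiusd -C && service radiusd restart".
audit_eap() {
    f=$1; bad=0
    confdir=$(cd "$(dirname "$f")/.." && pwd)     # raddb/ is two levels up
    certdir=; cadir=
    certdir=$(resolve "$(setting "$f" certdir)")
    cadir=$(resolve "$(setting "$f" cadir)")
    min=$(setting "$f" tls_min_version); max=$(setting "$f" tls_max_version)
    case "$min" in
        1.2|1.3) echo "tls_min_version=$min: ok" ;;
        1.0|1.1) echo "tls_min_version=$min: WEAK, below 1.2"; bad=1 ;;
        "")      echo "tls_min_version unset: floor is the build default, set it explicitly" ;;
        *)       echo "tls_min_version=$min: WEAK, unrecognised"; bad=1 ;;
    esac
    echo "tls_max_version=${max:-unset}"
    # legacy toggles: "no" re-enables that version; which family wins differs
    # between 3.0.x releases, so both are reported rather than one assumed
    for k in disable_tlsv1 disable_tlsv1_1; do
        if [ "$(setting "$f" "$k")" = no ]; then echo "$k=no: WEAK, legacy toggle"; bad=1; fi
    done
    for k in private_key_file certificate_file ca_file; do
        p=$(resolve "$(setting "$f" "$k")")
        if [ -z "$p" ]; then echo "$k: not set"; bad=1
        elif [ ! -r "$p" ]; then echo "$k=$p: MISSING (raddb/certs/bootstrap makes test certs)"; bad=1
        else echo "$k=$p: present"
        fi
    done
    key=$(resolve "$(setting "$f" private_key_file)")
    if [ -r "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
        echo "private_key_file is world-readable: WEAK"; bad=1
    fi
    if [ "$(setting "$f" private_key_password)" = whatever ]; then
        echo "private_key_password is the shipped default: WEAK"; bad=1
    fi
    return $bad
}

# write_samples DIR: two constructed raddb trees, DIR/weak and DIR/hard.
write_samples() {
    for v in weak hard; do
        mkdir -p "$1/$v/mods-enabled" "$1/$v/certs"
        : > "$1/$v/certs/server.pem"          # stub, not a real PEM file
    done
    chmod 644 "$1/weak/certs/server.pem"; chmod 600 "$1/hard/certs/server.pem"
    : > "$1/hard/certs/ca.pem"                # deliberately absent in weak
    cat > "$1/weak/mods-enabled/eap" <<'EOF'
eap {
    tls-config tls-common {
        private_key_password = whatever
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        ca_file = ${cadir}/ca.pem
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        disable_tlsv1 = no
        tls_min_version = "1.0"   # lowered for one legacy client, as in the thread
        tls_max_version = "1.3"
    }
}
EOF
    # hardened variant: real password placeholder, toggle gone, floor 1.2, max unset
    sed -e 's/= whatever/= "placeholder-change-me"/' -e '/disable_tlsv1 = no/d' \
        -e 's/"1\.0".*/"1.2"/' -e 's/^\( *\)tls_max_version/\1#tls_max_version/' \
        "$1/weak/mods-enabled/eap" > "$1/hard/mods-enabled/eap"
}

main() {
    tmp=$(mktemp -d); write_samples "$tmp"
    for v in weak hard; do
        echo "== $v: $tmp/$v/mods-enabled/eap =="
        if audit_eap "$tmp/$v/mods-enabled/eap"; then echo "verdict: ok"; else echo "verdict: fix before restart"; fi
    done
    rm -rf "$tmp"
}
main
```

The "unsupported protocol" error in the log above is what OpenSSL raises when the client hello offers no version inside the server's configured range, so the floor and ceiling are the first things to check; but lowering the floor, as the thread ended up doing, widens what every client may negotiate, not just the one legacy device. If that device cannot be retired, the audit at least makes the lowered floor, the default key password and the missing CA file visible on every restart instead of leaving them as silent state in the file.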


----------

