Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes

When you run yum upgrade on a CentOS/RedHat 7 instance, you will be upgraded to 7.4. If you have a FreeRADIUS server, you will be upgraded from version 2 to 3, and your server will likely stop authenticating! Good times! Fortunately, the solution was not complicated for us, because we had good documentation.

Symptoms

Your radius server suddenly starts denying logins.

Diagnosis

The configuration file /etc/raddb/radiusd.conf has changed enough between versions 2 and 3 that you cannot re-use the old version. To get radius debugging output, stop the radiusd service, and run (as root):

radiusd -X

 ... lines containing sensitive information redacted ...

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> TRUE
(0)         if (&User-Name =~ /\.\./ )  {
(0)           update request {
(0)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(0)           } # update request = noop
(0)           [reject] = reject
(0)         } # if (&User-Name =~ /\.\./ )  = reject
(0)       } # if (&User-Name)  = reject
(0)     } # policy filter_username = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject

...

Solution

To get freeradius 3 working on CentOS/RedHat 7.4, back up your old radius configuration file, copy the new configuration file, and edit it to make any required changes. It’s possible that you don’t need to make any changes at all. Fortunately, much of the site-specific configuration for RADIUS takes place in other configuration files, which do not need to be updated.

systemctl stop radiusd
mv /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.backup
mv /etc/raddb/radiusd.conf.rpmnew /etc/raddb/radiusd.conf
vim /etc/raddb/radiusd.conf
systemctl start radiusd

I hope you have good documentation, or a configuration management system, so that you know what changes need to be made! If unsure, try running radius in debug mode without making any changes at all.
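The same swap, generalised to every .rpmnew the package left under the raddb directory, with a diff of old versus new printed before each file is replaced and a configuration check before the service comes back. This is an added example, not the post's own commands; it assumes the radiusd service and binary names used above, and that FreeRADIUS 3's radiusd accepts -C (check the configuration and exit) and -d (raddb directory).

```shell
#!/bin/sh
# Added example (not from the post): stage every *.rpmnew that the FreeRADIUS 3
# package dropped under a raddb directory. Each current file is kept as
# <name>.backup and a unified diff of old vs. new goes to stderr, so the
# site-specific edits can be re-applied deliberately rather than guessed.
set -eu

# stage_rpmnew DIR: swap each DIR/.../X.rpmnew into place over X, keeping
# X.backup when X existed. Prints the path of every file swapped, one per line.
stage_rpmnew() {
    raddb=$1
    find "$raddb" -type f -name '*.rpmnew' | while IFS= read -r new; do
        cur=${new%.rpmnew}
        if [ -e "$cur" ]; then
            # diff exits 1 when the files differ; that is the expected case
            diff -u "$cur" "$new" >&2 || :
            cp -p "$cur" "$cur.backup"
        fi
        mv "$new" "$cur"
        printf '%s\n' "$cur"
    done
}

# check_config DIR: parse DIR in debug mode without serving (-X -C).
# Returns radiusd's exit status, or 2 when radiusd is not installed, so the
# functions can still be exercised on a host without FreeRADIUS.
check_config() {
    if ! command -v radiusd >/dev/null 2>&1; then
        echo "radiusd not found; skipping config check" >&2
        return 2
    fi
    radiusd -XC -d "$1"
}

# The post's stop / swap / check / start sequence. Only runs when
# RADDB_APPLY=1 is set, so sourcing the file just defines the functions.
if [ "${RADDB_APPLY:-0}" = 1 ]; then
    RADDB=${RADDB:-/etc/raddb}
    systemctl stop radiusd
    stage_rpmnew "$RADDB"
    check_config "$RADDB" && systemctl start radiusd
fi
```

Run it as `RADDB_APPLY=1 sh stage_rpmnew.sh` on the server; the service is only started again if radiusd parses the staged configuration cleanly.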
