Warning: CentOS/RedHat 7.4 installs FreeRADIUS 3 with breaking changes

When you run yum upgrade on a CentOS/RedHat 7 instance, you will be upgraded to 7.4. If you have a FreeRADIUS server, you will be upgraded from version 2 to 3, and your server will likely stop authenticating! Good times! Fortunately, the solution was not complicated for us, because we had good documentation.

Symptoms

Your RADIUS server suddenly starts denying logins.

Diagnosis

The configuration file /etc/raddb/radiusd.conf has changed enough between versions 2 and 3 that you cannot re-use the old version. To get RADIUS debugging output, stop the radiusd service, and run (as root):

radiusd -X
 ... lines containing sensitive information redacted ...
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> TRUE
(0)         if (&User-Name =~ /\.\./ )  {
(0)           update request {
(0)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(0)           } # update request = noop
(0)           [reject] = reject
(0)         } # if (&User-Name =~ /\.\./ )  = reject
(0)       } # if (&User-Name)  = reject
(0)     } # policy filter_username = reject
(0)   } # authorize = reject
(0) Using Post-Auth-Type Reject
...
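
In the trace above, request (0) is rejected by the filter_username policy because the User-Name matched /\.\./. The following Python sketch is an added example, not part of the original post; it pulls the policy, the matching condition and the failure message out of a longer radiusd -X capture. The function name explain_rejects and the passing request (1) in the sample are constructed for illustration.

```python
import re
import sys

# Constructed sample: a subset of the trace lines shown in the post, plus a
# made-up request (1) that passes the filter, to show it is not reported.
SAMPLE = r"""
(0)     policy filter_username {
(0)       if (&User-Name)  -> TRUE
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ )  -> TRUE
(0)             &Module-Failure-Message += 'Rejected: User-Name contains multiple ..s'
(0)           [reject] = reject
(0)     } # policy filter_username = reject
(1)     policy filter_username {
(1)       if (&User-Name)  -> TRUE
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)     } # policy filter_username = notfound
"""

PREFIX = re.compile(r"^\((\d+)\)\s+(.*)$")        # "(N) rest of line"
POLICY = re.compile(r"^policy (\S+) \{")           # entering a named policy
TRUE_IF = re.compile(r"^if \((.*)\)\s*-> TRUE$")   # a condition that matched
MESSAGE = re.compile(r"&Module-Failure-Message \+= '(.*)'")

def explain_rejects(debug_text):
    """Return one dict per explicit [reject] found in `radiusd -X` output."""
    state = {}    # request number -> policy / last TRUE condition / message
    rejects = []
    for raw in debug_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # not a per-request trace line
        req, body = int(m.group(1)), m.group(2)
        cur = state.setdefault(req, {"policy": None, "condition": None, "message": None})
        if (p := POLICY.match(body)):
            cur["policy"] = p.group(1)
        elif (t := TRUE_IF.match(body)):
            cur["condition"] = t.group(1).strip()
        elif (msg := MESSAGE.search(body)):
            cur["message"] = msg.group(1)
        elif body.startswith("[reject]"):
            rejects.append({"request": req, **cur})
    return rejects

if __name__ == "__main__":
    # Pass a saved debug capture as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for r in explain_rejects(text):
        print("({request}) {policy}: {condition} -> {message}".format(**r))
```
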

Solution

To get FreeRADIUS 3 working on CentOS/RedHat 7.4, back up your old RADIUS configuration file, move the new configuration file (installed alongside it as radiusd.conf.rpmnew) into its place, and edit it to make any required changes. It’s possible that you don’t need to make any changes at all. Fortunately, much of the site-specific configuration for RADIUS takes place in other configuration files, which do not need to be updated.

systemctl stop radiusd
mv /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.backup
mv /etc/raddb/radiusd.conf.rpmnew /etc/raddb/radiusd.conf
vim /etc/raddb/radiusd.conf
systemctl start radiusd

I hope you have good documentation, or a configuration management system, so that you know what changes need to be made! If unsure, try running radiusd in debug mode (radiusd -X) without making any changes at all.
